Search using regex


(Nav) #1

Hi Folks,

I am searching for a specific event (4624) where TargetUserName doesn't match ComputerName.
Computer accounts in Windows are denoted by a $ at the end of the name.


So I used the regex provided in the above thread. The regex ([\w-]+$) works when I test it on regexr.com.
However, when I used it in the Graylog search, it failed.

My idea is to exclude all 4624 events where TargetUserName is a computer account.


(Jan Doberstein) #2

Your query did not look like the one provided by Jochen:


(Nav) #3

This regular expression
([\w-]+$)
works with a Java regex tester,

but the same regular expression gives an error in the Graylog search EventID:4624 AND TargetUserName:([\w-]+$)
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]


(Nav) #4


(Jochen) #5

Yes, because that’s the wrong query syntax. :wink:

Try the following query:

EventID:4624 AND TargetUserName:/.+/

Also be reminded that the regular expression has to match the complete field content if the field hasn’t been tokenized/analyzed.

See https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-regexp-query.html#regexp-syntax for details about the Lucene regular expression syntax.


(Nav) #6

I was basing it on the regex I found on the community.
I don't have much understanding of regex, so I do some trial and error using what is available.

([\w-]+) matches the condition in a Java regex tester, but as you mentioned, it's incorrect for Graylog. I have tried to use the \ char for but that didn't work.

I need to exclude all those events where name contains a computer name preceded by , something like abcd, abcdefg$, etc.


(Jochen) #7

That’s why I’ve pointed you to the documentation.


(Nav) #8

I managed to get assistance from another Graylog ninja, so I thought I would share the solution to help anyone who is in the same situation.
So, we enabled allow_leading_wildcard_searches=true in the server.conf file.
Then I could use this search query to get all users minus computer accounts.

EventID:4624 AND NOT TargetUserName:*$
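As an added illustration (not code from this thread or from Graylog), the Python below emulates the two behaviours the thread contrasts: an online Java tester reports a match anywhere in the string (`re.search`), while a Lucene regexp on an un-analyzed field must match the complete field content (`re.fullmatch`, as Jochen notes). It then filters constructed sample events the way Nav's final query `EventID:4624 AND NOT TargetUserName:*$` does. The event dicts are made up for the example.

```python
import re

# Constructed sample 4624/4634 events (not real log data). A TargetUserName
# ending in "$" is a Windows computer account, as the original post explains.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe"},
    {"EventID": 4624, "TargetUserName": "WKS-042$"},
    {"EventID": 4624, "TargetUserName": "svc-backup"},
    {"EventID": 4634, "TargetUserName": "jdoe"},
    {"EventID": 4624, "TargetUserName": "DC01$"},
]


def java_find_matches(pattern, value):
    """What an online Java/JS regex tester shows: the pattern may match
    anywhere inside the string, so anchors like '$' are needed to pin it."""
    return re.search(pattern, value) is not None


def lucene_regexp_matches(pattern, value):
    """Emulate a Lucene regexp query on an un-analyzed (keyword) field:
    the pattern is implicitly anchored and must consume the whole value.
    Python's re.fullmatch reproduces that anchoring. Note that in this
    emulation a literal dollar sign must be written as '\\$'."""
    return re.fullmatch(pattern, value) is not None


def is_computer_account(name):
    """Computer accounts carry a trailing '$' (from the original post)."""
    return name.endswith("$")


def human_logons(events):
    """Equivalent of `EventID:4624 AND NOT TargetUserName:*$`:
    keep 4624 logons, drop the ones whose target is a computer account."""
    return [
        e["TargetUserName"]
        for e in events
        if e["EventID"] == 4624 and not is_computer_account(e["TargetUserName"])
    ]


if __name__ == "__main__":
    print("search  [\\w-]+$ on WKS-042$ :", java_find_matches(r"[\w-]+$", "WKS-042$"))
    print("fullmatch [\\w-]+ on WKS-042$ :", lucene_regexp_matches(r"[\w-]+", "WKS-042$"))
    print("fullmatch .*\\$   on WKS-042$ :", lucene_regexp_matches(r".*\$", "WKS-042$"))
    print("non-computer 4624 logons     :", human_logons(SAMPLE_EVENTS))
```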

