Search using regex

Hi Folks,

I am searching for specific event (4624) and where targetusername doesn’t match computername.
The computer accounts in Windows is denoted by a $ at the end of the name.

So i used the regex provide in above thread. The regex ([\w-]+$) works when i test in online
However, when i used in graylog search it failed.

My idea is to exclude all 4624 events where TargetUserName is a computer account.

your query did not look like the one that is provided by jochen:

1 Like

This regular expression
works with java regex tester

but the same regular expression gives error in graylog search EventID:4624 AND TargetUserName:([\w-]+$)
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]

Yes, because that’s the wrong query syntax. :wink:

Try the following query:

EventID:4624 AND TargetUserName:/.+/

Also be reminded that the regular expression has to match the complete field content if the field hasn’t been tokenized/analyzed.

See for details about the Lucene regular expression syntax.

i was basing it on the regex i found on the community.
I don’t have much understanding of the regex, so i do some trial and error using what is available.

([\w-]+) matches the the condition in java regex tester, but as you mentioned, it's incorrect for graylog. i have tried to use \ char for but that didn’t work.

I need to exclude all those events where name contains a computer name preceded by , something like abcd, abcdefg$, etc.

That’s why I’ve pointed you to the documentation.

I manage to get assistance from another graylog ninja, so thought i will share the solution to help anyone who is in the same situation.
So, we enabled allow_leading_wildcard_searches=true in the server.conf file
Then i could use this search query to get all user minus computer accounts.

EventID:4624 AND NOT TargetUserName:*$

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.