Hi Folks,
I am searching for specific event (4624) and where targetusername doesn’t match computername.
The computer accounts in Windows is denoted by a $ at the end of the name.
So i used the regex provide in above thread. The regex ([\w-]+$) works when i test in online regexr.com
However, when i used in graylog search it failed.
My idea is to exclude all 4624 events where TargetUserName is a computer account.
This regular expression
([\w-]+$)
works with java regex tester
but the same regular expression gives error in graylog search EventID:4624 AND TargetUserName:([\w-]+$)
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Yes, because that’s the wrong query syntax. 
Try the following query:
EventID:4624 AND TargetUserName:/.+/
Also be reminded that the regular expression has to match the complete field content if the field hasn’t been tokenized/analyzed.
See https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-regexp-query.html#regexp-syntax for details about the Lucene regular expression syntax.
i was basing it on the regex i found on the community.
I don’t have much understanding of the regex, so i do some trial and error using what is available.
([\w-]+) matches the the condition in java regex tester, but as you mentioned, it's incorrect for graylog. i have tried to use \ char for but that didn’t work.
I need to exclude all those events where name contains a computer name preceded by , something like abcd, abcdefg$, etc.
I manage to get assistance from another graylog ninja, so thought i will share the solution to help anyone who is in the same situation.
So, we enabled allow_leading_wildcard_searches=true in the server.conf file
Then i could use this search query to get all user minus computer accounts.
EventID:4624 AND NOT TargetUserName:*$
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.