Search using regex

v_2nas · February 23, 2018, 5:13am

Hi Folks,

I am searching for specific event (4624) and where targetusername doesn’t match computername.
The computer accounts in Windows is denoted by a $ at the end of the name.

So i used the regex provide in above thread. The regex ([\w-]+$) works when i test in online regexr.com
However, when i used in graylog search it failed.

My idea is to exclude all 4624 events where TargetUserName is a computer account.

jan · February 23, 2018, 8:07am

your query did not look like the one that is provided by jochen:

v_2nas · February 23, 2018, 8:30am

This regular expression
([\w-]+$)
works with java regex tester

but the same regular expression gives error in graylog search EventID:4624 AND TargetUserName:([\w-]+$)
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]

v_2nas · February 23, 2018, 8:45am

jochen · February 23, 2018, 8:46am

Yes, because that’s the wrong query syntax.

Try the following query:

EventID:4624 AND TargetUserName:/.+/

Also be reminded that the regular expression has to match the complete field content if the field hasn’t been tokenized/analyzed.

See https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-regexp-query.html#regexp-syntax for details about the Lucene regular expression syntax.

v_2nas · February 23, 2018, 8:57am

i was basing it on the regex i found on the community.
I don’t have much understanding of the regex, so i do some trial and error using what is available.

([\w-]+) matches the the condition in java regex tester, but as you mentioned, it's incorrect for graylog. i have tried to use \ char for but that didn’t work.

I need to exclude all those events where name contains a computer name preceded by , something like abcd, abcdefg$, etc.

jochen · February 23, 2018, 9:31am

That’s why I’ve pointed you to the documentation.

v_2nas · March 9, 2018, 7:36am

I manage to get assistance from another graylog ninja, so thought i will share the solution to help anyone who is in the same situation.
So, we enabled allow_leading_wildcard_searches=true in the server.conf file
Then i could use this search query to get all user minus computer accounts.

EventID:4624 AND NOT TargetUserName:*$

system · March 23, 2018, 7:36am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.