Trying to exclude accounts with $

ThomasPowers · April 11, 2019, 3:00pm

Hello GL friends!!

So here’s a hopefully simple query question.

I have a windows event, 4624 to be specific tracking successful windows logons. In my search I am trying to exclude the computer accounts that show up as $ names so that all I get are the actual users that logged in.

Here’s the search I’m using:

EventID:4624 AND LogonType:3 AND NOT (WorkstationName:-) AND NOT (TargetUserName:HealthMailbox* OR TargetUserName:“ANONYMOUS LOGON”)

And I get these accounts as a sample result:

I’m trying to exclude the accounts with a $ at the end. How can I do that in my search?

Thanks

TP

tmacgbay · April 11, 2019, 5:13pm

I am pretty new at regex but this worked for me:

NOT winlogbeat_event_data_TargetUserName:/.*$/

ThomasPowers · April 11, 2019, 5:17pm

That worked!! Thanks

TP

system · April 25, 2019, 5:24pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Windows Event (Winlogbeat) Exclude User Graylog Central (peer support) sidecar , winlogbeat	8	2228	March 16, 2021
Deleting event logs before Elasticsearch Graylog Central (peer support) sidecar , winlogbeat	4	1169	April 29, 2019
Search to Exclude Computer names Graylog Central (peer support)	5	1158	January 29, 2021
Filtering Windows logs on input Graylog Central (peer support) sidecar , winlogbeat	2	1768	September 1, 2017
Excluding Character when Searching Graylog Central (peer support)	2	767	February 25, 2019

Trying to exclude accounts with $

Related topics