Log Search Query Guide

User Guide

Overview

This guide provides information about how to effectively use Log Search on the Arctic Wolf® Arctic Wolf Portal. In general:

Search operators

These are the available search operators and their uses:

Operator   Description
AND        Separates individual search terms and requires that both terms are present, in any order, in the log line.
OR         Separates individual search terms and returns results in which either term is present anywhere in the log line.
NOT        Excludes from the results every log line that contains the search term that follows NOT in the query.
( )        Controls the order of operations when you use multiple operators in your query. Without parentheses, the default precedence is NOT, then AND, then OR: NOT binds most tightly and OR least.

To search for parentheses contained within log data, you must escape each parenthesis with the backslash character, \, so that it is treated as part of the search string rather than as the grouping operator.

Note: You must include a single space character on both sides of the AND, OR, and NOT operators, and you must write these operators in all capital letters.

For example, NOT aa OR bb AND cc is a valid search query to find records that do not contain 'aa', or contain both 'bb' and 'cc' in any order.

Tip: The NOT aa OR bb AND cc query is equivalent to (NOT aa) OR (bb AND cc).

Tab character searches

Include tab whitespace characters, 0x09, in your search query when you search for a Microsoft Windows event log line that has a tab on either side of the event code, such as the login failure code 4625. Including the tabs prevents the query from matching other sequences that contain 4625, such as timestamps or UUIDs. You can add a tab character to the search field with the Tab option on the search bar.

To search for all login attempts for jsmith, failed (4625) or successful (4624), search for:

MSWinEventLog AND (   4624   OR   4625   ) AND jsmith

where a tab character precedes and follows each event code (the tabs are shown above as runs of whitespace), and a single space separates the OR operator from the tabs on either side of it.

Reserved characters

There are reserved characters that you cannot use in queries. Queries that contain any of these characters are invalid:

The list of reserved characters is subject to change based on system requirements or technical restrictions. Changes usually affect non-printable characters in the low-ASCII range, 0x00 to 0x1F, or characters in the high UTF-8 range.

Sample search queries

These are some sample search queries. For each one, Log line is the raw log line that the query is tested against, and Match shows whether Log Search returns that line.

Query:       error code: 400
Log line:    Authorization failed with error code: 400
Match:       Yes
Description: There is an exact match for the search string in the log line.

Query:       error code: 400
Log line:    Aborted operation returned error code: 4009217
Match:       Yes
Description: Although extra characters follow the search term, there is an exact substring match.

Query:       error code: 400
Log line:    HTTP request failure error code:<TAB>400
Match:       No
Description: The character following the colon in the raw log line is a tab character, 0x09 (shown here as <TAB>), not a space, 0x20, so the log line does not match the query.

Query:       error code: 400
Log line:    HTTP request failure error code:  400
Match:       No
Description: Two spaces, instead of a single space, follow the colon in the raw log line, so there is not an exact match to the query.

Query:       error code: 400
Log line:    Device code error: 400
Match:       No
Description: All of the words are present in the log line, but not in the order given in the search query.

Query:       jsmith AND "failed login"
Log line:    ERROR:: failed login for user: jsmith
Match:       No
Description: Quotation marks do not function as operators in this context. They are part of the search string, and there is no exact match for that string in the log line.

Note: By default, Log Search always searches for an exact match.

Query:       jsmith AND (fail OR denied)
Log line:    ERROR:: failed login for user: jsmith
Match:       Yes
Description: The first search term and one of the OR terms appear in the log line.

Note: The term fail matches because it is a substring of failed; wildcards on both sides of a search string are implied.

Query:       jsmith AND (fail OR denied)
Log line:    Permission denied to 'jsmith' attempting deletion of object 0x943150897
Match:       Yes
Description: The first search term and one of the OR terms appear in the log line.

Query:       jsmith AND (fail OR denied)
Log line:    Login denied: user 'ajsmith' failed verification question
Match:       Yes
Description: All of the search terms appear in the log line. Because wildcards are implied, jsmith also matches the different user name ajsmith; if that distinction matters, include the surrounding characters in the search term, for example 'jsmith' with its single quotes.

Query:       HTTP (404)
Log line:    HTTP (404) POST /widgets/missing
Match:       No
Description: Invalid syntax, because the parentheses function as operators in this search query. This syntax returns an error similar to Query contains syntax error(s): 'HTTP (404)' at position: 6.

Query:       HTTP \(404\)
Log line:    HTTP (404) POST /widgets/missing
Match:       Yes
Description: The search string appears in the log line.

Tip: The backslash characters render the parentheses in this query as normal characters in the search string.
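The matcher below is an added example written for this guide; it is not part of Arctic Wolf's Log Search and its internals are not documented here. It implements the rules stated in the Search operators, Tab character searches and Sample search queries sections (spaced, upper-case operators; NOT before AND before OR; backslash-escaped parentheses; implied wildcards; literal quotation marks) and runs the sample queries over constructed copies of the table's log lines, so a query can be checked offline before it is typed into the portal. Where the page is silent it assumes case-sensitive matching and accepts NOT directly after an opening parenthesis, as the tip in the Search operators section uses; the MSWinEventLog lines are invented and only illustrate the tab-delimited layout, and the error message text merely copies the page's example.

```python
r"""Reference matcher for this page's Log Search query syntax (an added illustration,
not Arctic Wolf code). Modelled from the page: upper-case AND/OR/NOT with a space on
each side, unescaped parentheses for grouping, precedence NOT > AND > OR, \( and \)
as literal characters, implied wildcards on both sides of every term, and quotation
marks as ordinary characters. Assumed where the page is silent: case-sensitive
matching, and NOT accepted directly after '(' as in the page's tip."""
import re

# Operator: AND/OR/NOT after a space, '(' or the query start, and before a space.
# Parenthesis: an operator unless a backslash precedes it (then it is literal).
TOKEN_RE = re.compile(r"(?:^| |(?<=\())(?P<op>AND|OR|NOT) |(?<!\\)(?P<paren>[()])")

class QuerySyntaxError(ValueError):
    """Malformed query; the message text mirrors the page's example error."""

def tokenize(query):
    """Return (kind, text, pos) tokens, pos 1-based; kind is TERM, OP, '(' or ')'."""
    tokens, last = [], 0
    def term(start, end):        # text between operators, spaces and tabs included
        if end > start:
            text = query[start:end].replace("\\(", "(").replace("\\)", ")")
            tokens.append(("TERM", text, start + 1))
    for m in TOKEN_RE.finditer(query):
        term(last, m.start())
        if m["op"]:
            tokens.append(("OP", m["op"], m.start("op") + 1))
        else:
            tokens.append((m["paren"], m["paren"], m.start() + 1))
        last = m.end()
    term(last, len(query))
    return tokens

def parse(query):
    """Parse into ('term', s) / ('not', x) / ('and', x, y) / ('or', x, y) nodes."""
    tokens, pos = tokenize(query), 0
    def fail(at):
        raise QuerySyntaxError(f"Query contains syntax error(s): '{query}' at position: {at}")
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else (None, None, len(query) + 1)
    def at_op(name):
        return pos < len(tokens) and tokens[pos][:2] == ("OP", name)
    def binary(name, operand):   # left-associative chain of one binary operator
        node = operand()
        while at_op(name):
            take()
            node = (name.lower(), node, operand())
        return node
    def parse_or():              # OR binds loosest, then AND, then NOT
        return binary("OR", lambda: binary("AND", parse_not))
    def parse_not():             # NOT binds tightest, to exactly one operand
        if at_op("NOT"):
            take()
            return ("not", parse_not())
        kind, text, at = take()
        if kind == "TERM":
            return ("term", text)
        if kind == "(":
            node = parse_or()
            kind, _, at = take()
            if kind != ")":
                fail(at)
            return node
        fail(at)
    tree = parse_or()
    if pos != len(tokens):       # stray token, e.g. the '(' of 'HTTP (404)'
        fail(tokens[pos][2])
    return tree

def matches(tree, line):         # evaluate a parsed query against one raw log line
    op = tree[0]
    if op == "term":
        return tree[1] in line   # implied wildcards on both sides: a substring test
    if op == "not":
        return not matches(tree[1], line)
    left, right = matches(tree[1], line), matches(tree[2], line)
    return (left and right) if op == "and" else (left or right)

def search(query, lines):
    tree = parse(query)          # matching lines in input order; may raise QuerySyntaxError
    return [line for line in lines if matches(tree, line)]

# Constructed log lines: the page's sample-table lines plus three made-up,
# tab-delimited MSWinEventLog-style lines. Not real customer data.
SAMPLE_LINES = [
    "Authorization failed with error code: 400",
    "Aborted operation returned error code: 4009217",
    "HTTP request failure error code:\t400",       # tab after the colon
    "HTTP request failure error code:  400",       # two spaces after the colon
    "Device code error: 400",
    "ERROR:: failed login for user: jsmith",
    "Permission denied to 'jsmith' attempting deletion of object 0x943150897",
    "Login denied: user 'ajsmith' failed verification question",
    "HTTP (404) POST /widgets/missing",
    "MSWinEventLog\t1\tSecurity\t4625\tLogon\tjsmith",
    "MSWinEventLog\t1\tSecurity\t4624\tLogon\tjsmith",
    "MSWinEventLog\t1\tSecurity\t4634\tsession 0x946251\tjsmith",  # 4625 inside an id
]
```

Calling search("error code: 400", SAMPLE_LINES) returns only the first two lines, the tab and double-space variants failing exactly as the table states; search("HTTP (404)", SAMPLE_LINES) raises QuerySyntaxError with the position-6 message, while the escaped form HTTP \(404\) matches. The two MSWinEventLog queries show the point of the Tab character searches section: with the tabs around the event codes the query returns the 4625 and 4624 lines only, whereas without them it also returns the line whose hex identifier happens to contain 4625.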

Troubleshooting

If you have further questions about Log Search, contact your Concierge Security Team® (CST).

See also

Log Search User Guide