Raw Log Search Query Syntax
Raw Log Search Direct link to this section
Raw Log Search is a licensed Managed Detection and Response (MDR) add-on feature that lets you query the Arctic Wolf platform, which stores an aggregation of raw log data from your on-premises systems and cloud services. This feature allows you to build queries for operational and security-related tasks, such as validating a configuration change or investigating a security alert.
Tip: You can also query the Arctic Wolf observation pipeline for parsed and analyzed event logs. See View event logs in the Arctic Wolf Unified Portal User Guide for details.
Query syntax Direct link to this section
- Queries rely on exact matching, including whitespaces, quotation marks, and special characters.
- Queries are case-sensitive by default. You can deselect the Case sensitive box to ignore capitalization.
- Queries can include these search operators:
AND,OR,NOT, and( ). See Search operators for more information. You must include a single space character on both sides of the AND, OR, and NOT operators, and you must write these operators in all capital letters. - Queries must contain at least 2 non-whitespace characters. Queries with only one non-whitespace character, such as
aorb, are invalid. - Queries must not contain more than 1000 characters including whitespace characters. Queries exceeding this length are invalid. Note that UTF-8 characters, such as an emoji, may count as multiple characters.
- Wildcard characters such as
*or?are not supported. Since all search terms are substring matched, the*operator is already implied on either side of the term. For example, searching forerroris equivalent to searching for*error*.
Tip: Click Examples and select an option to add a preset query with the required syntax to the Search field. See Run a search query in the Raw Log Search User Guide for details.
Search operators Direct link to this section
These are the available search operators and their uses:
| Operator | Description |
|---|---|
| AND | The AND operator separates individual search terms, requiring that both are present in any order in the log line. |
| OR | The OR operator separates individual search terms, and returns results where either term is present anywhere in the log line. |
| NOT | The NOT operator excludes the search term(s) from the results that follow NOT in the query. |
| ( ) | The parentheses operator is used to control the order of operations when you use multiple operators in your query. Without parentheses, the default precedence is NOT, followed by AND then OR. To search for parentheses contained within log data, you must use the backslash, \, character to nullify the parentheses operation in your query. |
Note: You must include a single space character on both sides of the AND, OR, and NOT operators, and you must write these operators in all capital letters.
For example:
NOT aa OR bb AND ccis a valid search query to find records that do not contain'aa', or contain both'bb'and'cc'in any order.NOT aa OR bb AND ccis equivalent to(NOT aa) OR (bb AND cc).
Tab character searches Direct link to this section
Include tab whitespace characters in your search query if you want to search for a Microsoft Event Log that is formatted with a tab whitespace character, 0x09, on either side of the event code. For example, the login failure code 4625 includes tab characters. This prevents the query from matching other sequences that contain 4625, like timestamps or UUIDs. You can add a tab whitespace character into the search field using the Indent option on the search bar.
For example, to search for all login attempts, failed or successful for jsmith, search for:
MSWinEventLog AND ( 4624 OR 4625 ) AND jsmithNote that there is a tab whitespace character before and after each event code, and a single space on either side of the OR operator.
Reserved characters Direct link to this section
There are reserved characters that you cannot use in queries. Queries that contain any of these characters are invalid:
- The line feed/new line, character,
0x0A, often represented as\n. - The carriage return character,
0x0D, often represented as\r. - The vertical tab character,
0x0B, often represented as\v. - The form feed character,
0x0C, often represented as\f. - The shift out and shift in characters,
0x0Eand0x0F.
The list of reserved characters is subject to change based on system requirements or technical restrictions. Changes are usually applied for non-printable characters in the low-ASCII range, 0x00 to 0x1F or high UTF-8 range.
Examples of Raw Log Search queries Direct link to this section
The following examples illustrate how you can modify your query syntax to refine your search:
| Query | Anticipated search result | Match | Description |
|---|---|---|---|
error code: 400 |
Authorization failed with error code: 400 | Yes | There is an exact match for the search string in the log line. |
error code: 400 |
Aborted operation returned error code: 4009217 | Yes | Although extra characters follow the search term, there is an exact substring match. |
error code: 400 |
HTTP request failure error code: 400 | No | The character following the colon is a tab character, 0x09, and not a space, 0x20 in the raw log line, and therefore does not match the query. |
error code: 400 |
HTTP request failure error code: 400 | No | There are two spaces, instead of a single space, following the colon in the raw log line, so there is not an exact match to the query. |
error code: 400 |
Device code error: 400 | No | All words are present in the log line, but the order of the words do not match the search query. |
jsmith AND "failed login" |
ERROR:: failed login for user: jsmith | No | The quotation marks do not function as operators in this context. Quotation marks are included in the search string, and there is no exact match for that string. Note: By default, Raw Log Search always searches for an exact match. |
jsmith AND (fail OR denied) |
ERROR:: failed login for user: jsmith | Yes | The first search term and only one of the OR terms appear in the search results. Note: The word fail is a substring of failed since wildcards on both sides of a search string are implied. |
jsmith AND (fail OR denied) |
Permission denied to 'jsmith' attempting deletion of object 0x943150897 | Yes | The first search term and one of the OR terms appear in the search results. |
jsmith AND (fail OR denied) |
Login denied: user 'ajsmith' failed verification question | Yes | All the search terms appear in the log line. |
HTTP (404) |
HTTP (404) POST /widgets/missing | No | Invalid syntax because the parentheses function as operators in this search query. This syntax returns an error similar to Query contains syntax error(s): 'HTTP (404)' at position: 6. Tip: Add backslash characters to render the parentheses in this query as normal characters in the search string. |
HTTP \(404\) |
HTTP (404) POST /widgets/missing | Yes | The search string appears in the log line. |
Get help Direct link to this section
- If you have questions about Raw Log Search, contact your Concierge Security® Team (CST).