Raw Log Search Query Syntax
Updated Sep 19, 2023
Raw Log Search is a licensed Managed Detection and Response (MDR) add-on feature that lets you search the Arctic Wolf platform, which stores an aggregation of raw log data from your on-premises systems and cloud services. This feature allows you to retrieve logs in raw format for operational and security-related tasks, such as validating a configuration change or investigating a security alert.
Tip: You can also search the Arctic Wolf observation pipeline for parsed and analyzed event logs. See View event logs in the Arctic Wolf Unified Portal User Guide for details.
In Raw Log Search, you can write a complex search expression to run a refined search. A complex search expression includes conditional logic that is designed to limit the number of matches. This logic is expressed as a combination of search words and operators.
The syntax, or rules, for writing a complex search expression is as follows:
- Search expressions rely on exact matching, including whitespaces, quotation marks, and special characters.
- Search expressions are case-sensitive by default. You can deselect the Case sensitive option to ignore capitalization.
- A search expression can include these search operators: AND, OR, NOT, and ( ). See Search operators for more information. You must include a single space character on both sides of the AND, OR, and NOT operators, and you must write these operators in all capital letters.
- A search expression can have no more than 10 operators.
- A search expression must contain at least 2 non-whitespace characters. Search expressions with only one non-whitespace character, such as b, are invalid.
- A search expression must not contain more than 1000 characters, including whitespace characters. Search expressions that exceed this length are invalid. Note that UTF-8 characters, such as a mathematical symbol, may count as multiple characters.
- Wildcard characters such as ? are not supported. Since all search expressions are substring matched, the * wildcard character is already implied on either side of the search word. For example, searching for error is equivalent to searching for
- Raw logs from some log sources include tab characters. Tab characters are searchable. See Tab character searches for more information.
- Some characters are reserved. Search expressions that contain reserved characters are invalid. See Reserved characters.
Using a query template is a way of ensuring that a search expression has the correct syntax. In Raw Log Search, you can choose from a list of frequently run searches to add a search expression to the Search field. See Run a search in the Raw Log Search User Guide for detailed steps.
Tip: Start with a query template that is similar to the search you want to run. Then, modify the search expression as desired.
These are the available search operators and their uses:

| Operator | Use |
| --- | --- |
| ( ) | The parentheses operator controls the order of operations when you use multiple operators in your search expression. Without parentheses, the default precedence is NOT, then AND, then OR, as the following example shows. |

To search for parentheses contained within log data, you must use the backslash, \, to escape them.

For example, NOT aa OR bb AND cc is a valid search expression that finds records that do not contain 'aa', or that contain both 'bb' and 'cc' in any order. NOT aa OR bb AND cc is equivalent to (NOT aa) OR (bb AND cc).

You must include a single space character on both sides of the AND, OR, and NOT operators, and you must write these operators in all capital letters. A search expression can have up to 10 operators.
Include tab whitespace characters in your search expression if you want to search for a Microsoft Event Log that is formatted with a tab whitespace character, 0x09, on either side of the event code. For example, the login failure code 4625 includes tab characters. This prevents the search expression from matching other sequences that contain 4625, like timestamps or UUIDs. You can add a tab whitespace character into the search field using the Indent option on the search bar.

For example, to search for all login attempts, failed or successful, for jsmith, search for:

MSWinEventLog AND ( 4624 OR 4625 ) AND jsmith

Note that there is a tab whitespace character before and after each event code, and a single space on either side of the OR operator.
There are reserved characters that you cannot use in search expressions. Search expressions that contain any of the following characters are invalid:
- The line feed/new line character, 0x0A, often represented as \n.
- The carriage return character, 0x0D, often represented as \r.
- The vertical tab character, 0x0B, often represented as \v.
- The form feed character, 0x0C, often represented as \f.
- The shift out and shift in characters, 0x0E and 0x0F.
This list of reserved characters is subject to change based on system requirements or technical restrictions. Changes are usually applied to non-printable characters in the low-ASCII range (0x00 to 0x1F) or the high UTF-8 range.
The following examples illustrate how you can modify your search expression syntax to refine your search:

| Search expression | Anticipated search result | Match | Description |
| --- | --- | --- | --- |
| | Authorization failed with error code: 400 | Yes | There is an exact match for the search string in the log line. |
| | Aborted operation returned error code: 4009217 | Yes | Although extra characters follow the search term, there is an exact substring match. |
| | HTTP request failure error code: 400 | No | The character following the colon is a tab character, 0x09, so there is not an exact match to the search expression. |
| | HTTP request failure error code: 400 | No | There are two spaces, instead of a single space, following the colon in the raw log line, so there is not an exact match to the search expression. |
| | Device code error: 400 | No | All words are present in the log line, but the order of the words does not match the search expression. |
| | ERROR:: failed login for user: jsmith | Yes | The query matches logs that contain |
| | ERROR:: failed login for user: jsmith | Yes | The first search term and only one of the OR terms appear in the search results. Note: The word |
| | Permission denied to 'jsmith' attempting deletion of object 0x943150897 | Yes | The first search term and one of the OR terms appear in the search results. |
| | Login denied: user 'ajsmith' failed verification question | Yes | All the search terms appear in the log line. |
| | HTTP (404) POST /widgets/missing | No | Invalid syntax, because the parentheses function as operators in this search expression. This syntax returns an error similar to |
| | HTTP (404) POST /widgets/missing | Yes | The search string appears in the log line. |
| | ERROR:: "failed login" | Yes | The query only matches logs that contain the exact terms, including whitespace and quotes. |

Tip: Add backslash characters to render the parentheses in the HTTP (404) search expression as normal characters in the search string.
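The syntax rules, the operator precedence, the tab-delimited event-code search, the reserved characters and the match/no-match rows in the table above can all be exercised against a small model of the grammar. The Python below is an added example written for this page, not Arctic Wolf code, and it only approximates the documented behaviour: the 1000-character limit is counted in UTF-8 bytes and each pair of parentheses is counted as one operator (both are assumptions), and the log lines it searches are a constructed sample that reuses several lines from the table. The search expressions it runs are also constructed here, not the ones the table originally showed.

```python
# Added example (not Arctic Wolf code): a model of the Raw Log Search rules on this page.
import re

MAX_LENGTH, MAX_OPERATORS = 1000, 10
RESERVED = {"\x0a", "\x0d", "\x0b", "\x0c", "\x0e", "\x0f"}  # LF CR VT FF SO SI
# An unescaped parenthesis, or capitalised AND/OR/NOT delimited by a space, a
# parenthesis or the string boundary (so "FOR" and "ORDER" are not operators).
TOKEN_RE = re.compile(r"(?<!\\)[()]|(?:(?<=[ (])|^)(?:AND|OR|NOT)(?=[ )]|$)")


class QuerySyntaxError(ValueError):
    """Raised for expressions the documented rules reject."""


def _add_term(tokens, text):
    """Text between operators is one TERM: drop only the single delimiting space,
    keep inner spaces and tabs (matching is exact), and unescape \\( and \\)."""
    if text.strip():
        text = text.removeprefix(" ").removesuffix(" ")
        tokens.append(("TERM", text.replace("\\(", "(").replace("\\)", ")")))


def tokenize(expr):
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(expr):
        _add_term(tokens, expr[pos:m.start()])
        tokens.append(("OP", m.group()))
        pos = m.end()
    _add_term(tokens, expr[pos:])
    return tokens


def validate(expr):
    """Return the documented rules the expression breaks (empty list = valid)."""
    problems = []
    if len(expr.encode("utf-8")) > MAX_LENGTH:  # assumption: UTF-8 bytes count
        problems.append(f"longer than {MAX_LENGTH} characters")
    if bad := sorted({f"0x{ord(c):02X}" for c in expr if c in RESERVED}):
        problems.append("reserved characters: " + ", ".join(bad))
    if sum(not c.isspace() for c in expr) < 2:
        problems.append("fewer than 2 non-whitespace characters")
    # Assumption: each AND/OR/NOT and each pair of parentheses is one operator.
    ops = sum(t[0] == "OP" and t[1] != ")" for t in tokenize(expr))
    if ops > MAX_OPERATORS:
        problems.append(f"{ops} operators, limit is {MAX_OPERATORS}")
    return problems


def parse(tokens):
    """Recursive descent with the page's precedence: NOT, then AND, then OR."""
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def binary(op, operand):  # left-associative chain of one operator
        node = operand()
        while peek() == ("OP", op):
            take()
            node = (op, node, operand())
        return node

    def unary():
        if peek() == ("OP", "NOT"):
            take()
            return ("NOT", unary())
        tok = take()
        if tok == ("OP", "("):
            node = expression()
            if take() != ("OP", ")"):
                raise QuerySyntaxError("missing ')'")
            return node
        if not tok or tok[0] != "TERM":
            raise QuerySyntaxError(f"missing search term near {tok!r}")
        return tok

    expression = lambda: binary("OR", lambda: binary("AND", unary))
    node = expression()
    if peek() is not None:
        raise QuerySyntaxError(f"unexpected {peek()[1]!r}")
    return node


def matches(node, line, case_sensitive=True):
    """Evaluate a parsed expression against one raw log line (substring match)."""
    if node[0] == "TERM":
        return node[1] in line if case_sensitive else node[1].lower() in line.lower()
    if node[0] == "NOT":
        return not matches(node[1], line, case_sensitive)
    left, right = (matches(n, line, case_sensitive) for n in node[1:])
    return (left and right) if node[0] == "AND" else (left or right)


def search(expr, lines, case_sensitive=True):
    """Validate, parse and run an expression; returns the matching lines."""
    if problems := validate(expr):
        raise QuerySyntaxError("; ".join(problems))
    tree = parse(tokenize(expr))
    return [ln for ln in lines if matches(tree, ln, case_sensitive)]


LOGS = [  # constructed sample; the first six are log lines from the table above
    "Authorization failed with error code: 400",
    "Aborted operation returned error code: 4009217",
    "HTTP request failure error code:\t400",     # tab after the colon
    "HTTP request failure error code:  400",     # two spaces after the colon
    "Device code error: 400",                    # same words, different order
    "HTTP (404) POST /widgets/missing",
    "MSWinEventLog\t4625\tjsmith failed logon",  # tab-delimited event code
    "MSWinEventLog\t4624\tjsmith logon",
    "MSWinEventLog audit 46250 jsmith",          # 4625 without surrounding tabs
]
```

`search("error code: 400", LOGS)` returns only the first two lines, because the tab and the double space after the colon break the exact substring match; `search("MSWinEventLog AND ( \t4624\t OR \t4625\t ) AND jsmith", LOGS)` returns the two tab-delimited jsmith events and skips the line where 4625 is only part of a longer number; `search("HTTP (404)", LOGS)` raises `QuerySyntaxError` while `search(r"HTTP \(404\)", LOGS)` matches, mirroring the last rows of the table. `validate` reports the length, reserved-character, minimum-length and operator-count rules separately so that each rejection can be explained to the analyst writing the query.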
- If you have questions about Raw Log Search, contact your Concierge Security® Team (CST).