Skip to main content

Forwarder Regex Filtering

  • September 3, 2024
  • 2 replies
  • 86 views
JaredBloomberg
Forum|alt.badge.img+4

Hello,

I have some Windows logs that I would like to drop at the forwarder before they are ingested into the SIEM using the regex functionality documented here https://cloud.google.com/chronicle/docs/install/forwarder-linux#set_regular_expression_filters

For the particular event ID that I am filtering I only want to match raw logs that include the C$, IPC$, or ADMIN$ shares and drop everything else. The problem that I am running into is that negative lookaheads are the go-to way to do something like this with regex, for example...

 

(?!C|IPC|ADMIN)

 

...which apparently are not supported here. If I understand the documentation correctly I also cannot use a capture group in a filter set to "allow" what I want and then a subsequent filter to "block" everything else since the "block" takes precedence over the "allow" and would block everything.

Is there some other way to selectively ingest raw logs on a forwarder, with or without regex, that I am overlooking?

2 replies

maxjunker
Forum|alt.badge.img+4
  • maxjunkerBronze 4
  • Bronze 4
  • September 4, 2024

Hello,

You're absolutely right that RE2, which is used by Google Chronicle's forwarder, does not support negative lookaheads. However, you can achieve what you're aiming for (ingesting logs with a specific event ID that include the C$, IPC$, or ADMIN$ shares) using the allow filter functionality.

Solution: Use an Allow Filter

Instead of trying to filter out logs using negative lookaheads, you can configure an allow filter that will only accept logs that match both your event ID and the specific share names (C$, IPC$, ADMIN$). By using an allow filter, you ensure that only logs containing those patterns are ingested, and anything else is dropped.

Example Configuration:

Here’s how the configuration would look for your specific case:

regex_filters:
allow_filter:
regexp: .*EventID=5140.*\\\\(C\\$|IPC\\$|ADMIN\\$)
behavior_on_match: allow

 

  • EventID=5140: This part of the regex filters for logs containing this particular event ID (you can adjust it for the event ID you're targeting).
  • \\\\(C\\$|IPC\\$|ADMIN\\$): This part ensures the log contains one of the share names C$, IPC$, or ADMIN$.
  • Allow Filter: By using an allow filter, the forwarder will automatically block any logs that don't match this pattern.

You're also correct that block filters take precedence over allow filters. This means that if you have any block filters in place, they will override the allow filter and block logs, even if they match the allow condition. To avoid this, ensure there are no conflicting block filters that might block the logs you're trying to allow.

 

 

 

JaredBloomberg
Forum|alt.badge.img+4
  • JaredBloomberg
  • Author
  • New Member
  • September 4, 2024

Hello,

You're absolutely right that RE2, which is used by Google Chronicle's forwarder, does not support negative lookaheads. However, you can achieve what you're aiming for (ingesting logs with a specific event ID that include the C$, IPC$, or ADMIN$ shares) using the allow filter functionality.

Solution: Use an Allow Filter

Instead of trying to filter out logs using negative lookaheads, you can configure an allow filter that will only accept logs that match both your event ID and the specific share names (C$, IPC$, ADMIN$). By using an allow filter, you ensure that only logs containing those patterns are ingested, and anything else is dropped.

Example Configuration:

Here’s how the configuration would look for your specific case:

regex_filters:
allow_filter:
regexp: .*EventID=5140.*\\\\(C\\$|IPC\\$|ADMIN\\$)
behavior_on_match: allow

 

  • EventID=5140: This part of the regex filters for logs containing this particular event ID (you can adjust it for the event ID you're targeting).
  • \\\\(C\\$|IPC\\$|ADMIN\\$): This part ensures the log contains one of the share names C$, IPC$, or ADMIN$.
  • Allow Filter: By using an allow filter, the forwarder will automatically block any logs that don't match this pattern.

You're also correct that block filters take precedence over allow filters. This means that if you have any block filters in place, they will override the allow filter and block logs, even if they match the allow condition. To avoid this, ensure there are no conflicting block filters that might block the logs you're trying to allow.

 

 

 


I think I follow but I am still a little fuzzy on the overall logic. The documentation says that in the absence of any filters the default behavior is to allow all but if you explicitly configure an allow filter then anything that doesn't match that will be blocked - does that mean that if I configure a filter for the C|IPC|ADMIN shares per your recommendation and have no other filters in place that all other logs that do not contain those shares will be blocked? Would I need another allow filter at the bottom that simply has a '.*' in order to allow everything else?

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.