Hello,
You're absolutely right that RE2, which is used by Google Chronicle's forwarder, does not support negative lookaheads. However, you can achieve what you're aiming for (ingesting logs with a specific event ID that include the C$, IPC$, or ADMIN$ shares) using the allow filter functionality.
Solution: Use an Allow Filter
Instead of trying to filter out logs using negative lookaheads, you can configure an allow filter that will only accept logs that match both your event ID and the specific share names (C$, IPC$, ADMIN$). By using an allow filter, you ensure that only logs containing those patterns are ingested, and anything else is dropped.
Example Configuration:
Here’s how the configuration would look for your specific case:
regex_filters:
  allow_filter:
    regexp: .*EventID=5140.*\\\\(C\\$|IPC\\$|ADMIN\\$)
    behavior_on_match: allow
- EventID=5140: This part of the regex filters for logs containing this particular event ID (you can adjust it for the event ID you're targeting).
- \\\\(C\\$|IPC\\$|ADMIN\\$): This part ensures the log contains one of the share names C$, IPC$, or ADMIN$.
- Allow Filter: By using an allow filter, the forwarder will automatically block any logs that don't match this pattern.
You're also correct that block filters take precedence over allow filters. This means that if you have any block filters in place, they will override the allow filter and block logs, even if they match the allow condition. To avoid this, ensure there are no conflicting block filters that might block the logs you're trying to allow.
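The following is an added example, not code from the answer above or from Google's forwarder. It models the filter logic as this thread describes it (a matching block filter always drops the line; once any allow filter is configured, a line must match one of them; with no filters at all everything is forwarded) over a handful of constructed Windows Security log lines, so you can see what a share-name allow filter does on its own, under a conflicting block filter, and next to a catch-all `.*` allow filter. It uses Python's `re` on an RE2-compatible subset and refuses lookaround up front, since that is exactly the construct RE2 will not accept. The filter names, the key=value log shape and the unanchored-search matching are assumptions for the illustration, not taken from the forwarder's documentation.

```python
import re

# Constructed Windows Security log lines (sample data, not real telemetry),
# flattened into the key=value shape the regex in the thread assumes.
SAMPLE_LOGS = [
    r"EventID=5140 ShareName=\\*\C$ AccountName=jsmith",
    r"EventID=5140 ShareName=\\*\IPC$ AccountName=svc_backup",
    r"EventID=5140 ShareName=\\*\ADMIN$ AccountName=admin",
    r"EventID=5140 ShareName=\\*\Finance AccountName=jsmith",
    r"EventID=4624 LogonType=3 AccountName=jsmith",
]

# Pattern as the regex engine receives it from a YAML plain scalar: YAML does
# not unescape backslashes there, so one level of RE2 escaping is used, and the
# '$' in the share name is escaped so it is a literal dollar, not an end anchor.
SHARE_REGEX = r".*EventID=5140.*\\(C|IPC|ADMIN)\$"

# Filter sets in the shape of a regex_filters map (name -> regexp + behavior).
# The names are hypothetical.
ALLOW_SHARES = {
    "allow_admin_shares": {"regexp": SHARE_REGEX, "behavior_on_match": "allow"},
}
ALLOW_SHARES_PLUS_BLOCK = {
    **ALLOW_SHARES,
    "block_5140": {"regexp": r".*EventID=5140.*", "behavior_on_match": "block"},
}
ALLOW_SHARES_PLUS_CATCHALL = {
    **ALLOW_SHARES,
    "allow_everything_else": {"regexp": r".*", "behavior_on_match": "allow"},
}

# (?=  (?!  (?<=  (?<!  : lookahead/lookbehind, none of which RE2 supports.
_LOOKAROUND = re.compile(r"\(\?<?[=!]")


def uses_lookaround(pattern):
    """True if the pattern relies on lookaround, which RE2 would reject."""
    return _LOOKAROUND.search(pattern) is not None


def compile_filters(filters):
    """Split a filter map into compiled (block, allow) lists.

    Compiles with Python's re, restricted to constructs RE2 also accepts.
    """
    blocks, allows = [], []
    for name, spec in filters.items():
        if uses_lookaround(spec["regexp"]):
            raise ValueError(f"{name}: lookaround is not supported by RE2")
        target = blocks if spec["behavior_on_match"] == "block" else allows
        target.append(re.compile(spec["regexp"]))
    return blocks, allows


def is_forwarded(blocks, allows, line):
    """Apply the precedence described in the thread to one log line.

    Assumes unanchored search semantics (a match anywhere in the line counts).
    """
    if any(rx.search(line) for rx in blocks):
        return False          # block filters win over everything
    if allows:
        return any(rx.search(line) for rx in allows)  # must hit an allow
    return True               # no allow filters configured: default allow


def filter_logs(filters, lines):
    """Return the lines that would be forwarded under the given filter map."""
    blocks, allows = compile_filters(filters)
    return [line for line in lines if is_forwarded(blocks, allows, line)]


if __name__ == "__main__":
    for label, cfg in [("no filters", {}),
                       ("allow shares only", ALLOW_SHARES),
                       ("allow shares + block 5140", ALLOW_SHARES_PLUS_BLOCK),
                       ("allow shares + allow .*", ALLOW_SHARES_PLUS_CATCHALL)]:
        kept = filter_logs(cfg, SAMPLE_LOGS)
        print(f"{label}: {len(kept)}/{len(SAMPLE_LOGS)} lines forwarded")
        for line in kept:
            print("   ", line)
```

With only the share filter configured, the three admin-share 5140 events are forwarded and the 4624 logon and the `\Finance` share access are dropped. Adding a block filter on `EventID=5140` drops everything, because the block wins even for lines the allow filter matches. Adding a second allow filter of `.*` forwards every line, which makes the share filter redundant rather than additive.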
I think I follow, but I am still a little fuzzy on the overall logic. The documentation says that in the absence of any filters the default behavior is to allow all, but if you explicitly configure an allow filter then anything that doesn't match it will be blocked. Does that mean that if I configure a filter for the C|IPC|ADMIN shares per your recommendation and have no other filters in place, all other logs that do not contain those shares will be blocked? Would I need another allow filter at the bottom that simply has '.*' in order to allow everything else?