Hi how do i search for unparsed logs? My dashboard show 9 sysmon logs but no matter how i vary my search string, my search only returns 1 log event
How can i search for unparsed logs?
+1
+6- Bronze 2
Are you able to share a screenshot of your search options without leaking info?
It should be pretty straight forward. Do you need to maybe increase your time or the logs you’re searching?
What variations of your search string have you tried? Does regex search change anything?
+1i use the regex .* as the search string. I extended to the max time period and it is still the same
+6- Bronze 2
Mine works doing the above, assuming you tick the regex option when using .*
When you say you see 9 logs in your dashboard, do you mean UDM, Chronicle Dashboards or maybe an external source?
+1Chronicle dashboard indicates 9 sysmon events came in but then i do a raw event regex search with .*, it only returns 1 log event. I cant see what are the other 8 sysmon events that went into chronicle.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.