
Invalid query filter when trying to filter on a field that contains spaces and backslashes #5266

Closed
krzotr opened this issue Nov 5, 2018 · 1 comment
@krzotr krzotr commented Nov 5, 2018

I found a bug in Graylog 2.4.6; on 3.0.0-alpha.3+7530b69 everything is OK.

Please see my short video:

[video: graylog-server]

  1. I have a field called path which contains the location of calc.exe, C:\Windows\System32\calc.exe. When I click the plus button to set the filter, everything is fine: I see all events where that path is specified.
  2. I have a field called path which contains the location of Google Chrome, c:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Program Files has a space between Program and Files, and the path contains backslashes). When I click the plus button to set the filter, I do not see any events.

To fix the problem in Graylog 2.4.6 I have to add an extra backslash in the query:

  • Does not work: path:"c:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  • Works: path:"c:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"

Expected Behavior

When I click the plus button to filter on a path field which contains c:\Program Files (x86)\Google\Chrome\Application\chrome.exe (the path contains spaces and backslashes), I should see only the events where the path is equal to the specified location of the file.

Current Behavior

I do not see any events when I click the plus button for the specified location of the Google Chrome exe file (the path contains spaces and backslashes).

Possible Solution

I have to add a special backslash in the filter: path:"c:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"

On Graylog 3.0.0-alpha.3 the query filter is correct!

Steps to Reproduce (for bugs)

  1. Create an extractor for syslog-udp
    1.1. Grok pattern: Exec path: %{GREEDYDATA:path}
    1.2. Source field: message

  2. Send a few events to the system

    echo "Exec path: c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" | nc -u 127.0.0.1 514
    echo "Exec path: C:\Windows\System32\calc.exe" | nc -u 127.0.0.1 514

  3. Use the plus button to filter on the location of the chrome.exe file

  4. No events are shown; there should be at least one

Context

To send all Windows Events to the Graylog server I use the Graylog collector-sidecar (winlogbeat). I found the problem when I tried to filter all events containing the full path of Google Chrome.

Your Environment

  • Graylog Version: 2.4.6
  • Elasticsearch Version: 5.6.11
@jalogisch jalogisch added this to the 2.5.0 milestone Nov 19, 2018
@bernd bernd assigned bernd and unassigned kmerz Nov 26, 2018
bernd added a commit that referenced this issue Nov 26, 2018
The add search term button (eg. in the Quick Values view)
is adding search terms to the search bar. A search term
with spaces will be treated as a phrase and therefore will
only be surrounded by double quotes. But those phrases did
not escape backslashes, which is still needed to perform
the search.

Now phrases will also get the backslashes escaped.

Also: Add some tests for adding a search term.

Fixes #4111
Fixes #5266

(cherry picked from commit bfc4a9f)

@bernd bernd commented Nov 26, 2018

@krzotr Thank you for the report. This will be fixed in the upcoming 2.5 release.

edmundoa added a commit that referenced this issue Nov 26, 2018
@edmundoa edmundoa closed this Nov 26, 2018