Gah, I now remember the headaches around the differences in case-sensitivity between Sigma and Loki! Fixing this is currently blocked by grafana/loki#9294.
It looks like a LogQL query generated from a Sigma rule will be case sensitive when looking for keywords.

This is problematic for instance with the web_apache_segfault.yml rule as it looks for the pattern `exit signal Segmentation Fault` whereas apache actually logs `exit signal Segmentation fault` (no capital f), therefore not finding any results.

The Sigma specification advises the following:
and
Therefore, it seems that in this case, the LogQL query generated from the rule should be case insensitive.