Case sensitivity in generated LogQL queries #50

Closed
romain-gaillard opened this issue Apr 26, 2023 · 2 comments · Fixed by #53
@romain-gaillard
Contributor

romain-gaillard commented Apr 26, 2023

It looks like a LogQL query generated from a Sigma rule will be case sensitive when looking for keywords.

This is problematic, for instance, with the `web_apache_segfault.yml` rule, as it looks for the pattern `exit signal Segmentation Fault` whereas Apache actually logs `exit signal Segmentation fault` (no capital f), therefore not finding any results.

The Sigma specification advises the following:

- All values are treated as case-insensitive strings

and

- Regular expressions are case sensitive by default

Therefore, it seems that in this case, the LogQL query generated from the rule should be case insensitive.
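
The mismatch described in this issue, as an added example that is not part of the original post and not code from the Sigma backend: it builds the case-sensitive `|=` line filter and a case-insensitive `|~ "(?i)..."` regex filter for the same keyword, then checks both against an Apache-style line. The helper names, the `{job="apache"}` selector and the sample log line are assumptions constructed for the illustration.

```python
import re

# Metacharacters escaped by Go's regexp.QuoteMeta (Loki regexes use Go RE2 syntax).
RE2_META = set(r"\.+*?()|[]{}^$")

def quote_meta(text):
    """Escape regex metacharacters so a Sigma keyword is matched literally."""
    return "".join("\\" + c if c in RE2_META else c for c in text)

def logql_string(text):
    """Render text as a double-quoted LogQL string literal."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def exact_filter(keyword):
    """Case-sensitive 'line contains' filter."""
    return "|= " + logql_string(keyword)

def insensitive_pattern(keyword):
    """Regex that matches the keyword literally, ignoring case."""
    return "(?i)" + quote_meta(keyword)

def insensitive_filter(keyword):
    """Case-insensitive regex line filter for the same keyword."""
    return "|~ " + logql_string(insensitive_pattern(keyword))

def contains(line, keyword):
    """Local stand-in for |= semantics: case-sensitive substring match."""
    return keyword in line

def regex_match(line, pattern):
    """Local stand-in for |~ semantics: unanchored regex search."""
    return re.search(pattern, line) is not None

SELECTOR = '{job="apache"}'                       # assumed stream selector
KEYWORD = "exit signal Segmentation Fault"        # pattern from the rule
# Constructed sample line using the casing Apache logs (lowercase "fault").
LOG_LINE = ("[core:notice] [pid 1234] AH00052: child pid 5678 "
            "exit signal Segmentation fault (11)")

if __name__ == "__main__":
    print(SELECTOR, exact_filter(KEYWORD), "->", contains(LOG_LINE, KEYWORD))
    print(SELECTOR, insensitive_filter(KEYWORD), "->",
          regex_match(LOG_LINE, insensitive_pattern(KEYWORD)))
```

The keyword is regex-escaped before the `(?i)` prefix is added, so characters such as `.` or `(` in a Sigma value keep their literal meaning once the filter becomes a regex.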

@kelnage
Collaborator

kelnage commented Apr 26, 2023

Gah, I now remember the headaches around the differences in case-sensitivity between Sigma and Loki! Fixing this is currently blocked by grafana/loki#9294.

@kelnage
Collaborator

kelnage commented May 5, 2023

Pull request (grafana/loki#9404) to fix the Loki case sensitivity problem is now in for review.
