Regex, logstash and passwords

So I'm looking for a way to detect when someone enters their password and then subst out the password for hashes. The is an example, it could be any ip address.

From this I want to detect if there is a password there

net use I: \\E$ /user:domain\username password /persistent:yes

Look behind, almost seems to have it but I can't get it to stop after the space after username...


net use I: \\E$ /user:domain\username password /persistent:yes

when I need it to get -

net use I: \\E$ /user:domain\username password /persistent:yes

... it would be something like this to gsub the password out and replace with ###

filter {
if [event_id] == 4688 {
mutate {
gsub => ["[event_data][CommandLine]", "(?<=/user:)(.*)(?<=\s)",
"########" ]

...I think I can get the gsub to work but for the life of me I can't get that regex to work.


Perhaps (?:\/user:\w+\s)(\S+)(?:\s)

Hey @guyboertje,

Man closer but that seems to hit the userame as well - I mean I could use that... but I really want to get that regex to just grab the password...
/user:domainusername password
wanted to see if it could grab just the password no /user:domainusername

I know I'm stubborn :slight_smile:

Ahh. Now, this works in Ruby 2.4.0 (?:\/user:\w+\s)\K(\S+)(?=\s) :slight_smile: but it does not in JRuby :frowning:

It does work with JRuby :slight_smile: but LS is will not ship with that version for a while because other bugs :frowning:

I can't think of a way to do what you want differently.

I appreciate the effort @guyboertje!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.