Case sensitivity in generated LogQL queries
romain-gaillard opened this issue · 2 comments
It looks like a LogQL query generated from a Sigma rule will be case-sensitive when looking for keywords.
This is problematic for instance with the `web_apache_segfault.yml` rule, as it looks for the pattern `exit signal Segmentation Fault`, whereas Apache actually logs `exit signal Segmentation fault` (no capital F), therefore not finding any results.
The Sigma specification advises the following:
- All values are treated as case-insensitive strings
and
- Regular expressions are case sensitive by default
Therefore, it seems that in this case, the LogQL query generated from the rule should be case insensitive.
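The mismatch described in this issue, reproduced as an added example (this is not code from the issue, from Loki or from the pySigma Loki backend). It builds the two LogQL line filters a backend could emit for the Sigma keyword: the case-sensitive substring filter `|=` and a case-insensitive regex filter `|~` using Loki's RE2 inline flag `(?i)`, then runs both over a few constructed Apache-style log lines. Python's `re` module stands in for Loki's RE2 engine, which is an assumption that holds for the simple literal patterns used here; the function names, the sample lines and the `re2_escape` helper are all mine.

```python
import re

# Constructed Apache error-log lines, modelled on the message quoted in the
# issue (the real log writes "Segmentation fault", lower-case f).  These are
# not captured logs.
SAMPLE_LINES = [
    "[core:notice] [pid 1234] AH00052: child pid 1299 exit signal Segmentation fault (11)",
    "[core:notice] [pid 1234] AH00052: child pid 1300 exit signal Segmentation Fault (11)",
    "[mpm_prefork:notice] [pid 1234] AH00170: caught SIGTERM, shutting down",
]

# The keyword exactly as written in the Sigma rule (capital F).
KEYWORD = "exit signal Segmentation Fault"

# Characters that are metacharacters in RE2 (Loki's regex engine).  A keyword
# containing any of these must be escaped before it is placed in a |~ filter,
# otherwise the Sigma value stops being a literal match.
_RE2_META = set("\\.+*?()|[]{}^$")


def re2_escape(s: str) -> str:
    """Escape a literal string so RE2 treats every character literally."""
    return "".join("\\" + c if c in _RE2_META else c for c in s)


def logql_quote(s: str) -> str:
    """Wrap a string in a LogQL double-quoted literal (Go-style escapes)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def logql_unquote(quoted: str) -> str:
    """Inverse of logql_quote for the two escapes it emits."""
    assert quoted.startswith('"') and quoted.endswith('"'), quoted
    body, out, i = quoted[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])   # \" -> ", \\ -> \
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def logql_line_filter(keyword: str) -> str:
    """Case-sensitive substring filter: the naive translation of a Sigma value."""
    return "|= " + logql_quote(keyword)


def logql_regex_filter(keyword: str) -> str:
    """Case-insensitive filter: RE2 regex with the (?i) flag, keyword escaped."""
    return "|~ " + logql_quote("(?i)" + re2_escape(keyword))


def apply_filter(filter_expr: str, lines):
    """Evaluate a single |= or |~ line filter the way Loki would (approximately).

    Python's re is used in place of RE2; for escaped literals plus (?i) the
    two engines agree.
    """
    op, _, quoted = filter_expr.partition(" ")
    needle = logql_unquote(quoted)
    if op == "|=":
        return [line for line in lines if needle in line]
    if op == "|~":
        pattern = re.compile(needle)
        return [line for line in lines if pattern.search(line)]
    raise ValueError("unsupported filter operator: " + op)


if __name__ == "__main__":
    for build in (logql_line_filter, logql_regex_filter):
        expr = build(KEYWORD)
        hits = apply_filter(expr, SAMPLE_LINES)
        print(f"{expr}\n  -> {len(hits)} match(es)")
        for h in hits:
            print("     " + h)
```

Run as a script, the `|=` filter matches only the line spelled with a capital F (one hit), so the real Apache message is missed, while the `|~ "(?i)..."` filter matches both segfault lines and still ignores the SIGTERM line. The `re2_escape` step matters for values like `Segmentation fault (11)`: without it the parentheses would become a capture group rather than literal text.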
Gah, I now remember the headaches around the differences in case-sensitivity between Sigma and Loki! Fixing this is currently blocked by grafana/loki#9294.
Pull request (grafana/loki#9404) to fix the Loki case sensitivity problem is now in for review.