Log Analysis with Regex

Extract what matters from any log, in any format.

Write regular expression patterns that extract IPs, timestamps, usernames, URLs, and error codes from any log format. Grep, sed, awk, and PowerShell regex, the universal parser for every log source you will encounter.

Short Course | Premium tier | 3 hours at your own pace | Updated May 2026

Sections

RX0.1
Regex Fundamentals for SecurityCharacter classes, quantifiers, anchors, groups, and alternation. The 10 patterns every analyst needs: IP addresses, email addresses, URLs, timestamps, hex strings, Base64, Windows paths, registry paths, UUIDs, and hashes. Testing with regex101.com.
RX0.2
grep Patterns for Log Huntinggrep, egrep, and grep -P (Perl regex). Recursive search, context lines, invert match, count, and file listing. 15 security-specific grep patterns: finding IPs in logs, extracting failed logins, hunting for Base64 blobs, filtering by time ranges.
RX0.3
sed and awk for Log Transformationsed for search-and-replace, field extraction, and log normalization. awk for column-based processing, aggregation, and report generation. Practical workflows: normalizing timestamps across log sources, extracting fields from unstructured logs, and building frequency tables.
RX0.4
PowerShell Regex for Windows LogsSelect-String, -match, -replace, and [regex]::Matches(). Named capture groups. Parsing Windows Security events, PowerShell ScriptBlock logs, and Defender alerts. Building log parsing functions.
RX0.5
Parsing Real-World Log FormatsComplete parsing recipes for 6 log formats: Apache/Nginx access logs, Windows Security XML events, syslog (RFC 5424), Palo Alto firewall logs, AWS CloudTrail JSON, and Squid proxy logs. Each with a regex pattern, field extraction, and an IOC-hunting one-liner.
Lab
Guided Lab: Parse the INC-2026-0501 Log BundleYou receive a bundle of mixed-format logs from the NE incident: Windows Security events (XML), Palo Alto firewall logs (CSV), proxy logs, and DNS query logs. Extract all IPs that communicated with the C2 server, build a timeline of authentication events, and produce a consolidated IOC list, all using regex.