Log Analysis with Regex
Extract what matters from any log, in any format.
Write regular expression patterns that extract IPs, timestamps, usernames, URLs, and error codes from any log format. Grep, sed, awk, and PowerShell regex, the universal parser for every log source you will encounter.
Short Course
|
Premium tier
|
3 hours at your own pace
|
Updated May 2026
Sections
RX0.1Regex Fundamentals for SecurityCharacter classes, quantifiers, anchors, groups, and alternation. The 10 patterns every analyst needs: IP addresses, email addresses, URLs, timestamps, hex strings, Base64, Windows paths, registry paths, UUIDs, and hashes. Testing with regex101.com.
RX0.2grep Patterns for Log Huntinggrep, egrep, and grep -P (Perl regex). Recursive search, context lines, invert match, count, and file listing. 15 security-specific grep patterns: finding IPs in logs, extracting failed logins, hunting for Base64 blobs, filtering by time ranges.
RX0.3sed and awk for Log Transformationsed for search-and-replace, field extraction, and log normalization. awk for column-based processing, aggregation, and report generation. Practical workflows: normalizing timestamps across log sources, extracting fields from unstructured logs, and building frequency tables.
RX0.4PowerShell Regex for Windows Logs
RX0.5Select-String, -match, -replace, and [regex]::Matches(). Named capture groups. Parsing Windows Security events, PowerShell ScriptBlock logs, and Defender alerts. Building log parsing functions.Parsing Real-World Log FormatsComplete parsing recipes for 6 log formats: Apache/Nginx access logs, Windows Security XML events, syslog (RFC 5424), Palo Alto firewall logs, AWS CloudTrail JSON, and Squid proxy logs. Each with a regex pattern, field extraction, and an IOC-hunting one-liner.
LabGuided Lab: Parse the INC-2026-0501 Log BundleYou receive a bundle of mixed-format logs from the NE incident: Windows Security events (XML), Palo Alto firewall logs (CSV), proxy logs, and DNS query logs. Extract all IPs that communicated with the C2 server, build a timeline of authentication events, and produce a consolidated IOC list, all using regex.