Ridgeline Skill
For SOC Analysts, IR Practitioners, and Security Engineers
Log Analysis with Regex
Focused skills. One thing, learned properly.
Learn the regular expression patterns that extract IPs, timestamps, usernames, URLs, and error codes from any log format. Grep, sed, awk, and PowerShell regex — the universal parser for every log source you will encounter.
Content last updated: April 2026
Sections
RX0.1 Regex Fundamentals for Security — Character classes, quantifiers, anchors, groups, and alternation. The 10 patterns every analyst needs: IP addresses, email addresses, URLs, timestamps, hex strings, Base64, Windows paths, registry paths, UUIDs, and hashes. Testing with regex101.com.
RX0.2 grep Patterns for Log Hunting — grep, grep -E (extended regex, the old egrep), and grep -P (PCRE, GNU grep only). Recursive search, context lines, invert match, count, and file listing. 15 security-specific grep patterns: finding IPs in logs, extracting failed logins, hunting for Base64 blobs, filtering by time ranges.
RX0.3 sed and awk for Log Transformation — sed for search-and-replace, field extraction, and log normalisation. awk for column-based processing, aggregation, and report generation. Practical workflows: normalising timestamps across log sources, extracting fields from unstructured logs, and building frequency tables.
RX0.4 PowerShell Regex for Windows Logs — Select-String, -match, -replace, and [regex]::Matches(). Named capture groups. Parsing Windows Security events, PowerShell ScriptBlock logs, and Defender alerts. Building log parsing functions.
RX0.5 Parsing Real-World Log Formats — Complete parsing recipes for 6 log formats: Apache/Nginx access logs, Windows Security XML events, syslog (RFC 5424), Palo Alto firewall logs, AWS CloudTrail JSON, and Squid proxy logs. Each with a regex pattern, field extraction, and an IOC-hunting one-liner.
Lab Guided Lab: Parse the INC-2026-0501 Log Bundle — You receive a bundle of mixed-format logs from the NE incident: Windows Security events (XML), Palo Alto firewall logs (CSV), proxy logs, and DNS query logs. Extract all IPs that communicated with the C2 server, build a timeline of authentication events, and produce a consolidated IOC list — all using regex.
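An added example, not part of the Ridgeline course materials, that ties the RX0.1, RX0.2, RX0.3 and RX0.5 topics together on a constructed five-line bundle (two Apache combined-format access-log lines and three syslog-style sshd lines, using RFC 5737 documentation addresses): a range-checked IPv4 pattern written in POSIX ERE, grep -oE feeding a frequency table, sed -E capture groups pulling user and source address out of failed logins, and awk normalising Apache timestamps to ISO 8601 so the web tier can be sorted into one timeline with other sources. It assumes only POSIX grep, sed -E and awk (no grep -P, no GNU-only sed escapes); the sample lines and the function names ip_frequency, failed_logins and apache_to_iso are mine.

```shell
#!/usr/bin/env sh
# Added example (not part of the Ridgeline course materials).
# Regex log hunting with portable POSIX tools: grep -E for extraction,
# sed -E capture groups for field extraction, awk for timestamp
# normalisation and a frequency table.

# Constructed sample bundle: two Apache combined-format access-log lines and
# three syslog-style sshd lines. Addresses come from the RFC 5737
# documentation ranges; nothing here is real incident data.
SAMPLE_LOGS='203.0.113.7 - - [05/May/2026:14:03:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.22 - - [05/May/2026:14:03:15 +0000] "POST /wp-login.php HTTP/1.1" 302 512 "-" "curl/8.0"
May  5 14:04:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
May  5 14:04:09 web01 sshd[2231]: Accepted password for deploy from 198.51.100.22 port 51050 ssh2
May  5 14:04:20 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 51061 ssh2'

# IPv4 with per-octet range checks (0-255) in POSIX ERE: no \d, no \b.
# Caveat: without anchors or boundaries it still pulls 99.1.1.1 out of
# 999.1.1.1, so anchor it or post-filter when that matters. In this bundle
# the surrounding text supplies the boundaries.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4_RE="$OCTET(\\.$OCTET){3}"

# Extract every IPv4 address and print an "<ip> <count>" table, most
# frequent first: the classic grep | sort | uniq -c | sort -rn pipeline,
# with awk swapping the columns so the IP is in field 1 for later joins.
ip_frequency() {
  printf '%s\n' "$SAMPLE_LOGS" \
    | grep -oE "$IPV4_RE" \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Print "<user> <source ip>" for each sshd failure using sed -E capture
# groups. The optional "invalid user " group keeps the user name at a fixed
# group number; the IPv4 sub-pattern's own parentheses shift every group
# number after it, which is why the port is matched but not captured.
failed_logins() {
  printf '%s\n' "$SAMPLE_LOGS" \
    | sed -nE 's/.* sshd\[[0-9]+]: Failed password for (invalid user )?([^ ]+) from ('"$IPV4_RE"') port [0-9]+.*/\2 \3/p'
}

# Normalise Apache's [dd/Mon/yyyy:HH:MM:SS +zzzz] timestamp to ISO 8601 and
# print "<iso timestamp> <client ip>" for each access-log line. Brace
# intervals are avoided in the awk regex because older mawk lacks them.
apache_to_iso() {
  printf '%s\n' "$SAMPLE_LOGS" | awk '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= n; i++) mon[names[i]] = sprintf("%02d", i)
    }
    match($0, /\[[0-9][0-9]\/[A-Za-z]+\/[0-9]+:[0-9:]+ [+-][0-9]+]/) {
      ts = substr($0, RSTART + 1, RLENGTH - 2)   # drop the surrounding brackets
      split(ts, p, "[/: ]")                       # day mon year hh mm ss tz
      printf "%s-%s-%sT%s:%s:%s%s %s\n", p[3], mon[p[2]], p[1], p[4], p[5], p[6], p[7], $1
    }'
}

# Run all three when executed as a script.
ip_frequency
failed_logins
apache_to_iso
```

Running the script prints the frequency table (203.0.113.7 three times, 198.51.100.22 twice), the two failed logins for admin and root from 203.0.113.7, and the two Apache lines rewritten as 2026-05-05T14:03:11+0000 and 2026-05-05T14:03:15+0000. To point the functions at a real bundle, replace the printf of SAMPLE_LOGS with cat of the log files; the regexes do not change.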