You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
| ##### COURTESY | |
| # @CuratedIntel | |
| # https://curatedintel.org | |
| ##### BACKGROUND | |
| # Initally shared on RAMP ransomware forum | |
| # Last shared on Groove ransomware extortion website | |
| # Publicized by Bleeping Computer, which led to this post being issued to help blue teamers | |
| # https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/ |