Log4j Vulnerability (Log4Shell)

Detecting exploitation directly is extremely difficult because the exploit string is easily obfuscated.


Better results are probably to be had from detecting secondary effects, such as outbound connections initiated by internet-facing services.
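The secondary-effect approach described above, as an added example that is not part of this page: it flags outbound connections from an assumed inventory of internet-facing hosts to non-internal addresses, using constructed firewall-style flow records. The host list, allowed destinations and port set are assumptions to be replaced with your own.

```python
import ipaddress
from collections import namedtuple

# Constructed sample of firewall/NetFlow-style records: time, src, dst, dport.
SAMPLE_FLOWS = """\
2021-12-11T10:02:11Z 10.0.1.20 10.0.5.10 5432
2021-12-11T10:02:15Z 10.0.1.20 198.51.100.23 1389
2021-12-11T10:02:16Z 10.0.1.20 198.51.100.23 8080
2021-12-11T10:03:00Z 10.0.1.21 192.0.2.50 443
2021-12-11T10:04:40Z 10.0.9.4 203.0.113.77 1099
"""

WEB_TIER = {"10.0.1.20", "10.0.1.21"}       # assumed: internet-facing app servers
ALLOWED_EGRESS = {("192.0.2.50", 443)}      # assumed: approved destinations (e.g. update mirror)
# LDAP, LDAPS, RMI registry and the common unprivileged LDAP port: the
# services a JNDI lookup reaches out to, so hits here are rated higher.
JNDI_PORTS = {389, 636, 1099, 1389}
# Internal ranges are checked explicitly rather than via is_private, because
# Python's ipaddress also treats the documentation ranges used here as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Alert = namedtuple("Alert", "time src dst dport severity")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    time, src, dst, dport = line.split()
    return time, src, dst, int(dport)


def detect_suspicious_egress(flows_text: str, web_tier=WEB_TIER, allowed=ALLOWED_EGRESS):
    """Return alerts for web-tier hosts initiating connections to external addresses."""
    alerts = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        time, src, dst, dport = parse_flow(line)
        # Only internet-facing sources matter, and expected egress is excluded.
        if src not in web_tier or is_internal(dst) or (dst, dport) in allowed:
            continue
        severity = "high" if dport in JNDI_PORTS else "medium"
        alerts.append(Alert(time, src, dst, dport, severity))
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_egress(SAMPLE_FLOWS):
        print(f"[{alert.severity}] {alert.time} {alert.src} -> {alert.dst}:{alert.dport}")
```

Any connection a web-tier host initiates to the internet is worth a look during a Log4Shell response; the port set only decides the initial severity, since a callback can use any port.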


https://github.com/Neo23x0/log4shell-detector


https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592


Canarytokens can generate a token to test for the vulnerability; Log4Shell is the last entry in the token type dropdown.


https://canarytokens.org/generate


Splunk have put out a blog post with searches that may be helpful.

https://www.splunk.com/en_us/blog/security/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html


NCC's guide

https://research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/


Google Chronicle's guide

https://chroniclesec.medium.com/detecting-and-responding-to-apache-log4j-2-cve-2021-44228-using-google-chronicle-ec77d676eaea