Need regex for sample nginx log to configure extractor

Dear all,

Someone please help with a complete regex for the sample log below.

1xx.2xx.3x.4xx - - [1/Apr/2022:05:54:15 -0700 - 0.014] 200 “GET /application/subfield/private_session.aspx?m=xxxxx.xxxxxd0428f6695dc8x HTTP/2.0” 2 “https://example.com/subpage/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36” “-”

I can extract only the URL part using "(?:POST|GET|DELETE|PUT|HEAD|OPTIONS|CONNECT)\s(.*?)\sHTTP/\d.\d " .

Can someone please help with a complete regex for the above nginx log? The idea is to extract srcip, user, timestamp, application name, useragent, etc.

Thank you.

:thinking:

You may have more luck putting together a GROK pattern for that. I started one out here, shouldn’t be too hard to finish off…

:stuck_out_tongue_winking_eye:

1 Like
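
A regex for the sample line in the question, as an added Python example (not code from any poster in this thread). The field names and meanings (`request_time`, `bytes_sent`, `last_field`, `application`) are assumptions read off the sample, since the thread does not show the nginx `log_format`. Python spells named groups `(?P<name>…)`, where Java-based regex engines use `(?<name>…)`.

```python
import re

# Field meanings are assumptions read off the sample line; the thread does
# not show the nginx log_format that produced it.
LINE_RE = re.compile(
    r'^(?P<srcip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<timestamp>\d{1,2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})'
    r' - (?P<request_time>[\d.]+)\] '
    r'(?P<status>\d{3}) "(?P<request>[^"]*)" (?P<bytes_sent>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)" "(?P<last_field>[^"]*)"$'
)
# The request line is split in a second step so that lines carrying junk
# instead of "METHOD URI HTTP/x.y" are still parsed rather than dropped.
REQUEST_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<http_version>\d(?:\.\d)?)$'
)
# The forum rendered the straight quotes of the log as curly ones.
CURLY_QUOTES = str.maketrans("“”", '""')

def parse_line(line):
    """Return a dict of fields, or None if the line has a different layout."""
    m = LINE_RE.match(line.strip().translate(CURLY_QUOTES))
    if m is None:
        return None
    fields = m.groupdict()
    req = REQUEST_RE.match(fields["request"])
    fields["malformed_request"] = req is None
    if req:
        fields.update(req.groupdict())
        path, _, query = fields["uri"].partition("?")
        fields["uri_path"], fields["uri_query"] = path, query
        # Assumption: the application name is the first path segment.
        fields["application"] = path.lstrip("/").split("/", 1)[0]
    return fields

# Constructed sample lines (documentation IP addresses, shortened query).
SAMPLE = ('203.0.113.7 - - [1/Apr/2022:05:54:15 -0700 - 0.014] 200 '
          '“GET /application/subfield/private_session.aspx?m=abc123 HTTP/2.0” 2 '
          '“https://example.com/subpage/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
          'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36” “-”')
MALFORMED = (r'203.0.113.9 - - [1/Apr/2022:05:54:16 -0700 - 0.000] 400 '
             r'"\x16\x03\x01" 150 "-" "-" "-"')

if __name__ == "__main__":
    for line in (SAMPLE, MALFORMED):
        print(parse_line(line))
```

The `[^"]*` groups rely on nginx's default access-log escaping, which writes a literal `"` inside a field as `\x22`.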

Hey @13rn3r

Can I ask what type of input you're using and how you're sending these logs?
I assume you want the whole message from nginx broken down into fields?