need help for fixing log regex on promtail

I was following the tutorial at https://sbcode.net/grafana/nginx-promtail/, but I have a little problem: this part is not working on my server https://prnt.sc/1x8vi6q

I think it is because the log format on my server is like this:

10.10.1.110 - - [22/Oct/2021:15:59:27 +0700] TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /files/image/Icon%20Kronika%20Juni%202021(1).jpg HTTP/1.0" 200 65274

10.10.1.110 - - [22/Oct/2021:15:59:27 +0700] TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /files/image/Icon%20Kronika%20Juli-Agustus(1).jpg HTTP/1.0" 200 71093

and I don't know how to fix that regex, so if you can fix it, please help me.

1 answer

  • answered 2021-10-24 19:04 Alper

    It looks like your nginx is logging requests differently from how you want to parse them.

    The logs contain ssl_protocol (e.g. TLSv1.3) and ssl_ciphers (e.g. TLS_AES_256_GCM_SHA384), and they omit http_referer and http_user_agent.

    This regex seems to work (https://regex101.com/r/bn0l9c/1):

    ^(?P<remote_addr>[\w\.]+) - (?P<remote_user>[^ ]*) \[(?P<time_local>.*)\] (?P<ssl_protocol>[\w\.]+) (?P<ssl_ciphers>[\w\._]+) "(?P<method>[^ ]*) (?P<request>[^ ]*) (?P<protocol>[^ ]*)" (?P<status>[\d]+) (?P<body_bytes_sent>[\d]+)
    

    You can also try to change the format of your nginx logs if you want to add the omitted fields as well (or remove the extra ones).

    By the way, the example you've shared has a bunch of parsed fields commented out (it only allows method and status). You should uncomment the others if you want to be able to use them.
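A quick way to check an expression like the one above against a real log sample before pasting it into Promtail is to run it through Python's re module, which accepts the same (?P<name>...) named groups as Go's RE2 (what Promtail's regex stage compiles). The script below is an added example, not code from the question, the answer, or the sbcode tutorial; it uses the answer's regex unchanged and feeds it the two lines from the question plus one constructed IPv6 client line (assumed to be in the same format, since nginx writes $remote_addr verbatim) that the expression rejects, because [\w\.]+ has no colon.

```python
import re
from typing import Optional

# The expression from the answer, verbatim. Python's re module accepts the
# same (?P<name>...) named groups as Go's RE2, which Promtail's regex
# pipeline stage compiles, so what matches here matches in Promtail.
NGINX_TLS_LOG_RE = re.compile(
    r'^(?P<remote_addr>[\w\.]+) - (?P<remote_user>[^ ]*) \[(?P<time_local>.*)\] '
    r'(?P<ssl_protocol>[\w\.]+) (?P<ssl_ciphers>[\w\._]+) '
    r'"(?P<method>[^ ]*) (?P<request>[^ ]*) (?P<protocol>[^ ]*)" '
    r'(?P<status>[\d]+) (?P<body_bytes_sent>[\d]+)'
)

# Constructed sample input: the two lines from the question, plus one assumed
# IPv6 client line in the same format. The third line is deliberately one the
# answer's regex does NOT match: [\w\.]+ in remote_addr has no ':'.
SAMPLE_LINES = [
    '10.10.1.110 - - [22/Oct/2021:15:59:27 +0700] TLSv1.3 TLS_AES_256_GCM_SHA384 '
    '"GET /files/image/Icon%20Kronika%20Juni%202021(1).jpg HTTP/1.0" 200 65274',
    '10.10.1.110 - - [22/Oct/2021:15:59:27 +0700] TLSv1.3 TLS_AES_256_GCM_SHA384 '
    '"GET /files/image/Icon%20Kronika%20Juli-Agustus(1).jpg HTTP/1.0" 200 71093',
    '::1 - - [22/Oct/2021:16:00:01 +0700] TLSv1.3 TLS_AES_256_GCM_SHA384 '
    '"GET / HTTP/1.0" 200 612',
]


def parse_line(line: str) -> Optional[dict]:
    """Return the named groups for one access-log line as strings (Promtail
    also extracts strings), or None when the expression does not match.
    In Promtail a non-matching line is still shipped, but the regex stage
    extracts nothing from it, so no labels get attached."""
    m = NGINX_TLS_LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_lines(lines):
    """Split a batch of lines into parsed field dicts and the raw lines the
    expression rejected, so gaps in the regex show up before it goes into
    promtail's pipeline_stages."""
    parsed = []
    unmatched = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            unmatched.append(line)
        else:
            parsed.append(fields)
    return parsed, unmatched


if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for f in ok:
        print(f["remote_addr"], f["method"], f["request"], f["status"], f["body_bytes_sent"])
    for line in bad:
        print("NO MATCH:", line)
```

In Promtail the same expression goes into the `expression:` of a `regex` pipeline stage, and only the fields listed in the following `labels:` stage become Loki labels. Keep that list to low-cardinality fields such as method and status; promoting request or remote_addr to labels creates one stream per distinct value. If your server also sees IPv6 clients, widen the remote_addr group (for example to `[^ ]+`) or those lines will ship with no parsed fields, as the third sample line shows.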
