--- title: Parsing NGINX log in Splunk excerpt: Configure regex in field extractor to create relevant fields date: 2021-12-25 tags: - splunk - nginx --- For web server's access log, Splunk has built-in support for Apache only. Splunk has a feature called field extractor. It is powered by delimiter and regex, and enables user to add new [_fields_](https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Aboutfields) to be used in a search query. This post will only covers the regex patterns to parse nginx log, for instruction on field extractor, I recommend perusing the [official documentation](https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/ExtractfieldsinteractivelywithIFX). To illustrate, say we have a log format like this: ``` {id} "{http.request.host}" "{http.request.header.user-agent}" ``` An example log is: ``` 123 "example.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0" ``` While you could search for a specific keyword, e.g. attempts of {% post_link log4shell-log4j-unbound-dns 'Log4shell exploit' %}, since there are no fields, you cannot run any statistics like [`table`](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Table) or [`stats`](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/stats) on the search results. Splunk is able to understand Apache log format because its field extractor already includes the necessary regex patterns to parse the relevant fields of each line in a log. Choosing a source type is equivalent of choosing a log format. If a format is not listed in [the default list](https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/Listofpretrainedsourcetypes), we can either use an add-on or create new fields using field extractor. There is a Splunk [add-on](https://docs.splunk.com/Documentation/AddOns/latest/NGINX) for nginx and I suggest to try it before resorting to field extractor. I create five patterns which cover most of the nginx events I encountered during my work. Refer to the documentation for [supported syntax](https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/AboutSplunkregularexpressions). A field is extracted through "capturing group". ``` (?capture pattern) ``` For example, `(?\w+)` searches for one or more (`+`) alphanumeric characters (`\w`) and names the field as `month`. I opted for lazier matching, mostly using unbounded quantifier `+` instead of a stricter range of occurrences `{M,N}` despite knowing the exact pattern of a field. I found some fields may stray off slightly from the expected pattern, so a lazier matching tends match more events without matching unwanted's. ## Web request ### Regex ``` (?\w+)\s+(?\d+)\s(?[\d\:]+)\s(?[\d\.]+)(?:\snginx\:\s)(?[\d\.]+)(?:\s\d+\s\S+\s\S+\s)\[(?\S+)\s(?\+\d{4})\]\s"(?\w+)\s(?.+)\s(?HTTP/\d\.\d)"\s(?\d{3})\s(?:\d+)\s"(?.[^"]*)"\s"(?.[^"]*)"\s(?[\d\.]+)\:(?\d+)(?:\s\d+\s\d+\s)(?\S+)\s(?\S+)\s(?\S+) ``` ### Event ``` Dec 24 01:23:45 192.168.0.2 nginx: 1.2.3.4 55763 - - [24/Dec/2021:01:23:45 +0000] "GET /page.html HTTP/2.0" 200 494 "https://www.example.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0" 192.168.1.2:8080 123 4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 abcdef . ``` ### Fields Field | Value | Regex | Explanation --- | --- | --- | --- month | Dec | `(?\w+)` | One or more alphanumeric day | 24 | `(?\d+)` | One or more digit time | 01:23:45 | `(?[\d\:]+)` | One or more digit or semicolon proxy_ip | 192.168.0.2 | `(?[\d\.]+)` | One or more digit or dot remote_ip | 1.2.3.4 | `(?[\d\.]+)` | time_local | 24/Dec/2021:01:23:45 | `(?\S+)` | One or more non-whitespace characters timezone | +0000 | `(?[\+\-]\d{4})` | Four digits with plus or minus prefix http_method | GET | `(?\w+)` | http_path | /page.html | `(?.+)` | One or more of any character http_version | HTTP/2.0 | `(?HTTP/\d\.\d)` | "HTTP", a digit, dot and digit http_status | 200 | `(?\d{3})` | Three digits request_url | https://www.example.com | `(?.[^"]*)` | Zero or more of any character except double quote http_user_agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | `(?.[^"]*)` | server_ip | 192.168.1.2 | `(?[\d\.]+)` | server_port | 8080 | `(?\d+)` | ssl_version | TLSv1.2 | `(?\S+)` | ssl_cipher | ECDHE-RSA-AES128-GCM-SHA256 | `(?\S+)` | http_cookie | abcdef | `(?\S+)` | nginx is configured as a reverse proxy, `proxy_ip` is its ip whereas `server_ip` is the upstream's. ## Proxy request ### Regex ``` (?\w+)\s+(?\d+)\s(?[\d\:]+)\s(?[\d\.]+)(?:\snginx\:\s)(?\d{4})\/(?\d{2})(?:\/\d{2}\s[\d\:]+\s)\[(?\w+)\](?:\s\d+#\d+\:\s\*\d+\sclient\s)(?[\d\.]+)\:(?\d+)(?:\sconnected\sto\s)(?[\d\.]+)\:(?\d+) ``` ### Event ``` Dec 24 01:23:45 192.168.0.2 nginx: 2021/12/24 01:23:45 [info] 1776#1776:*114333142 client 1.2.3.4:19802 connected to 192.168.1.2:8080 ``` ### Fields Field | Value | Regex | Explanation --- | --- | --- | --- month | Dec | `(?\w+)` | day | 24 | `(?\d+)` | time | 01:23:45 | `(?[\d\:]+)` | proxy_ip | 192.168.0.2 | `(?[\d\.]+)` | year | 2021 | `(?\d{4})` | nmonth | 12 | `(?\d{2})` | log_level | info | `(?\w+)` | remote_ip | 1.2.3.4 | `(?[\d\.]+)` | remote_port | 19802 | `(?\d+)` | server_ip | 192.168.1.2 | `(?[\d\.]+)` | server_port | 8080 | `(?\d+)` | ## Upstream error response ### Regex ``` (?\w+)\s+(?\d+)\s(?[\d\:]+)\s(?[\d\.]+)(?:\snginx\:\s)(?\d{4})\/(?\d{2})(?:\/\d{2}\s[\d\:]+\s)\[(?\w+)\](?:\s\d+#\d+\:\s\*\d+\s)(?.[^,]*)(?:,\sclient\:\s)(?[\d\.]+)(?:,\sserver\:\s)(?.[^,]*)(?:,\srequest\:\s")(?\w+)\s(?\S+)\s(?HTTP/\d\.\d)(?:",\supstream\:\s")(?.[^"]*)",\shost\:\s"(?.[^"]*) ``` ### Event ``` Dec 24 01:23:45 192.168.0.2 nginx: 2021/12/24 01:23:45 [error] 1776#1776:*71197740 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 1.2.3.4, server: example.com, request: "POST /api/path HTTP/2.0",upstream: "http://192.168.1.2:8080/api/path", host:"example.com" ``` ### Fields Field | Value | Regex | Explanation --- | --- | --- | --- month | Dec | `(?\w+)` | day | 24 | `(?\d+)` | time | 01:23:45 | `(?[\d\:]+)` | proxy_ip | 192.168.0.2 | `(?[\d\.]+)` | year | 2021 | `(?\d{4})` | nmonth | 12 | `(?\d{2})` | log_level | error | `(?\w+)` | upstream_error | upstream timed out (110: Connection timed out) while reading response header from upstream | `(?.[^,]*)` | Zero or more of any character except comma remote_ip | 1.2.3.4 | `(?[\d\.]+)` | server_host | example.com | `(?.[^,]*)` | http_method | POST | `(?\w+)` | http_path | /api/path | `(?\S+)` | http_version | HTTP/2.0 | `(?HTTP/\d\.\d)` | upstream_url | http://192.168.1.2:8080/api/path | `(?.[^"]*)` | upstream_host | example.com | `(?.[^"]*)` | ## Upstream epoll error ### Regex ``` (?\w+)\s+(?\d+)\s(?[\d\:]+)\s(?[\d\.]+)(?:\snginx\:\s)(?\d{4})\/(?\d{2})(?:\/\d{2}\s[\d\:]+\s)\[(?\w+)\](?:\s\d+#\d+\:\s\*\d+\s)(?[^,]*,[^,]*)(?:,\sclient\:\s)(?[\d\.]+)(?:,\sserver\:\s)(?.[^,]*)(?:,\srequest\:\s")(?\w+)\s(?\S+)\s(?HTTP/\d\.\d)(?:",\supstream\:\s")(?.[^"]*)(?:",\shost\:\s")(?.[^"]*) ``` ### Event ``` Dec 24 01:23:45 192.168.0.2 nginx: 2021/12/24 01:23:45 [info] 13199#13199: *81574833 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while connecting to upstream, client: 1.2.3.4, server: example.com, request: "GET /page.html HTTP/1.1", upstream:"http://192.168.1.2/page.html", host: "example.com" ``` ### Fields Field | Value | Regex | Explanation --- | --- | --- | --- month | Dec | `(?\w+)` | day | 24 | `(?\d+)` | time | 01:23:45 | `(?[\d\:]+)` | proxy_ip | 192.168.0.2 | `(?[\d\.]+)` | year | 2021 | `(?\d{4})` | nmonth | 12 | `(?\d{2})` | log_level | info | `(?\w+)` | upstream_error | epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while connecting to upstream | `(?.[^,]*)` | remote_ip | 1.2.3.4 | `(?[\d\.]+)` | server_host | example.com | `(?.[^,]*)` | http_method | GET | `(?\w+)` | http_path | /page.html | `(?\S+)` | http_version | HTTP/1.1 | `(?HTTP/\d\.\d)` | upstream_url | http://192.168.1.2/page.html | `(?.[^"]*)` | upstream_host | example.com | `(?.[^"]*)` | ## Upstream epoll error with referrer ### Regex ``` (?\w+)\s+(?\d+)\s(?[\d\:]+)\s(?[\d\.]+)(?:\snginx\:\s)(?\d{4})\/(?\d{2})(?:\/\d{2}\s[\d\:]+\s)\[(?\w+)\](?:\s\d+#\d+\:\s\*\d+\s)(?[^,]*,[^,]*)(?:,\sclient\:\s)(?[\d\.]+)(?:,\sserver\:\s)(?.[^,]*)(?:,\srequest\:\s")(?\w+)\s(?\S+)\s(?HTTP/\d\.\d)(?:",\supstream\:\s")(?.[^"]*)(?:",\shost\:\s")(?.[^"]*)(?:",\sreferrer\:\s")(?.[^"]*) ``` ### Event ``` Dec 24 01:23:45 192.168.0.2 nginx: 2021/12/24 01:23:45 [info] 1776#1776:*71220252 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while sending request to upstream, client: 1.2.3.4, server: example.com, request: "GET /page.html HTTP/1.1", upstream: "http://192.168.1.2:8080/page.html", host: "example.com", referrer: "https://example.com" ``` ### Fields Field | Value | Regex | Explanation --- | --- | --- | --- month | Dec | `(?\w+)` | day | 24 | `(?\d+)` | time | 01:23:45 | `(?[\d\:]+)` | proxy_ip | 192.168.0.2 | `(?[\d\.]+)` | year | 2021 | `(?\d{4})` | nmonth | 12 | `(?\d{2})` | log_level | info | `(?\w+)` | upstream_error | epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while sending request to upstream | `(?.[^,]*)` | remote_ip | 1.2.3.4 | `(?[\d\.]+)` | server_host | example.com | `(?.[^,]*)` | http_method | GET | `(?\w+)` | http_path | /page.html | `(?\S+)` | http_version | HTTP/1.1 | `(?HTTP/\d\.\d)` | upstream_url | http://192.168.1.2:8080/page.html | `(?.[^"]*)` | upstream_host | example.com | `(?.[^"]*)` | referrer | https://example.com | `(?.[^"]*)` |