graylog graylog3

Use a regex to keep the access logs with HTTP response 4** and 5**


I'm using Graylog to manage my server logs.

I would like to filter the Apache access logs to keep the logs with an HTTP response code 4** and 5**.

So I would like to use a regex:

If I search /HTTP/ I have the corresponding logs like:

[...] "HEAD /register HTTP/1.1" 301 460 "-" [...]

But if I search /HTTP\//, I have no message. I also tried with /HTTP\\// but same result.

I tried with the regex /HTTP(?:.*?)"\s[4|5](?:\d{2})/ but no message found.

How do I search for a simple pattern like HTTP/ with a regex in Graylog?

Thx


Solution

  • Why don't you use an extractor to map HTTP status codes to fields?

    Then you can easily filter and group your logs to find those with special codes.

    Please see the following links:

    Extractors

    How to use a JSON extractor
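The extractor approach suggested in the answer, sketched outside Graylog as an added example (not code from the answer or from Graylog): a regex pulls the status code out of an Apache access-log line into a numeric field, so the 4xx/5xx filter becomes a range check instead of a full-text regex. The field names (`request`, `http_status`, `bytes`) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Quoted request (Apache escapes embedded quotes as \"), then status and size.
# The request is not required to look like "METHOD path HTTP/x.y", so malformed
# requests that end in 400/408 are still captured.
ACCESS_RE = re.compile(
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<http_status>[1-5]\d{2}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (not taken from a real server).
SAMPLE_LINES = [
    r'192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "HEAD /register HTTP/1.1" 301 460 "-" "curl/7.64"',
    r'192.0.2.11 - - [01/Jan/2020:10:00:01 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    r'192.0.2.12 - - [01/Jan/2020:10:00:02 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    r'192.0.2.13 - - [01/Jan/2020:10:00:03 +0000] "POST /api/login HTTP/1.1" 500 0 "-" "python-requests/2.22"',
    r'192.0.2.14 - - [01/Jan/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    r'192.0.2.15 - - [01/Jan/2020:10:00:05 +0000] "-" 408 0 "-" "-"',
    r'192.0.2.16 - - [01/Jan/2020:10:00:06 +0000] "\x16\x03\x01" 400 226 "-" "-"',
    'not an access log line',
]

def extract_fields(line):
    """Return the extracted fields as a dict, or None if the line does not match."""
    m = ACCESS_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["http_status"] = int(fields["http_status"])  # numeric, so ranges work
    return fields

def error_responses(lines):
    """Keep only records whose status is a client (4xx) or server (5xx) error."""
    parsed = (extract_fields(line) for line in lines)
    return [f for f in parsed if f is not None and 400 <= f["http_status"] <= 599]

def count_by_status(records):
    return Counter(r["http_status"] for r in records)

if __name__ == "__main__":
    errors = error_responses(SAMPLE_LINES)
    for rec in errors:
        print(rec["http_status"], rec["request"])
    print(dict(count_by_status(errors)))
```

Once the status is stored as a numeric field in Graylog, the same filter is a range query on that field, for example `http_status:[400 TO 599]` with the hypothetical field name used here.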