Searching the Forum Sentry Access Log with Regular Expressions

Introduction

The Access Log in Forum Sentry is very useful for finding transactions quickly and then jumping to the details for that transaction in the System log (by clicking the Session ID link).

The Access log can be searched to find specific transactions. The browser "find" tools (F3 or ctrl-F) are also often used to find transactions by string match.

However, with certain use cases - for example web portal / browser-based flows - there may be many transactions for a particular scenario that are not important when testing or troubleshooting a specific configuration or issue. Yet these log entries fill the screen in the WebAdmin and make it difficult to quickly find the important transactions.

Take for example the loading of a web page through Sentry. There will usually be many transactions for things like JavaScript files, CSS files, and image files. 

In Figure 1 below you can see there are 5 transactions when a simple login form page is requested through Sentry, and 4 of these are .css files that the browser pulls to render the login.html page.

Figure 1. Access log showing 5 transactions for the loading of a single html page

This article discusses how to use regex in the Access log Search field to hide certain Access log entries.

The Access Log

Access logs capture a minimal amount of data for each transaction being processed. The data captured (columns in the log) from left to right are:

  • Time (date and timestamp)
  • Session ID
  • Client IP
  • TYPE (HTTP Method)
  • HTTP Code
  • URI
  • Length (size of the document)
  • Start Time
  • End Time
  • Total Time (ms)

The hyperlinked Session ID links to the same Session ID for this transaction in the System log.

Searching with Regex to Filter the Transactions Displayed

The Search field accepts normal string values as well as regex - whether you want to find or hide certain transactions.

Figure 2 below shows an Access log after a single login to a web portal. There are a total of 23 transactions, most of which are CSS, JS, and image transactions. None of these are important for troubleshooting the authentication and other important transactions in Sentry.

Figure 2: An unfiltered Access log showing an MFA login via Sentry and the subsequent rendering of a landing page - 23 items total

Adding the regex sample included below in the Search field will hide all Access log entries that contain the values:

  • js
  • css
  • jpg
  • woff
  • img

^((?!(js|css|jpg|woff|img)).)*$

As you can see in Figure 3 below, this regex filters out 18 of the 23 Access log entries, leaving just the 6 important transactions for this use case.

Figure 3. Access log filtered via regex - 6 items total
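
Because the regex above hides any entry that contains one of the values anywhere in the line, it can also hide entries you do want to see, such as a URI ending in .jsp or containing "json". The following is an added example, not part of the original article or of Forum Sentry: it runs the article's pattern and a tighter variant over sample entries. It assumes Python's re module behaves like the Search field for these patterns; the tighter pattern, the sample log lines and the function names are all constructed for illustration.

```python
import re

# Pattern from the article: an entry is shown only if none of the
# values occurs anywhere in the line.
ARTICLE_FILTER = re.compile(r"^((?!(js|css|jpg|woff|img)).)*$")

# Assumed tighter variant (not from the article): hide an entry only when the
# value is a file extension (".js" but not ".jsp") or an "/img/" path segment.
TIGHTER_FILTER = re.compile(r"^((?!(\.(js|css|jpg|woff)\b|/img/)).)*$")

# Constructed sample entries; the column layout is simplified and all
# values are invented for this example.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 a1b2c3 192.0.2.10 GET 200 /portal/login.html 2048 12",
    "2024-01-01 10:00:01 a1b2c4 192.0.2.10 GET 200 /portal/css/site.css 5120 4",
    "2024-01-01 10:00:02 a1b2c5 192.0.2.10 GET 200 /portal/app.js 9216 6",
    "2024-01-01 10:00:02 a1b2c6 192.0.2.10 GET 200 /portal/img/logo.jpg 30720 9",
    "2024-01-01 10:00:03 a1b2c7 192.0.2.10 POST 302 /portal/login.jsp 0 85",
    "2024-01-01 10:00:04 a1b2c8 192.0.2.10 POST 401 /api/jsonrpc/auth 310 40",
]


def visible(pattern, lines):
    """Return the entries that remain displayed when the pattern is applied."""
    return [line for line in lines if pattern.match(line)]


def hidden_only_by_article_filter(lines):
    """Entries the substring filter hides but the tighter filter still shows."""
    shown_tight = set(visible(TIGHTER_FILTER, lines))
    shown_article = set(visible(ARTICLE_FILTER, lines))
    return [l for l in lines if l in shown_tight and l not in shown_article]


if __name__ == "__main__":
    print("shown by article filter:", len(visible(ARTICLE_FILTER, SAMPLE_LOG)))
    print("shown by tighter filter:", len(visible(TIGHTER_FILTER, SAMPLE_LOG)))
    for line in hidden_only_by_article_filter(SAMPLE_LOG):
        print("hidden only by substring match:", line)
```

When a filtered view is missing a transaction you expect, clear the Search field and compare against the unfiltered log before concluding the request never arrived.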
