Linux nginx
Rule Function
NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. This rule adds user tags for several of the logged fields (see the User Tags section below).
Vendor Documentation
- Configuring Logging
- Module ngx_http_log_module
- Logging to syslog
- Nginx - Everything you want to know about the Nginx logs in 10 minutes
Incoming Log Format
The default Nginx log format is space-separated values. To use this rule with Nginx, the log format must be customized as detailed in the Configuration section below.
When configured properly, each log line is a sequence of space-separated key-value pairs with double-quoted values. See the Log Examples section at the bottom of this page.
Configuration
Nginx must be configured with both the correct log format and the correct log destination. Verify that `include /etc/nginx/conf.d/*.conf;` is present in the `http { ... }` section of `/etc/nginx/nginx.conf`, and add it if it is not already there.
Then put the following in the file `/etc/nginx/conf.d/logging.conf`:
```nginx
# LogZilla Custom Log Format
# Requires Nginx >= v1.7.1
# Note: $realip_remote_addr is provided by ngx_http_realip_module, and
# $upstream_bytes_received exists since nginx 1.11.4; both log "-" when unavailable.
log_format logzilla 'Site="$server_name" Server="$host" DstPort="$server_port" '
    'DstIP="$server_addr" Src="$remote_addr" SrcIP="$realip_remote_addr" '
    'User="$remote_user" Time_Local="$time_local" Protocol="$server_protocol" '
    'Status="$status" Bytes_Out="$bytes_sent" '
    'Bytes_In="$upstream_bytes_received" HTTP_Referer="$http_referer" '
    'User_Agent="$http_user_agent" Nginx_Version="$nginx_version" '
    'HTTP_X_Forwarded_For="$http_x_forwarded_for" '
    'HTTP_X_Header="$http_x_header" URI_Query="$query_string" URI="$uri" '
    'HTTP_Method="$request_method" Response_Time="$upstream_response_time" '
    'Cookie="$http_cookie" Request_Time="$request_time" ';

# Send logs to LogZilla Server (access log uses the "logzilla" format defined above;
# the error log keeps nginx's own format at "notice" level and above)
access_log syslog:server=logzilla.abcd.com:514,tag=nginx_access logzilla;
error_log  syslog:server=logzilla.abcd.com:514,tag=nginx_error notice;
```
After this configuration change has been made, restart Nginx with `service nginx restart` and verify that logs are being received.
User Tags
User tag names (for the fields that are tagged) are the same as the field names defined in the configuration above, except that underscores (`_`) in a field name are converted to spaces in the user tag name (for example, `User_Agent` becomes the user tag `User Agent`).
| Tagged | Field Name | Example | Description |
|---|---|---|---|
| ☑ | Site | logs.logzilla | the site name (`$server_name`) |
| ☑ | Server | logs.logzilla | the requested host (`$host`) |
|  | DstPort | 443 | the destination port for the request |
| ☑ | DstIP | 18.68.11.35 | the destination IP address (`$server_addr`) |
|  | Src | 16.56.15.199 | the source of the request (appears to be the same as SrcIP) |
| ☑ | SrcIP | 16.56.15.199 | the source IP of the request |
|  | User | johnd | the username (if available) making the request |
|  | Time_Local | 03/Jan/2018:14:07:58 -0500 | the date and time of the request |
|  | Protocol | HTTP/1.1 | the protocol being used for the request |
| ☑ | Status | 200 | the HTTP status code returned for the request |
|  | Bytes_Out | 3995 | the number of bytes sent for the request |
|  | Bytes_In | - | the number of bytes received for the request |
|  | HTTP_Referer | - | the URI that referred the user here |
| ☑ | User_Agent | Mozilla/5.0 | the user agent being used for the request |
|  | Nginx_Version | 1.12.2 | nginx version number |
|  | HTTP_X_Forwarded_For | - | the IP address of the originating client, as given in the X-Forwarded-For header |
|  | HTTP_X_Header | - | the value of the client's X-Header request header (`$http_x_header`), if sent |
|  | URI_Query | - | the query string of the request (`$query_string`) |
| ☑ | URI | /index.html | URI of the request |
|  | HTTP_Method | GET | HTTP operation being performed |
|  | Response_Time | - | time taken for the response to be sent |
|  | Cookie | - | any cookies provided by the client to this page |
|  | Request_Time | 0.000 | time taken for the request to be received |
HC Tags
Log Examples
Typical page GET request (200)
```
Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" Src="192.168.250.2" SrcIP="192.168.250.2" User="-" Time_Local="17/Nov/2021:17:45:07 +0000" Protocol="HTTP/1.1" Status="304" Bytes_Out="189" Bytes_In="-" HTTP_Referer="-" User_Agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" Nginx_Version="1.18.0" HTTP_X_Forwarded_For="-" HTTP_X_Header="-" URI_Query="-" URI="/main.html" HTTP_Method="GET" Response_Time="-" Cookie="-" Request_Time="0.000"
```
Page POST request (200)
```
Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" Src="192.168.250.2" SrcIP="192.168.250.2" User="-" Time_Local="17/Nov/2021:17:46:13 +0000" Protocol="HTTP/1.1" Status="200" Bytes_Out="331" Bytes_In="-" HTTP_Referer="http://192.168.250.112/poster.html" User_Agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" Nginx_Version="1.18.0" HTTP_X_Forwarded_For="-" HTTP_X_Header="-" URI_Query="" URI="/posted.html" HTTP_Method="GET" Response_Time="-" Cookie="-" Request_Time="0.000"
```
Page not found (404)
```
Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" Src="192.168.250.2" SrcIP="192.168.250.2" User="-" Time_Local="17/Nov/2021:17:46:21 +0000" Protocol="HTTP/1.1" Status="404" Bytes_Out="326" Bytes_In="-" HTTP_Referer="-" User_Agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" Nginx_Version="1.18.0" HTTP_X_Forwarded_For="-" HTTP_X_Header="-" URI_Query="-" URI="/nothere.html" HTTP_Method="GET" Response_Time="-" Cookie="-" Request_Time="0.000"
```
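To show how a consumer sees the key-value format above, here is an added Python example (not part of this rule or of LogZilla's own code) that parses such lines, checks that all 23 fields produced by the `logging.conf` above are present (a quick way to verify the custom format is actually in effect rather than the default one), and derives the user tag names (underscore to space) for the tagged fields. The sample lines are constructed from the page's 404 example; the `\x22` sequence is how nginx's default `log_format` escaping writes a double quote found in a client-supplied value such as the User-Agent.

```python
import re

# The 23 fields emitted by the "logzilla" log_format on this page, in order.
LOGZILLA_FIELDS = (
    "Site", "Server", "DstPort", "DstIP", "Src", "SrcIP", "User", "Time_Local",
    "Protocol", "Status", "Bytes_Out", "Bytes_In", "HTTP_Referer", "User_Agent",
    "Nginx_Version", "HTTP_X_Forwarded_For", "HTTP_X_Header", "URI_Query", "URI",
    "HTTP_Method", "Response_Time", "Cookie", "Request_Time",
)
# Fields the rule promotes to user tags (the checked rows of the table above).
TAGGED_FIELDS = ("Site", "Server", "DstIP", "SrcIP", "Status", "User_Agent", "URI")

_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")

def unescape(value):
    """Undo nginx's default log_format escaping: '"', '\\' and control bytes in a
    variable are written as \\xHH, so a client-supplied quote cannot end a value early."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)

def parse_logzilla_line(line):
    """Map Key -> value for one access log line in the logzilla format."""
    return {key: unescape(val) for key, val in _PAIR_RE.findall(line)}

def missing_fields(record):
    """Fields the log_format should have produced but the line lacks; a non-empty
    result means the logging.conf from this page is not the format actually in use."""
    return [f for f in LOGZILLA_FIELDS if f not in record]

def user_tags(record):
    """User tag name -> value for the tagged fields; underscores become spaces."""
    return {f.replace("_", " "): record[f] for f in TAGGED_FIELDS if f in record}

# Constructed samples: the page's 404 example, a line whose User-Agent carries an
# escaped quote (\x22) as nginx writes it, and a line still in nginx's default format.
SAMPLE_LINES = [
    'Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" '
    'Src="192.168.250.2" SrcIP="192.168.250.2" User="-" Time_Local="17/Nov/2021:17:46:21 '
    '+0000" Protocol="HTTP/1.1" Status="404" Bytes_Out="326" Bytes_In="-" HTTP_Referer="-" '
    'User_Agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 '
    'Firefox/94.0" Nginx_Version="1.18.0" HTTP_X_Forwarded_For="-" HTTP_X_Header="-" '
    'URI_Query="-" URI="/nothere.html" HTTP_Method="GET" Response_Time="-" Cookie="-" '
    'Request_Time="0.000"',
    'Site="localhost" Status="200" User_Agent="probe \\x22quoted\\x22 agent" URI="/"',
    '192.168.250.2 - - [17/Nov/2021:17:46:21 +0000] "GET / HTTP/1.1" 200 12 "-" "curl/7.81"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_logzilla_line(line)
        print(user_tags(rec), "missing:", missing_fields(rec))
```

The third sample line parses to nothing and reports every field missing, which is exactly what an unconverted default-format access log looks like after the restart step above.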