Configure NGINX w/Remote Logging Server

Logging is awesome, but depending on your deployment, not always practical. Challenges often come in the amount of data being recorded, and what that does to the size of files being stored. This is further complicated by compliance retention policies. The implication of these challenges materialize in the need for servers with more disk space, and increased storage costs. To help offset this, a lot of production deployments choose to offload their logging to central platforms.

NGINX is no different. They are unique in that they have a direct integration with syslog which allows administrators to push their logs directly from NGINX to their remote logging server of choice.

Configuring a Remote Logging Server

Building on our last article, Guide to NGINX Logs we go back to our NGINX configuration file to update our configuration directives. In this instance, we will make use of a new prefix, syslog: and include them with the error_log and access_log directives.

Using Trunc as an example, here is what the configuration file would look like if we were pushing both error and access logs to the Trunc logging platform:

error_log syslog:server=[IP]:[PORT] debug;
access_log syslog:server=[IP]:[PORT],facility=local7,tag=nginx,severity=info;

Before Trunc knows what logs to collect, you must tell it where it is coming from. You do this via the Trunc dashboard, via Settings.

Trunc SysLog Configuration

Syslog Options in NGINX

Notice that each entry has a bit of a different configuration. Also, you have a couple of different options with the syslog prefix:

Parameter Description
server= can be a domain name, an IP address, or a UNIX-domain socket path
: This can be used to specify a port after the domain name / IP. Overriding the default 514 port. This also assumes UDP.
unix: A UNIX-domain socket path can be specified

The error log is a limited in passing the logging level, see more in our Guide to NGINX Logs. While the the access log offers a few other parameters that must be included to run:

Parameter Description
facility= specifies the type of program that is logging the message. The default value is local7. Other possible values are: auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0 ... local7.
tag= applies a custom tag to syslog messages (nginx in our example)
severity= parameter sets the severity level of syslog messages for access log. Possible values in order of increasing severity are: debug, info, notice, warn, error (default), crit, alert, and emerg. Messages are logged at the specified level and all more severe levels. In our example, the severity level error also enables crit, alert, and emerg levels to be logged.

Posted in   trunc   nginx     by trunc_team

Simple, affordable, log management and analysis.