Configure NGINX with Remote Logging Server

Configure NGINX w/Remote Logging Server

Logging is awesome, but depending on your deployment, not always practical. Challenges often come in the amount of data being recorded, and what that does to the size of files being stored. This is further complicated by compliance retention policies. The implication of these challenges materialize in the need for servers with more disk space, and increased storage costs. To help offset this, a lot of production deployments choose to offload their logging to central platforms.

NGINX is no different. They are unique in that they have a direct integration with syslog which allows administrators to push their logs directly from NGINX to their remote logging server of choice.

Configuring a Remote Logging Server

Building on our last article, Guide to NGINX Logs we go back to our NGINX configuration file to update our configuration directives. In this instance, we will make use of a new prefix, syslog: and include them with the error_log and access_log directives.

Using Trunc as an example, here is what the configuration file would look like if we were pushing both error and access logs to the Trunc logging platform:


						error_log syslog:server=[IP]:[PORT] debug;

						access_log syslog:server=[IP]:[PORT],facility=local7,tag=nginx,severity=info;

Before Trunc knows what logs to collect, you must tell it where it is coming from. You do this via the Trunc dashboard, via Settings.

Syslog Options in NGINX

Notice that each entry has a bit of a different configuration. Also, you have a couple of different options with the syslog prefix:

Parameter	Description
server=	can be a domain name, an IP address, or a UNIX-domain socket path
:	This can be used to specify a port after the domain name / IP. Overriding the default 514 port. This also assumes UDP.
unix:	A UNIX-domain socket path can be specified

The error log is a limited in passing the logging level, see more in our Guide to NGINX Logs. While the the access log offers a few other parameters that must be included to run:

Parameter	Description
facility=	specifies the type of program that is logging the message. The default value is local7. Other possible values are: auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0 ... local7.
tag=	applies a custom tag to syslog messages (nginx in our example)
severity=	parameter sets the severity level of syslog messages for access log. Possible values in order of increasing severity are: debug, info, notice, warn, error (default), crit, alert, and emerg. Messages are logged at the specified level and all more severe levels. In our example, the severity level error also enables crit, alert, and emerg levels to be logged.

Posted in trunc nginx by trunc_team

Logging Guides

We love logs. In this section we will share some articles from our team to help you get better at logging.

Trunc Logging

Logging for fun and a good night of sleep.

* Real time search
* Google simple
* Cheap
* Just works
* PCI compliance

Latest articles

Latest articles from our learning center.

2023-01-25
5 Reasons to Monitor Web Server Logs

2023-01-25
Logging basics: What is syslog

2022-10-27
Log Managment and Security

2022-10-13
Vulnerability Scanner Logs: Zed Attack Proxy - ZAP

2022-10-13
Trunc - What Events to Log to your central logging server

2022-10-13
Detecting Web Attacks via 404 Errors in Your Logs

Contact us!

Do you have an idea for an article that is not here? See something wrong? Contact us at support@noc.org

Tired of price gouging

Clear pricing. No need to guess. Real people. Real logging.