Nginx

LogZilla App Store application: Nginx

Linux nginx

Rule Function

NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. This rule adds user tags for a number of fields from the Nginx access log (see the User Tags section below).

Vendor Documentation

Incoming Log Format

The default Nginx log format is space-separated values. In order to use this rule with Nginx, the log format must be customized as detailed in the Configuration section below.

When configured properly, each log line is a set of space-separated Key="value" pairs. See the Log Examples section at the bottom of this page.

Configuration

Nginx must be configured with both the correct log format and the correct log destination. Verify that the line include /etc/nginx/conf.d/*.conf; is present in the http { } section of /etc/nginx/nginx.conf, and add it if it is not already there.

Then put the following in the file /etc/nginx/conf.d/logging.conf.

# LogZilla Custom Log Format
# Requires Nginx >= v1.7.1

log_format logzilla 'Site="$server_name" Server="$host" DstPort="$server_port" '
               'DstIP="$server_addr" Src="$remote_addr" SrcIP="$realip_remote_addr" '
               'User="$remote_user" Time_Local="$time_local" Protocol="$server_protocol" '
               'Status="$status" Bytes_Out="$bytes_sent" '
               'Bytes_In="$upstream_bytes_received" HTTP_Referer="$http_referer" '
               'User_Agent="$http_user_agent" Nginx_Version="$nginx_version" '
               'HTTP_X_Forwarded_For="$http_x_forwarded_for" '
               'HTTP_X_Header="$http_x_header" URI_Query="$query_string" URI="$uri" '
               'HTTP_Method="$request_method" Response_Time="$upstream_response_time" '
               'Cookie="$http_cookie" Request_Time="$request_time" ';

# Send logs to LogZilla Server
access_log syslog:server=logzilla.abcd.com:514,tag=nginx_access logzilla;
error_log syslog:server=logzilla.abcd.com:514,tag=nginx_error notice;

After this configuration change has been made, restart Nginx using service nginx restart and verify that LogZilla is receiving the logs.

User Tags

User tag names (for those fields applicable) are the same as the field names defined in the configuration above. Note that underscores (_) in the field names are converted to spaces ( ) in the user tag name.

Tagged Field Name     Example                      Description
--------------------  ---------------------------  --------------------------------------------------------
Site                  logs.logzilla
Server                logs.logzilla
DstPort               443                          the destination port for the request
DstIP                 18.68.11.35
Src                   16.56.15.199                 the source of the request (appears to be same as src_ip)
SrcIP                 16.56.15.199                 the source ip of the request
User                  johnd                        the username (if available) making the request
Time_Local            03/Jan/2018:14:07:58 -0500   the date & time of the request
Protocol              HTTP/1.1                     the transport protocol being used for the request
Status                200                          the http status code returned from the request
Bytes_Out             3995                         the number of bytes sent for the request
Bytes_In              -                            the number of bytes received for the request
HTTP_Referer          -                            the URI that referred the user here
User_Agent            Mozilla/5.0                  the user agent being used for the request
Nginx_Version         1.12.2                       nginx version number
HTTP_X_Forwarded_For  -                            the IP address of the originating ip
HTTP_X_Header         -                            unknown
URI_Query             -                            unknown
URI                   /index.html                  URI of the request
HTTP_Method           GET                          HTTP operation being performed
Response_Time         -                            time taken for the response to be sent
Cookie                -                            any cookies provided by the client to this page
Request_Time          0.000                        time taken for request to be received

HC Tags

HC_TAGS={
    "SrcIP",
    "DstIP",
    "URI",
}
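As an added example (not part of the LogZilla page or product), a small Python parser for the Key="value" format described above: it splits the pairs (quoted values such as User_Agent contain spaces), treats nginx's "-" as an absent value, converts field names to user tag names by turning underscores into spaces, and pulls out the HC_TAGS fields. The sample line is the 404 example from the bottom of this page; the function names are my own.

```python
import re

# One Key="value" pair. Values may contain spaces (User_Agent, Time_Local), so
# everything up to the closing double quote is the value. Nginx's default log
# escaping rewrites a literal '"' inside a variable as \x22, so values never
# contain an unescaped quote and the split is unambiguous.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')

# The HC (high-cardinality) tag set from this page.
HC_TAGS = {"SrcIP", "DstIP", "URI"}


def _unescape(value):
    """Undo nginx's \\xHH escaping of quotes, backslashes and control bytes."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_logzilla_nginx(line):
    """Parse one line in the 'logzilla' log_format into a dict. Nginx emits
    "-" for a variable with no value; those become None."""
    fields = {}
    for key, raw in PAIR_RE.findall(line):
        value = _unescape(raw)
        fields[key] = None if value == "-" else value
    return fields


def user_tags(fields):
    """Field name -> user tag name: underscores become spaces; fields
    without a value produce no tag."""
    return {k.replace("_", " "): v for k, v in fields.items() if v is not None}


def hc_tags(fields):
    """Only the high-cardinality fields listed in HC_TAGS."""
    return {k: fields[k] for k in sorted(HC_TAGS) if fields.get(k) is not None}


# The 404 example line from this page, joined onto one line as nginx emits it.
SAMPLE_404 = (
    'Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" '
    'Src="192.168.250.2" SrcIP="192.168.250.2" User="-" '
    'Time_Local="17/Nov/2021:17:46:21 +0000" Protocol="HTTP/1.1" Status="404" '
    'Bytes_Out="326" Bytes_In="-" HTTP_Referer="-" User_Agent="Mozilla/5.0 (X11; '
    'Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" Nginx_Version="1.18.0" '
    'HTTP_X_Forwarded_For="-" HTTP_X_Header="-" URI_Query="-" URI="/nothere.html" '
    'HTTP_Method="GET" Response_Time="-" Cookie="-" Request_Time="0.000" '
)
```

Note that HTTP_X_Forwarded_For is copied from a client-supplied header, so only SrcIP (from $realip_remote_addr) and Src should be relied on as the connection's source.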

Log Examples

Typical page GET request (200)

Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" 
Src="192.168.250.2" SrcIP="192.168.250.2" User="-" 
Time_Local="17/Nov/2021:17:45:07 +0000" Protocol="HTTP/1.1" Status="304" 
Bytes_Out="189" Bytes_In="-" HTTP_Referer="-" User_Agent="Mozilla/5.0 (X11; 
Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" Nginx_Version="1.18.0" 
HTTP_X_Forwarded_For="-" HTTP_X_Header="-" URI_Query="-" URI="/main.html" 
HTTP_Method="GET" Response_Time="-" Cookie="-" Request_Time="0.000" 

Page POST request (200)

Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" 
Src="192.168.250.2" SrcIP="192.168.250.2" User="-" 
Time_Local="17/Nov/2021:17:46:13 +0000" Protocol="HTTP/1.1" Status="200" 
Bytes_Out="331" Bytes_In="-" HTTP_Referer="http://192.168.250.112/poster.html" 
User_Agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 
Firefox/94.0" Nginx_Version="1.18.0" HTTP_X_Forwarded_For="-" HTTP_X_Header="-" 
URI_Query="" URI="/posted.html" HTTP_Method="GET" Response_Time="-" Cookie="-" 
Request_Time="0.000" 

Page not found (404)

Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" 
Src="192.168.250.2" SrcIP="192.168.250.2" User="-" 
Time_Local="17/Nov/2021:17:46:21 +0000" Protocol="HTTP/1.1" Status="404" 
Bytes_Out="326" Bytes_In="-" HTTP_Referer="-" User_Agent="Mozilla/5.0 (X11; 
Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" Nginx_Version="1.18.0" 
HTTP_X_Forwarded_For="-" HTTP_X_Header="-" URI_Query="-" URI="/nothere.html" 
HTTP_Method="GET" Response_Time="-" Cookie="-" Request_Time="0.000" 