Nginx

LogZilla documentation for Nginx

NGINX Version

Requires NGINX v1.7.1+ (open source) or v1.5.3+ (commercial) for syslog logging.

Prerequisites

  • Confirm syslog listener ports in LogZilla (see Syslog Settings).
  • Ensure the NGINX host can reach LogZilla on the chosen syslog port.

Configure logging

  1. Verify that the include is present inside the http { } block in /etc/nginx/nginx.conf:

    include /etc/nginx/conf.d/*.conf;
    
  2. Create /etc/nginx/conf.d/logging.conf with a key=value log format and syslog destinations. Replace LOGZILLA_HOST with the server hostname/IP.

    # LogZilla custom log format (key=value pairs).
    # NGINX concatenates the adjacent quoted strings into one format string;
    # no line-continuation character is needed.
    # Cookie="$http_cookie" records the full Cookie request header, session
    # identifiers included.
    log_format logzilla
      'Site="$server_name" Server="$host" DstPort="$server_port" '
      'DstIP="$server_addr" Src="$remote_addr" SrcIP="$realip_remote_addr" '
      'User="$remote_user" Time_Local="$time_local" Protocol="$server_protocol" '
      'Status="$status" Bytes_Out="$bytes_sent" '
      'Bytes_In="$upstream_bytes_received" HTTP_Referrer="$http_referer" '
      'User_Agent="$http_user_agent" Nginx_Version="$nginx_version" '
      'HTTP_X_Forwarded_For="$http_x_forwarded_for" '
      'HTTP_X_Header="$http_x_header" URI_Query="$query_string" URI="$uri" '
      'HTTP_Method="$request_method" Response_Time="$upstream_response_time" '
      'Cookie="$http_cookie" Request_Time="$request_time" ';
    
    # Send logs to LogZilla (syslog over UDP)
    access_log syslog:server=LOGZILLA_HOST:514,facility=local0,severity=info,tag=nginx_access logzilla;
    error_log  syslog:server=LOGZILLA_HOST:514,facility=local0,severity=notice,tag=nginx_error notice;
    

NGINX writes in key=value pairs with the log_format above. LogZilla extracts these pairs automatically for tagging and rewrites (see Data Transformation). Alternatively, a JSON log_format can be used; LogZilla extracts fields from both key=value and JSON bodies.

Reload and verify

  1. Test and reload NGINX:

    sudo nginx -t
    sudo systemctl reload nginx
    
  2. In LogZilla, search for the configured tags/programs to confirm reception:

    • program:"nginx_access" or program:"nginx_error"
    • Specific key=value fields (for example, Status:"200")
  3. For packet‑level checks, use Syslog Troubleshooting. For encrypted or WAN paths, consider sending to a local relay and forwarding securely to LogZilla. See Syslog Relays.

Next, the nginx LogZilla rule must be installed. This rule is available from the LogZilla appstore. The rule is installed by going to Settings -> App store in the LogZilla UI.

Add the Nginx app to enable the rule.

Install Nginx appstore app

Your LogZilla server should now have entries similar to the following:

Site="localhost" Server="192.168.250.112" DstPort="80" DstIP="192.168.250.112" 
Src="192.168.250.2" SrcIP="192.168.250.2" User="-" 
Time_Local="17/Nov/2021:17:45:07 +0000" Protocol="HTTP/1.1" Status="304" 
Bytes_Out="189" Bytes_In="-" HTTP_Referrer="-" User_Agent="Mozilla/5.0 (X11; 
Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" Nginx_Version="1.18.0" 
HTTP_X_Forwarded_For="-" HTTP_X_Header="-" URI_Query="-" URI="/main.html" 
HTTP_Method="GET" Response_Time="-" Cookie="-" Request_Time="0.000" 
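
The key=value extraction described above, as an added example that is not LogZilla's own extraction code: it splits an entry produced by the page's log_format into fields and reverses nginx's default \xXX escaping, which keeps quote characters in client-supplied headers from ending a value early. The function names and the second sample line are constructed for illustration.

```python
import re

# Keys emitted by the page's log_format, used to spot truncated entries.
EXPECTED_KEYS = (
    "Site Server DstPort DstIP Src SrcIP User Time_Local Protocol Status "
    "Bytes_Out Bytes_In HTTP_Referrer User_Agent Nginx_Version "
    "HTTP_X_Forwarded_For HTTP_X_Header URI_Query URI HTTP_Method "
    "Response_Time Cookie Request_Time"
).split()

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
HEX_ESCAPE_RE = re.compile(rb"\\x([0-9A-Fa-f]{2})")


def decode_nginx_escapes(value):
    """Undo nginx's default log escaping ('"', '\\' and bytes outside
    0x20-0x7E are written as \\xXX)."""
    raw = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]),
                            value.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


def parse_entry(line):
    """Return {key: value}; nginx logs an empty variable as '-' (None here)."""
    return {k: None if v == "-" else decode_nginx_escapes(v)
            for k, v in PAIR_RE.findall(line)}


def missing_keys(fields):
    return [k for k in EXPECTED_KEYS if k not in fields]


# The sample entry from the page, joined onto one line.
PAGE_SAMPLE = (
    'Site="localhost" Server="192.168.250.112" DstPort="80" '
    'DstIP="192.168.250.112" Src="192.168.250.2" SrcIP="192.168.250.2" '
    'User="-" Time_Local="17/Nov/2021:17:45:07 +0000" Protocol="HTTP/1.1" '
    'Status="304" Bytes_Out="189" Bytes_In="-" HTTP_Referrer="-" '
    'User_Agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) '
    'Gecko/20100101 Firefox/94.0" Nginx_Version="1.18.0" '
    'HTTP_X_Forwarded_For="-" HTTP_X_Header="-" URI_Query="-" '
    'URI="/main.html" HTTP_Method="GET" Response_Time="-" Cookie="-" '
    'Request_Time="0.000" '
)
# Constructed entry: a client header carrying quote characters, as nginx logs it.
QUOTED_SAMPLE = r'Status="200" User_Agent="probe\x22 Status=\x22500" URI="/"'

if __name__ == "__main__":
    for fields in map(parse_entry, (PAGE_SAMPLE, QUOTED_SAMPLE)):
        print(fields["Status"], repr(fields["User_Agent"]), missing_keys(fields))
```

For the constructed entry, Status stays "200" because the escaped quotes never match the pair pattern, and missing_keys lists the fields the short line does not carry.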

If logs are not being sent or received, check the nginx log. For LogZilla-side troubleshooting steps, see Syslog Troubleshooting.

NGINX Dashboard Widgets

Widgets will now contain tags similar to:

Nginx tags
