Nginx sending json formatted logs over syslog

I’ve been playing with Nginx since it’s what I’ll be using going forward. One big advantage the newer versions of Nginx have over Apache is that they can natively send logs somewhere else using the syslog protocol. Here is how to do this; I also format the log as JSON for easier parsing by LogStash.

This goes into the http{} block:

First, let’s create a JSON log format:

# escape=json (nginx 1.11.8+) escapes quotes and control characters in
# logged values, so each line stays valid JSON
log_format syslog_json escape=json '{"time": "$time_iso8601", '
'"remote_addr": "$remote_addr", '
'"remote_user": "$remote_user", '
'"body_bytes_sent": "$body_bytes_sent", '
'"request_time": "$request_time", '
'"status": "$status", '
'"request": "$request", '
'"request_method": "$request_method", '
'"http_referrer": "$http_referer", '
'"http_user_agent": "$http_user_agent", '
'"upstream_response_time": "$upstream_response_time"}';

OK, now let’s send that over to LogStash:

error_log syslog:server=127.0.0.1:5000 debug;
access_log syslog:server=127.0.0.1:5000,facility=local7,tag=nginx,severity=info syslog_json;

 

Make sure that LogStash is listening on UDP 5000. Currently, LogStash is just processing them like ‘syslog’ but I will adjust that later.
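What arrives on UDP 5000 from the access_log line above is a syslog header followed by the JSON body. The following is an added example, not code from the original post: it splits that header (facility=local7 and severity=info encode to priority 190), decodes the body, and shows what happens when a logged value contains unescaped double quotes, which nginx's escape=json parameter to log_format prevents. The function name parse_nginx_syslog, the hostname web01 and the sample datagrams are constructed for illustration.

```python
import json
import re

# nginx frames each message RFC 3164-style: <PRI>timestamp hostname tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$",
    re.DOTALL,
)

def parse_nginx_syslog(datagram: bytes) -> dict:
    """Split one UDP datagram into syslog header fields and the JSON body."""
    line = datagram.decode("utf-8", errors="replace").rstrip("\n")
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])
    event = {
        "facility": pri >> 3,   # 23 = local7
        "severity": pri & 7,    # 6 = info
        "host": m["host"],
        "tag": m["tag"],
    }
    try:
        event["fields"] = json.loads(m["msg"])
    except json.JSONDecodeError:
        # Keep the raw text and flag it instead of dropping the line.
        event.update(fields=None, raw=m["msg"], parse_error=True)
    return event

# Constructed sample datagrams (hostname and values are made up).
HEADER = b"<190>Mar  4 10:15:02 web01 nginx: "
GOOD = HEADER + b'{"remote_addr": "192.0.2.10", "status": "200", "http_user_agent": "curl/8.0"}'
# A User-Agent containing double quotes, written without escaping ...
UNESCAPED = HEADER + b'{"status": "200", "http_user_agent": "a "quoted" agent"}'
# ... and the same value with the quotes backslash-escaped.
ESCAPED = HEADER + b'{"status": "200", "http_user_agent": "a \\"quoted\\" agent"}'

if __name__ == "__main__":
    for sample in (GOOD, UNESCAPED, ESCAPED):
        print(parse_nginx_syslog(sample))
```

Lines flagged with parse_error are worth alerting on, since they mean a client-controlled value reached the log without escaping.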
