Nginx logs to Graylog

24 Sep 2021

So I have already setup a central log server running Graylog. It’s time to use it for something. My Nginx reverse proxy will be the first one to send logs to my Graylog server.

I got lots of information from the very old graylog content pack by petestore26 at Github. I could have downloaded the content pack and just installed, might still work. But I want to learn how to do it myself.

Nginx configuration

Add the following to the http { section in your nginx.conf

log_format graylog_json escape=json '{ "timestamp": "$time_iso8601", '
                     '"remote_addr": "$remote_addr", '
                     '"body_bytes_sent": $body_bytes_sent, '
                     '"request_time": $request_time, '
                     '"response_status": $status, '
                     '"request": "$request", '
                     '"request_method": "$request_method", '
                     '"host": "$host",'
                     '"upstream_cache_status": "$upstream_cache_status",'
                     '"upstream_addr": "$upstream_addr",'
                     '"http_x_forwarded_for": "$http_x_forwarded_for",'
                     '"http_referrer": "$http_referer", '
                     '"http_user_agent": "$http_user_agent" }';
    access_log syslog:server=srv-graylog:1515 graylog_json;
    error_log syslog:server=srv-graylog:1516;

change srv-graylog:1515 & srv-graylog:1516 to your server and port.

Graylog input

To receive the logging in Graylog we need to create an input

Select Syslog UDP and hit Launch new input
And then just create a second input like the one above, but with the other port, 1516, for the Nginx Error logs.

Docker compose update

If you have followed my Graylog docker setup guide you need to make sure the port 1515 & 1516 is forward to the Graylog container.

 # Graylog:
      # Extra input stream ports UDP
      - 1500-1599:1500-1599/udp

I just added the port range 1500-1599 to use for some other input streams if needed later.

Don’t forget to restart your Graylog container.

Receive messages

Now we should receive log messages, but the messages will be a single nginx prefix JSON string. This is not very useful for searching, we will need to split the message string into separate fields.

In the next part I will look into creating Message extractors to create search fields and Geo tag fields with IP addresses.