Nginx
Integration Details |
|
Ingester |
|
Kit |
Nginx Configuration
Nginx's default combined format is space-delimited. To better set up for Gravwell ingestion, we recommend replacing it with a log_format directive that produces one JSON object per request, then applying that format to each vhost.
In /etc/nginx/nginx.conf (inside the http {} block):
log_format json_access escape=json
    '{'
        '"time":"$time_iso8601",'
        '"remote_addr":"$remote_addr",'
        '"method":"$request_method",'
        '"uri":"$uri",'
        '"status":$status,'
        '"bytes_sent":$bytes_sent,'
        '"request_time":$request_time,'
        '"upstream":"$upstream_addr",'
        '"user_agent":"$http_user_agent",'
        '"referer":"$http_referer"'
    '}';
Then in each vhost (or the default server block):
access_log /var/log/nginx/access.log json_access;
error_log /var/log/nginx/error.log warn;
Key Parameters
The escape=json parameter is critical. Without it, special characters inside User Agents or URIs will break JSON parsing downstream.
The upstream field is empty for directly served content and populated for proxied requests, which lets you distinguish traffic at query time.
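To see why escape=json matters, the following added example (not part of the original page, nor nginx or Gravwell code) approximates nginx's two log escaping modes in Python and renders one constructed request through the json_access fields. The helper names and the sample request are assumptions made for illustration.

```python
import json

STRING_FIELDS = ("time", "remote_addr", "method", "uri", "upstream", "user_agent", "referer")

def escape_default(value):
    # Approximation of nginx's default escaping: the double quote, the
    # backslash and bytes below 32 or above 126 are written as \xXX.
    return "".join("\\x%02X" % b if b in (0x22, 0x5C) or b < 32 or b > 126 else chr(b)
                   for b in value.encode("utf-8"))

def escape_json(value):
    # Approximation of escape=json: only characters that JSON forbids
    # inside a string are escaped, using JSON's own escape sequences.
    short = {'"': '\\"', "\\": "\\\\", "\n": "\\n", "\r": "\\r",
             "\t": "\\t", "\b": "\\b", "\f": "\\f"}
    return "".join(short.get(c, "\\u%04X" % ord(c) if ord(c) < 32 else c) for c in value)

def render(req, escape):
    # Same keys as the json_access template; numeric fields are emitted unquoted.
    strings = ",".join('"%s":"%s"' % (k, escape(req[k])) for k in STRING_FIELDS)
    return '{%s,"status":%d,"bytes_sent":%d,"request_time":%.3f}' % (
        strings, req["status"], req["bytes_sent"], req["request_time"])

def parse_event(line):
    # Returns the decoded event, or None when the line is not valid JSON.
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

def is_proxied(event):
    # An empty "upstream" means nginx served the content directly.
    return bool(event["upstream"])

# Constructed sample request: the User-Agent carries a quote and a backslash.
SAMPLE = {
    "time": "2024-01-01T00:00:00+00:00", "remote_addr": "192.0.2.10",
    "method": "GET", "uri": "/index.html", "upstream": "",
    "user_agent": 'Example "Bot"/1.0 \\ test', "referer": "",
    "status": 200, "bytes_sent": 612, "request_time": 0.004,
}

if __name__ == "__main__":
    for name, esc in (("default", escape_default), ("json", escape_json)):
        line = render(SAMPLE, esc)
        print(name, "->", "parses" if parse_event(line) else "BROKEN", line)
```

With default escaping the quote is written as \x22, which is not a valid JSON escape, so the whole event fails to parse; with escape=json the same request round-trips intact.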
Proxy Configuration
If nginx is acting as a reverse proxy, add these to the proxy location block so the backend sees the real client IP:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Gravwell Configuration
Gravwell Storage Well Configuration
Set up the well configuration in your Gravwell indexers.
Sample well config:
Create or edit: /opt/gravwell/etc/gravwell.conf.d/nginx-well.conf
[Storage-Well "nginx"]
Location=/opt/gravwell/storage/nginx
Tags=nginx*
Gravwell Ingester Configuration: File Follower
Sample Nginx config:
Create or edit: /opt/gravwell/etc/file_follow.conf.d/nginx.conf
[Follower "nginx-access"]
Base-Directory = /var/log/nginx
File-Filter = access.log
Tag-Name = nginx
Assume-Local-Timezone = false
Ignore-Timestamps = false
[Follower "nginx-error"]
Base-Directory = /var/log/nginx
File-Filter = error.log
Tag-Name = nginx-err
Note
Remember to restart the service to apply the new config:
sudo systemctl restart gravwell_file_follow.service