Splunk® Supported Add-ons

Splunk Add-on for NGINX


Configure NGINX logging and monitoring

Set up NGINX logging and monitoring so that the Splunk Add-on for NGINX can collect data from the NGINX server, including the access log, the error log, and performance metrics.

Configure NGINX access log

NGINX writes information about client requests in the access log right after the request is processed. By default, the access log is located at /var/log/nginx/access.log, and the information is written to the log in the predefined combined format. You can override the default settings and change the format of logged messages by editing the NGINX configuration file (/etc/nginx/nginx.conf by default).
The Splunk Add-on for NGINX can ingest the NGINX access log in both the predefined combined format and the custom key-value pair format. Splunk recommends using the custom key-value pair format, which contains more verbose information and is easier to parse.

Default NGINX access log

For information about setting up the default NGINX access log, refer to the NGINX documentation:
https://www.nginx.com/resources/admin-guide/logging-and-monitoring/#access_log .

Custom NGINX access log

Edit the NGINX configuration file (/etc/nginx/nginx.conf by default) and use the log_format directive to define the format of logged messages based on your requirements.

Here is an example:

log_format main 'site="$server_name" server="$host" dest_port="$server_port" dest_ip="$server_addr" '
                   'src="$remote_addr" src_ip="$realip_remote_addr" user="$remote_user" '
                   'time_local="$time_local" protocol="$server_protocol" status="$status" '
                   'bytes_out="$body_bytes_sent" bytes_in="$upstream_response_length" '
                   'http_referer="$http_referer" http_user_agent="$http_user_agent" '
                   'nginx_version="$nginx_version" http_x_forwarded_for="$http_x_forwarded_for" '
                   'http_x_header="$http_x_header" uri_query="$query_string" uri_path="$uri" '
                   'http_method="$request_method" response_time="$upstream_response_time" '
                   'cookie="$http_cookie" request_time="$request_time" ';

If you use NGINX Plus R11 (1.11.5) and later versions, use the following format:

log_format main 'site="$server_name" server="$host" dest_port="$server_port" dest_ip="$server_addr" '
                   'src="$remote_addr" src_ip="$realip_remote_addr" user="$remote_user" '
                   'time_local="$time_local" protocol="$server_protocol" status="$status" '
                   'bytes_out="$bytes_sent" bytes_in="$upstream_bytes_received" '
                   'http_referer="$http_referer" http_user_agent="$http_user_agent" '
                   'nginx_version="$nginx_version" http_x_forwarded_for="$http_x_forwarded_for" '
                   'http_x_header="$http_x_header" uri_query="$query_string" uri_path="$uri" '
                   'http_method="$request_method" response_time="$upstream_response_time" '
                   'cookie="$http_cookie" request_time="$request_time" ';

See http://nginx.org/en/docs/varindex.html for the full list of variables that can be captured in the log.

For more information about configuring the ngx_http_log_module module, refer to http://nginx.org/en/docs/http/ngx_http_log_module.html.
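
The following Python sketch is an added example, not part of the Splunk add-on or the NGINX documentation. It parses one line in the key-value format above and reverses NGINX's default log escaping, in which `"`, `\`, and bytes below 32 or above 126 are written as `\xXX`, so a quote sent by a client cannot close a field early. It assumes the log_format has no escape parameter (default escaping); the names parse_line, unescape, and SAMPLE belong to this example only.

```python
import re

# One key="value" pair. With nginx's default log escaping a raw '"' never
# appears inside a value, so [^"]* cannot run past the field boundary.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
HEX_RE = re.compile(rb'\\x([0-9A-Fa-f]{2})')


def unescape(value):
    """Undo nginx default escaping (\\xXX) and decode the bytes as UTF-8."""
    raw = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]),
                     value.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


def parse_line(line):
    """Return the fields of one key-value access-log line as a dict.

    nginx logs "-" for an empty variable; that is mapped to None here.
    """
    fields = {}
    for key, value in PAIR_RE.findall(line):
        fields[key] = None if value == "-" else unescape(value)
    return fields


# Constructed sample line (not real traffic), shortened to a few of the
# fields from the log_format above. The client sent a User-Agent containing
# '" status="200' to try to overwrite the status field; nginx wrote the
# quotes as \x22, so the forged pair stays inside http_user_agent.
SAMPLE = (
    'site="example.test" server="example.test" dest_port="443" '
    'src="203.0.113.7" user="-" status="404" '
    'http_user_agent="curl/8.0\\x22 status=\\x22200" '
    'uri_path="/caf\\xC3\\xA9" http_method="GET" request_time="0.003" '
)

if __name__ == "__main__":
    for name, value in parse_line(SAMPLE).items():
        print(f"{name} = {value!r}")
```

If the log_format is changed to use escape=none, values are written unescaped and this field-boundary guarantee no longer holds.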

Set up NGINX error log

NGINX writes information about encountered issues of different severity levels to the error log. For information about setting up the NGINX error log, refer to https://www.nginx.com/resources/admin-guide/logging-and-monitoring/#error_log .

Set up NGINX live activity monitoring

NGINX Plus provides a real-time live activity monitoring interface that shows key load and performance metrics of your server infrastructure. These metrics can be exposed through a RESTful JSON interface, and the live JSON data can be ingested into Splunk. You need to enable statistics collection in the NGINX Plus configuration file. For information about setting up live activity monitoring, see https://www.nginx.com/resources/admin-guide/Monitoring/ .


This documentation applies to the following versions of Splunk® Supported Add-ons: released

