
Nginx Logs and Splunk: What They Are & How to Use Them

Written by: Michael Simko | Last Updated: April 15, 2024 | Originally Published: November 27, 2022

What is Nginx 

Nginx (pronounced engine-x) is a leading web server. It was designed as a faster and less resource-intensive alternative to the Apache web server. Nginx serves static web files, can act as a reverse proxy or a mail proxy, and may be best known for its use as a load balancer.

With all these functions, getting Nginx logs into Splunk enhances security, service intelligence, and application monitoring. In this blog, you will learn how to integrate Nginx logs into Splunk for enhanced security and monitoring.

 

Nginx ownership  

Igor Sysoev released Nginx in 2004 as an open-source distribution with a BSD-like license. In 2011, Sysoev and Maxim Konovalov founded NGINX, Inc. to provide commercial support for Nginx software. F5 Networks acquired NGINX, Inc. in 2019.

For this post, we will focus on the open-source version of Nginx. 

An enhanced Nginx Plus, with additional support and features, is also available from F5 Networks. 

How Nginx Works

Reverse Proxy: A reverse proxy sits between the requesting client and the web servers behind it, providing scalability and a security boundary in front of those servers. For instructions on configuring Nginx as a reverse proxy, follow these instructions.

Load Balancing: Nginx can provide HTTP (and TCP/UDP) load balancing. This helps with distribution, so individual servers are equally utilized. A common use in the Splunk community is to use Nginx as an HTTP load balancer sitting in front of Search Head Clusters or in front of HTTP Event Collectors (Heavy Forwarders or Indexers). Here are the details on how to configure HTTP Load Balancing. 

Static web hosting: The original purpose of Nginx was to serve web files quickly. One of the ways it does this is by focusing on static content. Keeping it simple allows Nginx to keep a low requirements footprint. Here’s how to configure Nginx for serving static content. 

Mail Proxy: Nginx can serve as a mail proxy for the IMAP, POP3, and SMTP protocols. A mail proxy distributes connections evenly across multiple mail servers and can select a mail server based on defined criteria. Here are the instructions on configuring Nginx as a mail proxy.

Integrate Nginx Logging into Splunk  

Whenever you ingest logs into Splunk, the first question should be, “Is there a good Splunk App for this data?” In the case of Nginx, the answer is a resounding yes – if you are looking into Nginx Plus. The Splunk Add-on for Nginx is a well-crafted app that uses API calls to reach the Nginx Plus server.

For Open Source Nginx, we must be a bit more creative. Logs can be written to disk or sent to a Syslog server; the options for each are set within the individual log modules.

Error Logs: Controlled by the Core Functionality Module (ngx_core_module). The default is to write to a log file; Syslog is also available. Optionally, you can set the minimum severity level written to the log.

Example: error_log logs/error.log [level];  

The level parameter is one of debug, info, notice, warn, error, crit, alert, or emerg, listed in increasing order of severity. Selecting a level includes that level and everything more severe, so error logs error through emerg.

To use Syslog instead, replace the file location in the directive with a Syslog destination.

Here is more information on writing the error_log. 

HTTP Logging: Controlled by the ngx_http_log_module. The good news is that the predefined combined format, which matches the common standard, can be used. The unwelcome news is that the Nginx admin can adjust the format. Again, both Syslog and file output are available. Further options control when to flush the log and whether to gzip it.

Example: access_log /nginx/logs/http_access.log combined gzip flush=48h;

Many options are available, depending on the version and admin choices.  

From a Splunk perspective, the variability of this data makes it hard to prepare for. Try grabbing a sample of the log and using Data Preview in Splunk Enterprise or Splunk Cloud to see whether the access_combined or access_combined_wcookie sourcetypes parse the data correctly. Otherwise it's time to break out your Splunk skills and create your own sourcetype and field extractions.
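As an added example (not from the original post), a small Python check that tests whether sampled access-log lines match Nginx's predefined combined format before you commit to the access_combined sourcetype. The field names mirror what Splunk extracts; the sample lines are constructed, and the third one carries an extra trailing field to show the failure case a customised log_format produces.

```python
import re
from typing import Optional

# Regex for Nginx's predefined "combined" log_format:
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent"
# Group names mirror the fields Splunk's access_combined sourcetype extracts.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[dict]:
    """Return the extracted fields for one combined-format line, or None
    if the line does not match (e.g. the admin changed log_format)."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    # Split "$request" into method/uri/version the way Splunk does;
    # a bare "-" (client sent no request line) leaves them empty.
    parts = fields["request"].split(" ")
    fields["method"], fields["uri"], fields["version"] = (
        parts if len(parts) == 3 else ("", "", "")
    )
    fields["status"] = int(fields["status"])
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])
    return fields


def check_lines(lines):
    """Classify a sample of access-log lines before choosing a sourcetype:
    returns (count of lines matching combined, list of lines that do not)."""
    bad = [ln for ln in lines if parse_combined(ln) is None]
    return len(lines) - len(bad), bad


# Constructed sample lines (not real traffic). The third carries an extra
# trailing $request_time field, a common local customisation that breaks
# access_combined and calls for a custom sourcetype.
SAMPLE_LINES = [
    '203.0.113.10 - - [15/Apr/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 612 "-" "Mozilla/5.0"',
    '203.0.113.11 - alice [15/Apr/2024:10:01:03 +0000] "POST /api/login HTTP/2.0" '
    '401 0 "https://example.test/" "curl/8.4.0"',
    '203.0.113.12 - - [15/Apr/2024:10:01:04 +0000] "GET /health HTTP/1.1" '
    '200 2 "-" "kube-probe/1.29" 0.004',
]
```

Run `check_lines` over a few hundred lines pulled from the real file; any non-empty second element means the combined sourcetypes will mis-extract and you should build your own.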

UDP, TCP, and UNIX-domain sockets: Controlled by the ngx_stream_log_module. As with HTTP logging, there are options to write the log to disk or to Syslog. Note that, unlike the HTTP module, the stream module has no predefined combined format, so the format named in access_log must first be declared with a log_format directive.

Example: access_log /nginx/logs/udp_access.log combined gzip flush=48h;

HTTP Session logs: Available only in the commercial subscription, there is an ability to log sessions instead of individual HTTP requests. With Splunk, this is less important, but if you have a commercial subscription, why not explore the data? Here’s the documentation for how to do this.

Splunk Options:

If you have Nginx Plus, use the Splunk Add-on for Nginx.

For those using Open Source Nginx, your options are: 

  1. Log to disk and use a universal forwarder to monitor the file.  
  2. Send the logs to Syslog, then write to disk and use a monitor on the file.

Conclusion

In this post, we explored what Nginx is and its main functionality. We explored how Nginx logs data and what our options are for ingesting the data. Best of luck and may your admins have set Nginx up in a standard logging format.
