Nginx – Pass host from nginx to rsyslog

debiannginxrsyslogsyslog

I have a cluster of nginx web servers and a separate syslog server running rsyslog. The nginx vhost looks like this:

access_log      syslog:server=10.0.0.51,facility=local1,severity=info combined;
error_log       syslog:server=10.0.0.51,facility=local2 debug;

And the custom rsyslog config like this:

$template access_log,"/var/syslog/%HOSTNAME%/%PROGRAMNAME%/access.log"
$template error_log,"/var/syslog/%HOSTNAME%/%PROGRAMNAME%/error.log"
local1.*        -?access_log
local2.*        -?error_log

It works great but I would like to create separate log files on rsyslog for the different vhosts, so, e.g.,

/var/syslog/my-hostname/nginx/example.org-access.log

/var/syslog/my-hostname/nginx/somedomain.com-access.log

And so on. How can I pass the host from nginx to rsyslog?

Best Answer

Not able to comment, but maybe this will get you started in the right direction.

Nginx allows you to set tags for each log. From the documentation for nginx syslog:

tag=string

Sets the tag of syslog messages. Default is “nginx”.

For example I have this in my config:

access_log      syslog:server=server,tag=nginx_access;

For your site configuration you can set access and error logs per virtual server:

server {
    listen 80;
    server_name foo1.local;
    location /var/www/site1;
    access_log      syslog:server=server,tag=nginx_access_site1;
}

server {
    listen 80;
    server_name foo2.local;
    location /var/www/site2;
    access_log      syslog:server=server,tag=nginx_access_site2;
}

Now you should be able to filter these messages based on the tags. From How to filter rsyslog messages by tags you can set up a configuration file:

:syslogtag, isequal, "nginx_access_site1:" /var/syslog/my-hostname/nginx/site1-access.log
& stop

:syslogtag, isequal, "nginx_access_site2:" /var/syslog/my-hostname/nginx/site2-access.log
& stop

You also need to make sure that whatever you call this config file, it needs to get loaded before your default configs (which seems to be 50-default.conf) - so for example you could name it 20-nginx.conf.

Related Solutions

What’s causing rsyslog to log $msgINVALID PROPERTY NAME instead of the message contents from sonicwall devices

There is a typo in the sql template, $msg% instead of %msg%; which rsyslog tried to tell me, and I even quoted in my original question.

How to filter on tags in syslog-ng when they don’t seem to be available by the time it processes it

There is a difference between the TAG field defined in the RFC3164 to which the nginx config parameter refers to and the tag filter used inside Syslog-ng.

The TAG field you can define in Nginx is interpreted as the program or the process which is logging the current message. It is in the MSG Part of the syslog packet and terminated by the first non-alphanumeric character. Everything after that will be used as the actual message (RFC3164#section-4.1.3).

You can see that when you sniff the syslog traffic e.g. with tcpdump:

tcpdump -A -vvv -s0 -n -i venet0 port 514

This is an example comming from NGINX with the config listed below:

15:25:16.477717 IP (tos 0x0, ttl 63, id 22206, offset 0, flags [DF], proto UDP (17), length 454) loadbalancer.example.com.45470 > log.example.com.514: [udp sum ok] SYSLOG, length: 426
    Facility local6 (22), Severity notice (5)
    Msg: Mar 10 15:25:16 loadbalancer.example.com nginx_access: "[10/Mar/2017:15:25:16 +0100]" "NO-CACHE" "app.example.com:80" "0.032" "302" "331" "10.235.121.191" "sub.example.com" "GET /location/?parameter=value1 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; Tablet PC 2.0)"

I sometimes use the TAG Field of nginx to distinguish between different logfiles:

access_log      /var/log/nginx/www.example.com.ssl_access_log proxy;
error_log       /var/log/nginx/www.example.com.ssl_error_log warn;

access_log       syslog:server=10.0.80.110,facility=local6,tag=nginx_access,severity=notice proxy;
error_log       syslog:server=10.0.80.110,facility=local6,tag=nginx_error,severity=error warn;

And on the receiving syslog-ng server I can then sort the incoming messages or just dump them in one big file:

source s_net { udp(); };

filter f_prg_nginx_access{ program(nginx_access); };
filter f_prg_nginx_error{ program(nginx_error); };

destination d_lb_access { file("/var/log/lb_access.log" perm(0640));};
destination d_lb_error { file("/var/log/lb_error.log" perm(0640)); };

log { source(s_net); filter(f_prg_nginx_access); destination(d_lb_access); };
log { source(s_net); filter(f_prg_nginx_error); destination(d_lb_error); };

As Robert Fekete already mentioned the tag filtering of Syslog-ng is another way for internaly tagging messages which arrive on a specific port or match a pattern. Additionally [2] says that tagging is the fastest way of sorting messages in syslog-ng but the tags are only locally available and not sent over the network.

[1] https://www.nginx.com/resources/admin-guide/logging-and-monitoring/ [2] https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.6-guides/en/syslog-ng-ose-v3.6-guide-admin/html/tagging-messages.html

Best Answer

Related Solutions

What’s causing rsyslog to log $msg**INVALID PROPERTY NAME** instead of the message contents from sonicwall devices

How to filter on tags in syslog-ng when they don’t seem to be available by the time it processes it

Related Topic

What’s causing rsyslog to log $msgINVALID PROPERTY NAME instead of the message contents from sonicwall devices