I'm trying to collect nginx error and access logs with Graylog. I think everything is correctly configured, but Graylog receives nothing from NGINX
(Graylog & NGINX are in Docker containers and both are in the same network).
I use nginx/1.13.5 & Graylog 2.4.0 and I use this content pack on Graylog.
Here is my nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
        '"remote_addr": "$remote_addr", '
        '"remote_user": "$remote_user", '
        '"body_bytes_sent": $body_bytes_sent, '
        '"request_time": $request_time, '
        '"status": $status, '
        '"request": "$request", '
        '"request_method": "$request_method", '
        '"host": "$host",'
        '"upstream_cache_status": "$upstream_cache_status",'
        '"upstream_addr": "$upstream_addr",'
        '"http_x_forwarded_for": "$http_x_forwarded_for",'
        '"http_referrer": "$http_referer", '
        '"http_user_agent": "$http_user_agent" }';

    access_log syslog:server=graylog:12301,facility=local0,tag=nginx,severity=info graylog2_json;
    error_log syslog:server=graylog:12302,facility=local0,tag=nginx,severity=error warn;
    #error_log stderr;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
daemon off;
If I try with nc, my Graylog receives the message:
echo -n "test message" | nc -u -w1 graylog 12301
Thanks!
Best Answer
I suggest you collect some debug info. As you said, your network works.
If Nginx is on the same host as Graylog:
sudo tcpdump udp -n -vv port 12301 -i lo -X
If Nginx is on a different host from Graylog:
sudo tcpdump udp -n -vv port 12301 -X
If the network level works and you can see packets like in the picture, go to Graylog Inputs and check which kind of input you have:
[a] It needs to be Raw/Plaintext UDP (if you have GELF UDP, Graylog will filter your messages, as Nginx sends logs in Syslog format and not in JSON).
[b] You will have Network IO different from 0.
[c] Port (12301 in your case) and IP need to be the same as in the Nginx configuration.
Extractor Example:
As you use a "content pack", you need to add the rule before all others that come from the "content pack" (order: 0) if you do import/export.
After adding the rule, you will have a clean JSON log from Nginx; all other work will be done by the "content pack".
nginx.conf example:
Hope you will find following all these steps useful.
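The two checks the answer describes, the UDP path test from the question (the nc line) and the extractor step that has to strip the syslog header before the JSON written by graylog2_json can be parsed, can be reproduced locally without Graylog. The following is an added example, not code from the question, the answer or the content pack: it models the RFC 3164-style header nginx prepends when access_log points at syslog (<PRI>Mon DD HH:MM:SS host tag: payload, with PRI = facility*8 + severity, so local0/info is 134), decodes the JSON body, and sends one constructed sample datagram through a throwaway loopback listener. The sample line, the helper names (parse_nginx_syslog, udp_roundtrip, split_pri) and the host/port values are assumptions made for the example.

```python
import json
import re
import socket

# RFC 3164-style framing nginx uses for syslog: <PRI>Mon DD HH:MM:SS host tag: payload
# (the day is space-padded, e.g. "Jan  5", hence the "[ \d]\d" group)
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def split_pri(pri):
    """Decode the <PRI> value into (facility, severity); PRI = facility*8 + severity."""
    return pri // 8, pri % 8


def parse_nginx_syslog(datagram):
    """Strip the syslog header (what the Graylog extractor rule has to do) and decode the
    JSON body produced by the graylog2_json log_format. Raises ValueError when the line
    is not syslog-framed or when the body is not JSON, so a misconfigured log_format is
    reported instead of silently producing an empty message."""
    m = SYSLOG_HEADER.match(datagram)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % datagram[:40])
    facility, severity = split_pri(int(m.group("pri")))
    body = m.group("msg").strip()
    if not body.startswith("{"):
        raise ValueError("syslog body is not JSON; check the log_format used by access_log")
    return {
        "facility": facility,
        "severity": severity,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "fields": json.loads(body),
    }


def udp_roundtrip(datagram, host="127.0.0.1"):
    """Send one datagram to a throwaway UDP listener bound on loopback and return what
    it received. This is the 'nc -u' check from the question with the listener replaced
    by a local socket, so the sender side can be tested without a Graylog input."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))  # port 0: let the OS pick a free port
    listener.settimeout(2.0)
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(datagram.encode(), (host, port))
        data, _ = listener.recvfrom(65535)
        return data.decode()
    finally:
        sender.close()
        listener.close()


# Constructed sample of what nginx emits for facility=local0 (16), severity=info (6):
# PRI = 16*8 + 6 = 134. The JSON body follows the graylog2_json log_format from the question.
SAMPLE = (
    '<134>Jan 15 10:23:45 web01 nginx: '
    '{ "timestamp": "2018-01-15T10:23:45+00:00", "remote_addr": "10.0.0.5", '
    '"remote_user": "", "body_bytes_sent": 612, "request_time": 0.004, '
    '"status": 200, "request": "GET /index.html HTTP/1.1", "request_method": "GET", '
    '"host": "example.test","upstream_cache_status": "","upstream_addr": "",'
    '"http_x_forwarded_for": "","http_referrer": "", "http_user_agent": "curl/7.58.0" }'
)

if __name__ == "__main__":
    received = udp_roundtrip(SAMPLE)
    parsed = parse_nginx_syslog(received)
    print("facility=%d severity=%d host=%s status=%d" % (
        parsed["facility"], parsed["severity"], parsed["host"], parsed["fields"]["status"]))
```

If parse_nginx_syslog raises on a datagram captured with the tcpdump commands above, the body reaching the input is not the JSON format (for example the default combined format, or the error_log stream on 12302, which is plain text), which matches the answer's point that a Raw/Plaintext UDP input plus an extractor is needed rather than a GELF input.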