Suzf  Blog

How-to configure nginx logging to remote syslog

Preface

Centralized logging brings many advantages, so how do we collect Nginx logs on a log server? Nginx has supported syslog since version 1.7.1.

Nginx log configuration

# diff -ruN /etc/nginx/nginx.conf{.old,}
--- /etc/nginx/nginx.conf.old	2017-04-24 13:45:56.125362028 +0800
+++ /etc/nginx/nginx.conf	2017-04-24 14:04:38.293694706 +0800
@@ -4,7 +4,8 @@
 
 user nginx;
 worker_processes auto;
-error_log /var/log/nginx/error.log;
+# error_log /var/log/nginx/error.log;
+error_log syslog:server=log.suzf.net:514,tag=nginx_error;
 pid /run/nginx.pid;
 
 # Load dynamic modules. See /usr/share/nginx/README.dynamic.
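Review bot: The added error_log line sets no facility=, so its messages go out with the default facility local7, while the log server rule for nginx_error matches only local6 and will never fire. Add facility=local6 here, as the access_log line does (error_log syslog:server=log.suzf.net:514,facility=local6,tag=nginx_error;), or change the rule to local7. Also consider leaving the file-based error_log active next to the syslog one instead of commenting it out: server=log.suzf.net:514 is UDP, so when the log server is unreachable or a datagram is dropped, the error message is lost with no local copy.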
@@ -19,7 +20,8 @@
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
-    access_log  /var/log/nginx/access.log  main;
+    # access_log  /var/log/nginx/access.log  main;
+    access_log  syslog:server=log.suzf.net:514,facility=local6,tag=nginx_access,severity=info main;
 
     sendfile            on;
     tcp_nopush          on;
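Review bot: Commenting out the file-based access_log just above the new syslog line leaves the UDP stream to log.suzf.net:514 as the only copy of the access log, sent unauthenticated and in clear text, so dropped datagrams leave silent gaps and client addresses and request lines are readable on the network path. Keep both directives active (access_log accepts several at the same level) so the host retains a local record, and keep this traffic on a trusted network segment. severity=info is already the default for access_log and can be dropped.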

Remote log server configuration

# grep nginx_ /etc/rsyslog.conf
if $syslogfacility-text == 'local6' and $programname == 'nginx_access' then /var/log/nginx/access_test.log
if $syslogfacility-text == 'local6' and $programname == 'nginx_error' then /var/log/nginx/error_test.log

Confirm on the logserver

@log.suzf.net ~# head -1 /var/log/nginx/access_test.log 
2017-04-24T13:57:22+08:00 horse.suzf.net nginx: 172.16.9.1 - - [24/Apr/2017:13:57:22 +0800] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

The following parameters configure logging to syslog:

server=address

Defines the address of a syslog server. The address can be specified as a domain name or IP address, with an optional port, or as a UNIX-domain socket path specified after the “unix:” prefix. If port is not specified, the UDP port 514 is used. If a domain name resolves to several IP addresses, the first resolved address is used.

facility=string

Sets facility of syslog messages, as defined in RFC 3164. Facility can be one of “kern”, “user”, “mail”, “daemon”, “auth”, “intern”, “lpr”, “news”, “uucp”, “clock”, “authpriv”, “ftp”, “ntp”, “audit”, “alert”, “cron”, “local0”..“local7”. Default is “local7”.

severity=string

Sets severity of syslog messages for access_log, as defined in RFC 3164. Possible values are the same as for the second parameter (level) of the error_log directive. Default is “info”.

Severity of error messages is determined by nginx, thus the parameter is ignored in the error_log directive.

tag=string

Sets the tag of syslog messages. Default is “nginx”.

nohostname

Disables adding the “hostname” field into the syslog message header (1.9.7).
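An added example, not part of the original post or the nginx documentation: this Python script decodes the facility, severity and tag from an RFC 3164 datagram and evaluates the log server's rsyslog rule against it, showing that a message sent with the default facility local7 does not match a local6 filter. The datagrams are constructed, the header layout is assumed from RFC 3164, and `parse` and `rule_matches` are hypothetical helper names.

```python
import re

# Facility names in the order nginx lists them; list index = RFC 3164 facility code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "intern", "lpr",
              "news", "uucp", "clock", "authpriv", "ftp", "ntp", "audit",
              "alert", "cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]

# Assumed layout: <PRI>Mmm dd hh:mm:ss [hostname] tag: message
# (the hostname field is absent when "nohostname" is set).
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:]+) )?(?P<tag>[A-Za-z0-9_]+): (?P<msg>.*)$", re.S)

# Constructed datagrams modelled on the page's directives (not captured traffic).
ACCESS = (b'<182>Apr 24 13:57:22 horse.suzf.net nginx_access: '
          b'172.16.9.1 - - [24/Apr/2017:13:57:22 +0800] "GET / HTTP/1.1" 200 3700')
ERROR = (b'<187>Apr 24 13:57:23 horse.suzf.net nginx_error: '
         b'[error] constructed sample error line')

def parse(datagram: bytes) -> dict:
    """Decode one RFC 3164 datagram into facility, severity, host, tag, msg."""
    m = HEADER.match(datagram.decode("utf-8", errors="replace"))
    if m is None:
        raise ValueError("not an RFC 3164 message")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    # PRI = facility * 8 + severity
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def rule_matches(rec: dict, facility: str, programname: str) -> bool:
    """Mimic: if $syslogfacility-text == F and $programname == P then <file>."""
    return rec["facility"] == facility and rec["tag"] == programname

if __name__ == "__main__":
    for raw in (ACCESS, ERROR):
        rec = parse(raw)
        hit = rule_matches(rec, "local6", rec["tag"])
        print(rec["tag"], rec["facility"], rec["severity"], "matches local6 rule:", hit)
```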

 

nginx < 1.7.1

The Nginx configuration file stays unchanged; use the Rsyslog imfile module to convert the text log file into Rsyslog messages.

# cat /etc/rsyslog.d/nginx.conf 
# needs to be done just once; suggest adding it to /etc/rsyslog.conf
$ModLoad imfile

# nginx access log
$InputFileName /var/log/nginx/access.log
$InputFileTag nginx_access:
$InputFileStateFile stat-nginx-acess

$InputFileSeverity notice
$InputFileFacility local6
$InputRunFileMonitor

# check for new lines every 2 seconds
$InputFilePollInterval 2


# grep log.suzf.net /etc/rsyslog.conf 
*.* @log.suzf.net:514

The remote log server configuration is the same as above.
