Overview
Blumira’s modern cloud SIEM platform integrates with Nginx Web Server to detect cybersecurity threats and provide actionable response to remediate when a threat is detected.
When configured, the Blumira integration with Nginx will stream security event logs to the Blumira service for automated threat detection and actionable response.
Before you begin
To configure log forwarding for your Nginx Web Server, you must first complete the steps in Integrating with Linux OS. After you have completed that procedure, proceed with the steps below.
Sending logs to Blumira
If you have a special logging configuration for your Nginx Web Server, you may need to tweak the following configuration. If you need help, you can send your active Nginx configuration to Blumira Support, and we will make sure you get the correct configuration.
Configuring Nginx Web Server logs
- Verify that your Nginx configuration matches the following. This applies to default installations and to configurations that have not been heavily modified:
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
Note: As mentioned above, the steps below assume you are using the defaults and logging to /var/log/nginx/access.log and /var/log/nginx/error.log, with appropriate log rotation in place. If you have configured logging differently in your vhost or site configuration, substitute those paths in the later steps.
- Rsyslog must spool the Nginx data into a working directory, so verify that the spool directory exists by running the following command:
sudo ls /var/spool/rsyslog
If you receive a "No such file or directory" error, run the following commands to create the directory. On Ubuntu, rsyslog runs as the syslog user, so that user must also own the directory; the check below only applies the ownership change when lsb_release reports Ubuntu:
sudo mkdir -v /var/spool/rsyslog
if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then
    sudo chown -R syslog:adm /var/spool/rsyslog
fi
- Open or create the new Blumira Nginx log configuration file for rsyslog:
sudo vim /etc/rsyslog.d/25-nginx.conf
Note: You can use nano, emacs, or your preferred text editor. The file must be located at /etc/rsyslog.d/25-nginx.conf.
- Copy and paste the following content into the file:
# Prep
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog # where to place spool files
#$WorkDirectory /var/lib/rsyslog # if using RHEL/CentOS, uncomment this line, and comment out the above line

# Nginx access log:
$InputFileName /var/log/nginx/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Nginx error log:
$InputFileName /var/log/nginx/error.log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Tag, forward to the Blumira system logger, then stop
if $programname == 'apache-access' then stop
if $programname == 'apache-error' then stop

Note: As mentioned above, you can change the paths of the access and error log files if they are located elsewhere on your system. Keep the $InputFileTag values exactly as shown: the two "stop" rules at the end match on those tags so that the Nginx lines are not also written to the local syslog files once they have been processed.
- Restart the rsyslog service so that it starts processing Nginx data with the new configuration:
sudo /etc/init.d/rsyslog restart
or
sudo service rsyslog restart
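The steps above assume the default log paths. The script below is an added example, not Blumira's own tooling: it reads the access_log and error_log paths from the live Nginx configuration (so a custom vhost layout is picked up instead of assumed), renders the same rsyslog file the steps describe from those paths, creates the spool directory, and restarts rsyslog only after rsyslogd's own syntax check (rsyslogd -N1) has passed on the complete configuration, rolling the new file back if it fails. The function names, the sample vhost and the default file globs are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not Blumira's own tooling: read the access_log/error_log
# paths from the live Nginx configuration, render the rsyslog imfile
# configuration from them, and restart rsyslog only after rsyslogd's own
# config check passes. Function names and the sample vhost are constructed.
set -eu

# Print the path from the first `access_log` or `error_log` directive found in
# the given Nginx config files (defaults to the usual Debian/Ubuntu layout).
# A missing directive, `access_log off;` or a `syslog:` target cannot be
# tailed by imfile, so the documented default path is returned instead.
nginx_log_path() {
    local directive="$1" default="$2" path
    shift 2
    [ "$#" -gt 0 ] || set -- /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/sites-enabled/*
    path=$(grep -hE "^[[:space:]]*${directive}[[:space:]]" "$@" 2>/dev/null \
             | head -n 1 | awk '{print $2}' | tr -d ';')
    case "$path" in
        ""|off|syslog:*) path="$default" ;;
    esac
    printf '%s\n' "$path"
}

# Render /etc/rsyslog.d/25-nginx.conf for the given log paths. The tags and
# stop rules are kept as in the documented configuration; only the file
# paths and the spool directory vary (pass /var/lib/rsyslog on RHEL/CentOS).
render_rsyslog_conf() {
    local access="$1" error="$2" spool="${3:-/var/spool/rsyslog}"
    cat <<EOF
# Prep
\$ModLoad imfile
\$InputFilePollInterval 10
\$PrivDropToGroup adm
\$WorkDirectory $spool

# Nginx access log:
\$InputFileName $access
\$InputFileTag apache-access:
\$InputFileStateFile stat-apache-access
\$InputFileSeverity info
\$InputFilePersistStateInterval 20000
\$InputRunFileMonitor

# Nginx error log:
\$InputFileName $error
\$InputFileTag apache-error:
\$InputFileStateFile stat-apache-error
\$InputFileSeverity error
\$InputFilePersistStateInterval 20000
\$InputRunFileMonitor

# Tag, forward to the Blumira system logger, then stop
if \$programname == 'apache-access' then stop
if \$programname == 'apache-error' then stop
EOF
}

# Create the spool directory; on Debian/Ubuntu rsyslog runs as the syslog
# user and must own it, otherwise imfile cannot persist its state files.
ensure_spool() {
    mkdir -p "$1"
    if id syslog >/dev/null 2>&1; then chown -R syslog:adm "$1"; fi
}

# Write the rendered file, validate the complete rsyslog configuration with
# `rsyslogd -N1` (parse only, no daemon), roll back on failure, then restart.
# Usage: install_nginx_rsyslog [target] [nginx config files...]
install_nginx_rsyslog() {
    local target="${1:-/etc/rsyslog.d/25-nginx.conf}" spool=/var/spool/rsyslog access error tmp
    [ "$#" -eq 0 ] || shift
    access=$(nginx_log_path access_log /var/log/nginx/access.log "$@")
    error=$(nginx_log_path error_log /var/log/nginx/error.log "$@")
    ensure_spool "$spool"
    tmp=$(mktemp)
    render_rsyslog_conf "$access" "$error" "$spool" > "$tmp"
    install -m 0644 "$tmp" "$target"
    rm -f "$tmp"
    if ! rsyslogd -N1 >/dev/null 2>&1; then
        echo "rsyslog config check failed; removing $target" >&2
        rm -f "$target"
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart rsyslog
    else
        service rsyslog restart
    fi
}

# Constructed sample of a non-default vhost used to exercise the functions.
write_sample_vhost() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name app.example.test;
    # access_log /tmp/ignored.log;   <- commented directive must be skipped
    access_log /srv/www/app/logs/access.log main;
    error_log  /srv/www/app/logs/error.log warn;
}
EOF
}

# ./nginx-rsyslog.sh install [target] [nginx files...]   (run as root)
# ./nginx-rsyslog.sh render   (prints the config rendered for the sample vhost)
case "${1:-}" in
    install) shift; install_nginx_rsyslog "$@" ;;
    render)  f=$(mktemp); write_sample_vhost "$f"
             render_rsyslog_conf "$(nginx_log_path access_log /var/log/nginx/access.log "$f")" \
                                 "$(nginx_log_path error_log /var/log/nginx/error.log "$f")"
             rm -f "$f" ;;
esac
```

Run it with `render` first to review the generated file, then `install` as root. If your vhosts live outside the default include paths, list their files after the target so the directives are found; `rsyslogd -N1` checks the whole of /etc/rsyslog.conf plus /etc/rsyslog.d, so a typo in the new file is caught before the daemon is bounced.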