Integrating with Nginx Web Server

Overview

Blumira’s modern cloud SIEM platform integrates with Nginx Web Server to detect cybersecurity threats and provide actionable response to remediate when a threat is detected.

When configured, the Blumira integration with Nginx will stream security event logs to the Blumira service for automated threat detection and actionable response.

Before you begin

To configure log forwarding for your Nginx Web Server, first complete the steps in Integrating with Linux OS, which sets up rsyslog forwarding from the host to Blumira. Once that procedure is done, proceed with the steps below.

Sending logs to Blumira

If your Nginx Web Server uses a non-default logging configuration (custom log paths, per-vhost access logs, or a custom log_format), you may need to adjust the configuration below. If you need help, send your active Nginx configuration to Blumira Support and we will confirm the correct rsyslog configuration for it.

Configuring Nginx Web Server logs

  1. Verify that your Nginx configuration writes its logs to the default locations. For a default or lightly modified installation, nginx.conf contains:
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    Note: The rest of this article assumes the default setup, with Nginx logging to /var/log/nginx/access.log and /var/log/nginx/error.log and logrotate handling rotation. If your vhost or site configuration logs elsewhere, substitute those paths in the later steps.
  2. rsyslog's imfile module keeps its state files for the Nginx logs in a working directory (the $WorkDirectory set in step 4), so verify that the spool directory exists by running the following command:
    sudo ls /var/spool/rsyslog

    If you receive a "No such file or directory" error, run this command:

    sudo mkdir -v /var/spool/rsyslog
    if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then
       sudo chown -R syslog:adm /var/spool/rsyslog
    fi
  3. Open or create the Blumira Nginx log configuration file for rsyslog by running this command:
    sudo vim /etc/rsyslog.d/25-nginx.conf
    Note: You can use nano, emacs, or your preferred text editor. The file must be located at /etc/rsyslog.d/25-nginx.conf.
  4. Copy and paste the following content into the file:

    # Prep
    $ModLoad imfile
    $InputFilePollInterval 10
    $PrivDropToGroup adm
    # where to place spool files
    $WorkDirectory /var/spool/rsyslog
    # if using RHEL/CentOS, uncomment this line, and comment out the above line
    #$WorkDirectory /var/lib/rsyslog

    # Nginx Access File:
    $InputFileName /var/log/nginx/access.log
    $InputFileTag apache-access:
    $InputFileStateFile stat-apache-access
    $InputFileSeverity info
    $InputFilePersistStateInterval 20000
    $InputRunFileMonitor

    # Nginx Error File:
    $InputFileName /var/log/nginx/error.log
    $InputFileTag apache-error:
    $InputFileStateFile stat-apache-error
    $InputFileSeverity error
    $InputFilePersistStateInterval 20000
    $InputRunFileMonitor

    # Tag, Forward to BLUNIX System Logger then Stop
    if $programname == 'apache-access' then stop
    if $programname == 'apache-error' then stop
    Note: As mentioned above, change the paths of the access and error files if they are located elsewhere on your system. Keep the apache-access and apache-error tags as written, because the two stop rules at the end of the file match on them. Those stop rules discard the Nginx messages once they have been handled, and rsyslog loads the files in /etc/rsyslog.d in name order, so the forwarding rule created by the Integrating with Linux OS procedure must live in a file that sorts before 25-nginx.conf; otherwise the Nginx lines are dropped before they are ever forwarded.
  5. Restart the rsyslog service so it loads the new configuration and begins tailing the Nginx logs:

    sudo /etc/init.d/rsyslog restart

    or

    sudo service rsyslog restart
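A mistake in step 2 or 4 (a spool directory that does not exist, a log path that does not match your vhost configuration, or a deleted $InputRunFileMonitor line) fails quietly: rsyslog restarts cleanly and simply never sends any Nginx events. The following POSIX shell script is an added example, not code from the Blumira article or from rsyslog, that checks the legacy $-directive config written in step 4 against the filesystem before you restart. It assumes the config uses the $-style directives shown above, that paths contain no whitespace, and that lines whose first non-blank character is # are comments (as rsyslog treats them); the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not Blumira's or rsyslog's code): pre-restart sanity check for a
# legacy-format rsyslog imfile config such as /etc/rsyslog.d/25-nginx.conf.
# It verifies that exactly one $WorkDirectory is active and exists, that every
# $InputFileName exists and is readable, and that at least one
# $InputRunFileMonitor is present (without it imfile tails nothing).
# Assumptions: POSIX sh with awk; paths contain no whitespace; lines whose first
# non-blank character is '#' are comments, which is how rsyslog treats them.

# Print the value (second field) of every active occurrence of a legacy directive.
# Usage: directive_values CONF '$InputFileName'
directive_values() {
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }          # skip commented-out lines, e.g. the RHEL WorkDirectory line
        $1 == d && NF >= 2 { print $2 }    # a trailing "# comment" after the value is ignored
    ' "$1"
}

# Count the lines on stdin; always prints a number (grep -c would also change exit status).
count_lines() {
    awk 'END { print NR }'
}

# Return 0 when the config is consistent with the filesystem, 1 otherwise.
# Every problem found is printed on its own line so the operator sees all of them.
check_imfile_conf() {
    conf=$1
    rc=0

    # Exactly one $WorkDirectory must be active (the other one stays commented out).
    wd_count=$(directive_values "$conf" '$WorkDirectory' | count_lines)
    if [ "$wd_count" -ne 1 ]; then
        echo "expected exactly one active \$WorkDirectory, found $wd_count"
        rc=1
    fi
    for wd in $(directive_values "$conf" '$WorkDirectory'); do
        [ -d "$wd" ] || { echo "missing spool directory: $wd"; rc=1; }
    done

    # Each monitored log file must already exist and be readable.
    for f in $(directive_values "$conf" '$InputFileName'); do
        [ -r "$f" ] || { echo "missing or unreadable log file: $f"; rc=1; }
    done

    # $InputRunFileMonitor has no value, so it is counted separately.
    monitors=$(awk '/^[[:space:]]*#/ { next } $1 == "$InputRunFileMonitor" { n++ } END { print n + 0 }' "$conf")
    if [ "$monitors" -eq 0 ]; then
        echo "no \$InputRunFileMonitor directive: rsyslog would tail nothing"
        rc=1
    fi

    return $rc
}

# Usage: sh check_imfile_conf.sh /etc/rsyslog.d/25-nginx.conf
if [ "$#" -gt 0 ]; then
    check_imfile_conf "$1" && echo "ok: $1"
fi
```

Run it as root (or as a user that can read /var/log/nginx) so the readability check reflects what rsyslog will see, then validate the syntax with `sudo rsyslogd -N1` before restarting; on systemd hosts `sudo systemctl restart rsyslog` is the equivalent of the restart commands in step 5.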