Nginx Syslog source

The nginx_syslog source listens on a UDP socket for nginx access logs wrapped in syslog format. It parses the nginx combined log format and extracts structured fields like IP address, request path, status code, and user agent.

Configuration

{
  "sources": {
    "nginx": {
      "type": "nginx_syslog",
      "addr": "0.0.0.0:5514"
    }
  }
}

Options

Option	Type	Default	Description
`addr`	string	required	UDP listen address (e.g. `"0.0.0.0:5514"`)

Nginx configuration

Configure nginx to send access logs to reveald via syslog:

http {
    access_log syslog:server=127.0.0.1:5514,facility=local7,tag=nginx combined;
}

Event fields

Field	Value
`sourceType`	`"nginx-syslog"`
`rawLog`	Raw log line as JSON
`eventTime`	Parsed from nginx `time_local` field
`src.ip`	Remote client address
`actor.username`	Remote user (empty if `-`)
`tags.request`	Request line (e.g. `"GET /path HTTP/1.1"`)
`tags.status`	HTTP status code
`tags.body_bytes`	Response body size
`tags.http_referer`	Referer header
`tags.http_user_agent`	User agent string

How to collect nginx logs --- End-to-end guide for sending nginx logs to RunReveal

Nginx Syslog source

Configuration

Options

Nginx configuration

Event fields

Related

On this page