NGINX logs format
-
@girish Is it possible to just use the basic default log format? I'm attempting to integrate crowdsec with cloudron NGINX..but the parser for crowdsec is looking for default NGINX log format. I'd have to write a new parser which admittedly I'm prob not able to do technically at this time. I gotta get stronger with the crowdsec parser format and grok.
-
@mastadamus for the moment, maybe you can edit the nginx conf temporarily as needed? It's in
/home/yellowtent/platformdata/nginx/nginx.conf
. That part of nginx conf is only updated on a new Cloudron release (and not on app updates). -
@girish So i changed the default nginx.conf to the default combined log format and it ended up working as far as parsing the logs with crowdsec BUT when I rebooted my cloudron the NGINX service wouldn't come back up. Why does changing that prevent the NGINX service from restarting? You have any ideas?
-
@mastadamus have you checked the nginx logs? I think
journalctl -u nginx -fa
should tell you why it's not starting up. AFAIK, changing log format shouldn't affect Cloudron code. -
@girish I did check that initially and I finally figured out why. I put
log_format combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';but this was unnecessary and ended up throwing an error
-
user www-data; # detect based on available CPU cores worker_processes auto; # this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf # usually twice the worker_connections (one for uptsream, one for downstream) # see also LimitNOFILE=16384 in systemd drop-in worker_rlimit_nofile 8192; pid /run/nginx.pid; events { # a single worker has these many simultaneous connections max worker_connections 4096; } http { include mime.types; default_type application/octet-stream; # the collectd config depends on this log format # required for long host names server_names_hash_bucket_size 128; access_log /var/log/nginx/access.log combined; sendfile on; # timeout for client to finish sending headers client_header_timeout 30s; # timeout for reading client request body (successive read timeout and not whole body!) client_body_timeout 60s; # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds keepalive_timeout 65s; # zones for rate limiting limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 request a second include applications/*.conf; }
-
@mastadamus As a bonus by changing the NGINX logs back to default, my Wazuh agent is now able to parse them fully and i'm getting full monitoring capability from wazuh for the NGINX.. I've even had 2 active response actions taken to block IP's by wazuh since i've switched. I think cloudron team should leave these at default TBH.
-
@mastadamus Can you add that as a feature request and mention this thread?
-
-