Configuring Comprehensive Nginx Logging

Configuring Comprehensive Nginx Logging

Nginx logging configuration for security monitoring:

# /etc/nginx/nginx.conf
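http {
    # Log formats.
    # security_combined: the usual combined layout extended with request
    # timing, upstream timing and the negotiated TLS protocol/cipher.
    log_format security_combined '$remote_addr - $remote_user [$time_local] '
                                '"$request" $status $body_bytes_sent '
                                '"$http_referer" "$http_user_agent" '
                                '$request_time $upstream_response_time '
                                '$ssl_protocol $ssl_cipher';

    # detailed_security: one JSON object per request for SIEM ingestion.
    # escape=json makes nginx escape quotes, backslashes and control characters
    # in variable values, so client-controlled fields (request line, Referer,
    # User-Agent) cannot break out of their JSON string.
    # $http_x_forwarded_for is copied verbatim from the request header; unless
    # a trusted proxy overwrites it, treat it as a client-supplied hint and
    # rely on $remote_addr for the actual peer address.
    # $request holds the full request line including the query string, so any
    # secret passed in a URL ends up in these files; restrict read access to
    # the log directory accordingly.
    log_format detailed_security escape=json
                                '{'
                                '"timestamp":"$time_iso8601",'
                                '"remote_addr":"$remote_addr",'
                                '"remote_user":"$remote_user",'
                                '"request":"$request",'
                                '"status":"$status",'
                                '"body_bytes_sent":"$body_bytes_sent",'
                                '"request_time":"$request_time",'
                                '"http_referer":"$http_referer",'
                                '"http_user_agent":"$http_user_agent",'
                                '"http_x_forwarded_for":"$http_x_forwarded_for",'
                                '"ssl_protocol":"$ssl_protocol",'
                                '"ssl_cipher":"$ssl_cipher",'
                                '"ssl_client_s_dn":"$ssl_client_s_dn",'
                                '"upstream_addr":"$upstream_addr",'
                                '"upstream_status":"$upstream_status",'
                                '"upstream_response_time":"$upstream_response_time",'
                                '"request_id":"$request_id"'
                                '}';

    # Default access logs. A server{} or location{} that declares any
    # access_log of its own does NOT inherit these; they must be repeated
    # there (see the server block below).
    # buffer/flush trade durability for throughput: up to flush seconds of
    # entries can be lost if the worker dies before writing them out.
    access_log /var/log/nginx/access.log security_combined buffer=32k flush=5s;

    # JSON formatted log for SIEM integration
    access_log /var/log/nginx/security.json detailed_security buffer=16k flush=10s;

    # Error log configuration
    error_log /var/log/nginx/error.log warn;

    # Conditional logging maps: 0 = skip the entry, 1 = write it.
    # $request_uri includes the query string, so both patterns are anchored to
    # the path part ([^?]*). An unanchored suffix match would also drop any
    # request whose query string merely ends in a static-file extension or in
    # "/health-check", leaving a gap in filtered.log.
    map $request_uri $loggable {
        ~*^[^?]*\.(jpg|jpeg|png|gif|ico|css|js)(\?|$) 0;
        ~^[^?]*/health-check(\?|$) 0;
        default 1;
    }

    # Marks requests from 192.168.0.0/16 and 10.0.0.0/8 as internal (0).
    # NOTE(review): 172.16.0.0/12 and loopback are not covered; confirm whether
    # that is intended. The geo directive matches CIDR ranges directly and is
    # less error-prone than regexes for this.
    # NOTE(review): behind a load balancer or reverse proxy $remote_addr is the
    # proxy's address unless the realip module is configured, in which case
    # every request would be classified by the proxy's IP.
    map $remote_addr $log_ip {
        ~^192\.168\. 0;
        ~^10\. 0;
        default 1;
    }

    server {
        # ssl_certificate / ssl_certificate_key are required for an ssl
        # listener; they are omitted from this example.
        listen 443 ssl http2;
        server_name example.com;

        # Request ID for tracking: the same $request_id is written to the JSON
        # log, so a response can be correlated with its log entry.
        add_header X-Request-ID $request_id always;

        # Declaring access_log here replaces the http-level logs for this
        # server, so the main and SIEM logs are repeated first. The buffer and
        # flush parameters must match the http-level declarations: nginx
        # rejects one file declared with conflicting parameters.
        access_log /var/log/nginx/access.log security_combined buffer=32k flush=5s;
        access_log /var/log/nginx/security.json detailed_security buffer=16k flush=10s;

        # Conditional access logs
        access_log /var/log/nginx/filtered.log security_combined if=$loggable;
        access_log /var/log/nginx/external.log security_combined if=$log_ip;

        # Log security events: probes for .ht* files are denied and recorded.
        # The location-level access_log replaces every server-level log, so the
        # SIEM log is repeated to keep these events visible centrally.
        location ~ /\.ht {
            deny all;
            access_log /var/log/nginx/security_violations.log security_combined;
            access_log /var/log/nginx/security.json detailed_security buffer=16k flush=10s;
        }

        # Log authentication attempts. These entries contain the full request
        # line; make sure credentials are only ever sent in the request body,
        # never in the query string, and keep this file readable by the
        # monitoring account only.
        location /login {
            access_log /var/log/nginx/auth_attempts.log detailed_security;
            access_log /var/log/nginx/security.json detailed_security buffer=16k flush=10s;
            # Your login handling
        }

        # Debug logging for specific locations.
        # The debug level only takes effect on an nginx binary built with
        # --with-debug. It is very verbose and can include request details, so
        # enable it temporarily while troubleshooting rather than permanently.
        # This error_log replaces the inherited one for /api/.
        location /api/ {
            error_log /var/log/nginx/api_errors.log debug;
            # API handling
        }
    }
}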