NGINX

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

NGINX

✅

✅

nginx_security_logs

NDJSON

S3


Overview

NGINX is a high-performance web server, reverse proxy, and load balancer designed for handling large volumes of traffic efficiently. It is widely used to serve static content, manage API traffic, and optimize application delivery. NGINX improves website performance with features like caching, compression, and SSL termination while enhancing security by mitigating DDoS attacks and unauthorized access. Its scalability and flexibility make it a popular choice for modern web applications and cloud environments.

Supported data types

NGINX Access and Error Logs

Table name: nginx_security_logs

NGINX access logs record all incoming requests, capturing details like client IP, request method, URL, response code, and user agent, making them essential for traffic analysis and troubleshooting. Error logs, on the other hand, track server issues, including failed requests, configuration errors, and security events like ModSecurity WAF rule violations. Together, these logs provide critical insights for performance monitoring, debugging, and security incident detection.

Send data to Hunters

Hunters supports the collection of logs from NGINX using an intermediary AWS S3 bucket.

To connect NGINX logs:

  1. Follow this guide to learn how to configure NGINX logging to Syslog.

  2. Refer to the official Syslog documentation site to learn how to export logs from Syslog to an AWS S3 bucket.

  3. Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected in NDJSON format, one JSON object per line.

NGINX Access and Error Log Sample

{
  "remote": "192.168.1.100",
  "host": "-",
  "user": "-",
  "method": "GET",
  "path": "/auth/admin/realms/example/components/abcd1234-5678-efgh-ijkl-9876mnopqrst",
  "code": "200",
  "size": "614",
  "referer": "-",
  "agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36",
  "time": "2024-12-11T12:36:58+01:00"
}

{
  "severity": "error",
  "process_id": "987654",
  "thread_id": "654321",
  "connection_id": "78910",
  "error": "[client 192.168.1.100] ModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file \"/etc/nginx/modsec/coreruleset-3.3.7/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"81\"] [id \"5678\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"]",
  "client_ip": "192.168.1.100",
  "server": "proxy.example.com",
  "request_method": "GET",
  "request_path": "/.ssh/protected-resource",
  "request_protocol": "HTTP/1.1",
  "host": ""
}
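The two records above carry different field sets (an access record keyed by `remote`, `method`, `path`, `code`; an error record keyed by `client_ip`, `request_method`, `request_path` and a free-text `error` that embeds the ModSecurity verdict). As an added example that is not part of the Hunters documentation or of any NGINX or Hunters tooling, the script below reads NDJSON of that shape, normalizes both record types onto one event schema, and pulls the rule id, rule file, message and anomaly score out of the ModSecurity text so a WAF block can be queried as structured fields. The two sample records are re-serialized one per line as constructed input; the `[key "value"]` tag layout and the `Access denied with code N (phase M)` wording are inferred from the sample on this page, and all function names are the example's own.

```python
from __future__ import annotations

import json
import re
from typing import Iterator, Optional

# Constructed sample input: the two records shown above, serialized one per
# line as NDJSON (the form expected in the bucket). Not a live capture.
_ACCESS = {
    "remote": "192.168.1.100", "host": "-", "user": "-", "method": "GET",
    "path": "/auth/admin/realms/example/components/abcd1234-5678-efgh-ijkl-9876mnopqrst",
    "code": "200", "size": "614", "referer": "-",
    "agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36",
    "time": "2024-12-11T12:36:58+01:00",
}
_ERROR = {
    "severity": "error", "process_id": "987654", "thread_id": "654321",
    "connection_id": "78910",
    "error": "[client 192.168.1.100] ModSecurity: Access denied with code 403 "
             "(phase 2). Matched \"Operator `Ge' with parameter `5' against "
             "variable `TX:ANOMALY_SCORE' (Value: `5' ) [file \"/etc/nginx/modsec/"
             "coreruleset-3.3.7/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] "
             "[line \"81\"] [id \"5678\"] [msg \"Inbound Anomaly Score Exceeded "
             "(Total Score: 5)\"]",
    "client_ip": "192.168.1.100", "server": "proxy.example.com",
    "request_method": "GET", "request_path": "/.ssh/protected-resource",
    "request_protocol": "HTTP/1.1", "host": "",
}
SAMPLE_NDJSON = json.dumps(_ACCESS) + "\n" + json.dumps(_ERROR) + "\n"

# ModSecurity metadata appears as [key "value"] tags inside the error text
# (layout assumed from the sample above).
_TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_DENIED = re.compile(r"ModSecurity: Access denied with code (\d+) \(phase (\d+)\)")
_SCORE = re.compile(r"Total Score: (\d+)")


def parse_ndjson(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty line; a malformed line is skipped, not fatal."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            print(f"line {lineno}: skipped malformed record ({exc.msg})")


def parse_modsecurity(error_text: str) -> Optional[dict]:
    """Return structured fields for a ModSecurity 'Access denied' message, else None."""
    denied = _DENIED.search(error_text)
    if denied is None:
        return None
    tags = dict(_TAG.findall(error_text))
    score = _SCORE.search(error_text)
    return {
        "denied_code": int(denied.group(1)),
        "phase": int(denied.group(2)),
        "rule_id": tags.get("id"),
        "rule_file": tags.get("file"),
        "rule_line": tags.get("line"),
        "msg": tags.get("msg"),
        "anomaly_score": int(score.group(1)) if score else None,
    }


def normalize(record: dict) -> dict:
    """Map an access or error record onto one event shape so both can be queried alike."""
    if "error" in record and "severity" in record:
        waf = parse_modsecurity(record["error"])
        return {
            "kind": "error",
            "client_ip": record.get("client_ip"),
            "method": record.get("request_method"),
            "path": record.get("request_path"),
            "status": waf["denied_code"] if waf else None,
            "modsecurity": waf,
        }
    code = record.get("code", "")
    return {
        "kind": "access",
        "client_ip": record.get("remote"),
        "method": record.get("method"),
        "path": record.get("path"),
        "status": int(code) if code.isdigit() else None,
        "modsecurity": None,
    }


def summarize(text: str) -> list[dict]:
    """Parse an NDJSON document into normalized events."""
    return [normalize(r) for r in parse_ndjson(text)]


def waf_blocks(events: list[dict]) -> list[dict]:
    """Events where ModSecurity denied the request: the natural alerting hook."""
    return [e for e in events if e["modsecurity"] is not None]


if __name__ == "__main__":
    events = summarize(SAMPLE_NDJSON)
    for e in events:
        print(e["kind"], e["client_ip"], e["method"], e["path"], e["status"])
    for e in waf_blocks(events):
        print("WAF block:", e["modsecurity"]["rule_id"], e["modsecurity"]["msg"])
```

Normalizing both record types onto the same `client_ip`/`method`/`path`/`status` keys is what lets a single query correlate a 403 from the WAF with the surrounding access-log requests from the same client; the rule id and anomaly score become first-class fields for alert thresholds rather than substring matches on the error text.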