SoFunction
Updated on 2025-04-05

Implementation of Nginx log format

introduction

As an efficient web server, Nginx is widely used in static content services, reverse proxying, load balancing and other scenarios. Logging is a crucial part of server management and monitoring. Nginx provides flexible log format configuration, which can record various data of requests and responses in detail, providing rich information for performance monitoring, security analysis, troubleshooting, etc. Through reasonable log format configuration, administrators can efficiently obtain the operation of Web services, promptly detect problems and optimize them.

1. The basic structure of Nginx logs

Nginx has two main logs: access log and error log. These two logs are used to record information about web requests and error or warning messages during server operation.

1. Access Log

Access logs are the most commonly used log types in Nginx, recording detailed information about HTTP requests and responses between clients and servers. By analyzing access logs, administrators can understand the client's request pattern, request source, response time and other key data, which helps traffic analysis, performance monitoring and security analysis.

The format of the access log islog_formatDirective definition, which usually includes multiple fields, each field representing information for a certain request or response.

2. Error Log

The error log records errors, warnings, and notification information that Nginx occurs when processing requests. Level of error log (e.g.errorwarninfoetc.) can help administrators diagnose and resolve problems. Error logs are especially important when debugging and troubleshooting.

2. Nginx access log configuration

Nginx's access log is usually passedaccess_logInstructions to configure. This directive specifies the location of the log file and the format of the log.

Configuration example:

http {
    access_log /var/log/nginx/;
}

In the default configuration, Nginx will record basic information for all requests. If you want to customize the log format, you can uselog_formatInstructions.

1. The default access log format

Nginx default access log format (combinedFormat) includes the following fields:

  • Client IP address: Records the IP address of the client that initiated the request.
  • Request Time: The requested timestamp, including date and time.
  • Request line: Includes the request method (GET, POST, etc.), the requested URL and protocol version (such as HTTP/1.1).
  • Status code: The response HTTP status code (such as 200, 404, etc.).
  • Number of bytes returned: Number of bytes of the response body, excluding the HTTP header.
  • Request source: Record Referer header, indicating which page the request jumped from.
  • Client browser information: Records the User-Agent header, describing the information that the client uses or other client software.

The defaultcombinedThe log format is as follows:

log_format combined '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

This format will output the following information:

127.0.0.1 - - [12/Dec/2024:16:22:48 +0000] "GET / HTTP/1.1" 200 1043 "/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "192.168.1.1"

2. Custom log format

Nginx supports custom access log formats, and can record more fields or adjust the order of fields according to actual needs. Custom format is throughlog_formatImplemented by the instruction.

Common fields and instructions:

  • $remote_addr: The IP address of the client.
  • $remote_user: The user name of the client (if using HTTP basic authentication).
  • $time_local: Request time (local time).
  • $request: The complete content of the request, including the request method, URL and protocol.
  • $status: HTTP status code (such as 200, 404, 500, etc.).
  • $body_bytes_sent: The number of bytes of the response body, excluding the response header.
  • $http_referer: URL of the source page.
  • $http_user_agent: Client's browser information.
  • $http_x_forwarded_for: The real IP address of the client forwarded by the proxy server.

Example of custom log format:

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$request_time"';
    
    access_log /var/log/nginx/ main;
}

In this example, the log format is customized asmain, and includes the request time and the request time ($request_time) and other information to facilitate performance analysis.

3. Log conditions and filtering

Nginx allows logging to be enabled or disabled under certain conditions. For example, whether to log a log can be determined based on the status code of the response or the specific path of the request.

Example:

server {
    location /api/ {
        access_log /var/log/nginx/api_access.log;
    }

    location / {
        access_log off;  # Disable logging at this location    }
}

In the above configuration, only/api/The requests for the path will record the log, while the requests for the other paths will not record the log.

3. Nginx error log configuration

Nginx also provides an error log for logging errors and warning messages that occur during the server's operation. The error log is mainlyerror_logInstruction configuration usually records information such as configuration errors, server crashes, client request errors, etc.

Configuration example:

error_log /var/log/nginx/ warn;

This configuration logs the error log to/var/log/nginx/Files, and only recordswarnand more serious logs (e.g.errorandcrit)。

1. Level of error log

Nginx supports multiple error log levels, each level indicating different log importance. Common error log levels include:

  • debug: Detailed debugging information, usually used in the development and debugging stages.
  • info: General information, record some general operation information.
  • notice: Notify, record normal system events.
  • warn: Warning, record potential problems.
  • error: Error, record errors that affect the normal operation of the server.
  • crit: Critical error, logging errors that may cause service crash or unavailable.

Configuration example:

error_log /var/log/nginx/ notice;

This configuration sets the level of the error log tonotice, record general notification information and more serious errors.

2. Log rotation and log file management

Log files may become very large after being used for a period of time, affecting the storage space and performance of the server. To avoid excessive log files, log rotation is usually required. Log rotation is to rename or clear the log file during the specified period and create a new log file.

Common log rotation methods include:

  • Use the operating system's ownlogrotateTools clean logs regularly.
  • Nginx byaccess_loganderror_logInstructions support dynamically changing the location of log files, thereby realizing log rotation.

logrotateConfiguration example:

/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
}

4. Log analysis and optimization

The access and error logs generated by Nginx contain a large amount of web request information and server operation status. By analyzing these logs, it can help administrators identify performance bottlenecks, security issues, and potential failures.

1. Performance analysis

By analyzing Nginx's access log, administrators can obtain request response time, request type, client IP, user agent and other information to help discover performance bottlenecks. Common analytical tools includeGoAccessAWStatsElasticsearchandKibanawait.

Performance optimization example:

  • According to the response time in the log ($request_time) field can identify which requests have a longer response time, thereby optimizing the processing logic of these requests.
  • According to the returned status code ($status) field, which can count which requests returned 404 or 500 errors and fix them in time.

2. Safety analysis

Log analysis is also crucial for security protection. By analyzing access logs, administrators can discover abnormal request patterns and identify potential attacks. Common security analyses include:

  • Brutality Cracking Attack: By analyzing the login request, detecting whether there are a large number of false login attempts.
  • DDoS attack: By analyzing the client IP, you can identify the source IP of traffic abnormalities to prevent DDoS attacks.
  • SQL injection, XSS attack: By analyzing the request URL and request body, identifying whether there is an illegal query string or malicious script.

3. Log Optimization

  • Reduce the content of logging: For unimportant requests or responses, consider disabling logging to reduce the use of disk space.
  • Log storage: Use distributed log storage (such asELKStack) to centrally manage and analyze log data to avoid excessive disk pressure on a single server.
  • Real-time log analysis: Cooperate with monitoring tools (such asPrometheusGrafana), realize real-time log analysis and quickly respond to server exceptions or attacks.

5. Summary

Nginx logs are a core component of web server management and maintenance, providing detailed records of access requests, error messages, and server operation status. By configuring Nginx's access logs and error logs properly and using log analysis tools for performance and security analysis, administrators can efficiently monitor server status, optimize Web service performance, and troubleshoot problems.

This is the end of this article about the implementation of Nginx log format. For more related content of Nginx log format, please search for my previous articles or continue browsing the related articles below. I hope everyone will support me in the future!