NGINX Extractor

The Nginx parser is a crucial tool for analyzing Nginx logs. It enables information to be extracted and processed, allowing security events such as requests, accesses and error messages to be effectively monitored and evaluated.

Configuration of the NGINX extractors

  1. Edit the configuration file: Open the file /etc/nginx/nginx.conf in a text editor.

  2. Add log format: In the http section, add the following log format ngs:

     http {
         ...
         ##
         # Syslog
         ##

         log_format ngs '$remote_addr - $remote_user "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ["$server_name" $server_port $remote_port "$upstream_addr"]';

  3. Configure access and error logs: In the same http section, configure the access and error logs to be sent to a relay server via syslog:

         access_log syslog:server=<relayIP>:<relayPort> ngs;
         error_log syslog:server=<relayIP>:<relayPort> <level>;
         ...
     }

     Replace <relayIP> and <relayPort> with the corresponding values of your relay server.

  4. Define the error log level: Replace <level> with one of info, notice, warn, error, crit, alert, emerg. Please note that the number of logs recorded decreases as the error log level increases.

  5. Check the configuration: Execute the nginx -t command to ensure that the configuration is valid. Please note that not all log parameters are available for every request.

  6. Apply configuration: Use service nginx reload to load the updated configuration.

  7. Relay configuration: Make sure that "nginx" is selected as the parser for the relay.
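To check what the relay's nginx parser should produce from the ngs format configured above, the following added example (not part of this documentation or of the extractor itself) parses constructed sample lines with a regular expression that mirrors the log_format field by field. The regex, the field names, the sample addresses and the assumption of the default syslog tag "nginx" are all mine; it also handles the dashes nginx writes for empty variables such as $remote_user or $upstream_addr.

```python
import re
from typing import Optional

# Regex for the "ngs" log_format shown above. Group names mirror the nginx
# variables; the pattern itself is an addition for this example.
NGS_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'\["(?P<server_name>[^"]*)" (?P<server_port>\d+) (?P<remote_port>\d+) '
    r'"(?P<upstream_addr>[^"]*)"\]$'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    '203.0.113.7 - - "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0" '
    '["www.example.com" 443 51234 "10.0.0.5:8080"]',
    '198.51.100.9 - alice "POST /admin HTTP/1.1" 403 153 "https://www.example.com/" '
    '"curl/8.4.0" ["www.example.com" 443 40022 "-"]',
    'this line is not in ngs format',
]


def parse_ngs(line: str) -> Optional[dict]:
    """Parse one ngs line into a dict, or return None when it does not match."""
    payload = line
    if line.startswith("<"):
        # Syslog header still present (relay kept it): keep only the nginx message.
        # Assumes the default syslog tag "nginx", since tag= was not set above.
        payload = line.partition("nginx: ")[2] or line
    m = NGS_RE.match(payload.strip())
    if not m:
        return None
    # nginx writes "-" for empty variables (no user, no upstream, no referer);
    # map those to None so consumers need not special-case the dash.
    rec = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    for k in ("status", "body_bytes_sent", "server_port", "remote_port"):
        rec[k] = int(rec[k])
    parts = (rec["request"] or "").split(" ")
    rec["method"], rec["path"], rec["protocol"] = parts if len(parts) == 3 else (None,) * 3
    return rec


def status_histogram(lines) -> dict:
    """Count lines per status class (2xx, 4xx, ...) and lines the parser rejected."""
    counts: dict = {}
    for line in lines:
        rec = parse_ngs(line)
        key = "unparsed" if rec is None else f"{rec['status'] // 100}xx"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

A rising "unparsed" count after a configuration change usually means the relay is receiving a different log_format than the parser expects.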
