本文にスキップ
KYRA MDR KYRA MDR Docs

Nginx Integration

Overview

This integration collects Nginx access logs and error logs for web attack detection, DDoS monitoring, and application health tracking. Nginx is used as a web server, reverse proxy, or load balancer in the majority of Korean web services.

Supported versions: Nginx 1.7+ (for native syslog), OpenResty

Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • Root or sudo access on the Nginx server
  • Network connectivity from the server to the collector on port 514

Configuration

Nginx 1.7+ supports direct syslog output. Add to your nginx.conf:

access_log syslog:server=KYRA_COLLECTOR_IP:514,facility=local7,tag=nginx,severity=info combined;
error_log syslog:server=KYRA_COLLECTOR_IP:514,facility=local7,tag=nginx_err;

Option 2: rsyslog File Monitoring

If native syslog is not available, use rsyslog to tail log files:

/etc/rsyslog.d/nginx.conf
module(load="imfile")
input(type="imfile" File="/var/log/nginx/access.log" Tag="nginx-access" Facility="local7")
input(type="imfile" File="/var/log/nginx/error.log" Tag="nginx-error" Facility="local7")
local7.* @@KYRA_COLLECTOR_IP:514

Restart rsyslog: sudo systemctl restart rsyslog

For better parsing accuracy, use JSON-formatted access logs:

log_format json_combined escape=json
  '{"time":"$time_iso8601","remote_addr":"$remote_addr",'
  '"request":"$request","status":$status,"body_bytes_sent":$body_bytes_sent,'
  '"http_referer":"$http_referer","http_user_agent":"$http_user_agent",'
  '"request_time":$request_time,"upstream_response_time":"$upstream_response_time"}';


access_log /var/log/nginx/access.log json_combined;

Collected Log Types

Log TypeSecurity UsePriority
Access logsWeb attack detection (SQLi, XSS, path traversal)Critical
Error logsAttack attempt identification, server errorsHigh
4xx responsesDirectory scanning, enumeration detectionMedium
5xx responsesUpstream failures, potential DoSHigh
Request timingSlow HTTP DoS detectionMedium
User-Agent analysisKnown attack tool identificationMedium

Troubleshooting

No Logs Received

  1. Verify Nginx is writing to the expected log paths
  2. Check syslog server address in nginx.conf or rsyslog config
  3. Ensure port 514 is open between the server and collector
  4. Reload Nginx after config changes: sudo nginx -s reload

Logs Not Parsing

  • Switch to JSON log format for reliable field extraction
  • Ensure the log_format directive is applied to the correct server blocks

For additional help, contact kyra@seekerslab.com.