Nginx Logs

Connecting Nginx logs to your Panther Console

Overview

Panther supports ingesting Nginx logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Nginx logs to Panther

To connect these logs into Panther:
  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
  2. Click Create New.
  3. Search for the log type you want to onboard, then click its tile.
  4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
  5. Configure Nginx to push logs to the Data Transport source.
    • See Nginx's documentation for instructions on pushing logs to your selected Data Transport source.

Querying logs in Data Explorer

To see an example of querying NGINX logs in Panther's Data Explorer, please see NGINX and ALB Access logs queries.

Supported log types

Nginx.Access

Access Logs for your Nginx server. Panther supports Nginx 'combined' format.
schema: Nginx.Access
parser:
  fastmatch:
    match:
      - '%{remoteAddr} - %{remoteUser} [%{time}] "%{request}" %{status} %{bodyBytesSent} "%{httpReferer}" "%{httpUserAgent}"'
    emptyValues:
      - '-'
description: Access Logs for your Nginx server. We currently support Nginx 'combined' format.
referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
fields:
  - name: remoteAddr
    description: The IP address of the client (remote host) which made the request to the server.
    type: string
    indicators:
      - ip
  - name: remoteUser
    description: The userid of the person making the request. Usually empty unless .htaccess has requested authentication.
    type: string
    indicators:
      - username
  - name: time
    required: true
    description: The time that the request was received (UTC).
    type: timestamp
    timeFormats:
      - '%d/%b/%Y:%H:%M:%S %z'
    isEventTime: true
  - name: request
    description: The request line from the client. It includes the HTTP method, the resource requested, and the HTTP protocol.
    type: string
  - name: status
    description: The HTTP status code returned to the client.
    type: smallint
  - name: bodyBytesSent
    description: The size of the object returned to the client, measured in bytes.
    type: bigint
  - name: httpReferer
    description: The HTTP referrer if any.
    type: string
  - name: httpUserAgent
    description: The agent the user used when making the request.
    type: string
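
How a 'combined' line maps onto the Nginx.Access fields, as an added example (not Panther's parser and not code from this page). The regular expression approximates the fastmatch pattern above; the function name parse_access_line, the sample lines and their addresses are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Regex approximation of the schema's fastmatch pattern (assumption: this is not
# Panther's implementation). Nginx escapes '"' inside logged variables as \x22,
# so the quoted fields never contain a raw double quote.
COMBINED = re.compile(
    r'^(?P<remoteAddr>\S+) - (?P<remoteUser>.*?) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bodyBytesSent>\d+) '
    r'"(?P<httpReferer>[^"]*)" "(?P<httpUserAgent>[^"]*)"$'
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # timeFormats entry from the schema
EMPTY_VALUES = {"-"}                  # emptyValues entry from the schema


def parse_access_line(line):
    """Return a dict keyed by the Nginx.Access field names, or None when the
    line is not in 'combined' format or its required time does not parse."""
    m = COMBINED.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # Values listed under emptyValues become nulls instead of the literal '-'.
    event = {k: (None if v in EMPTY_VALUES else v) for k, v in m.groupdict().items()}
    try:
        local = datetime.strptime(m["time"], TIME_FORMAT)
    except ValueError:
        return None
    event["time"] = local.astimezone(timezone.utc)        # event time, in UTC
    event["status"] = int(event["status"])                # smallint
    event["bodyBytesSent"] = int(event["bodyBytesSent"])  # bigint
    return event


# Constructed sample lines using documentation-range addresses.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0200] "GET /index.html HTTP/1.1" '
    '200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - alice [10/Oct/2023:11:55:40 +0000] "POST /login HTTP/1.1" '
    '401 0 "https://example.com/" "curl/8.4.0"',
    # Non-HTTP bytes sent to the port: request is escaped text, not "METHOD path proto".
    r'192.0.2.50 - - [10/Oct/2023:12:00:01 +0000] "\x16\x03\x01" 400 157 "-" "-"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_access_line(sample))
```

The third sample shows why request is kept as one string in the schema: detections that split it into method, path and protocol need to tolerate lines where that split does not apply.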