Nginx Logs | Panther Docs

Knowledge Base Community Release Notes Request Demo

Last updated 1 year ago

Was this helpful?

Overview

Panther supports ingesting Nginx logs via common options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Nginx logs to Panther

To connect these logs into Panther:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for the log type you want to onboard, then click its tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
Configure Nginx to push logs to the Data Transport source.
- See Nginx's documentation for instructions on pushing logs to your selected Data Transport source.

Querying logs in Data Explorer

Supported log types

Nginx.Access

Access Logs for your Nginx server. Panther supports Nginx 'combined' format.

schema: Nginx.Access
parser:
    fastmatch:
        match:
            - '%{remoteAddr} - %{remoteUser} [%{time}] "%{request}" %{status} %{bodyBytesSent} "%{httpReferer}" "%{httpUserAgent}"'
        emptyValues:
            - '-'
description: Access Logs for your Nginx server. We currently support Nginx 'combined' format.
referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
fields:
    - name: remoteAddr
      description: The IP address of the client (remote host) which made the request to the server.
      type: string
      indicators:
        - ip
    - name: remoteUser
      description: The userid of the person making the request. Usually empty unless .htaccess has requested authentication.
      type: string
      indicators:
        - username
    - name: time
      required: true
      description: The time that the request was received (UTC).
      type: timestamp
      timeFormats:
        - '%d/%b/%Y:%H:%M:%S %z'
      isEventTime: true
    - name: request
      description: The request line from the client. It includes the HTTP method, the resource requested, and the HTTP protocol.
      type: string
    - name: status
      description: The HTTP status code returned to the client.
      type: smallint
    - name: bodyBytesSent
      description: The size of the object returned to the client, measured in bytes.
      type: bigint
    - name: httpReferer
      description: The HTTP referrer if any.
      type: string
    - name: httpUserAgent
      description: The agent the user used when making the request.
      type: string

Nginx.Error

Error logs of your Nginx server.

schema: Nginx.Error
parser:
    fastmatch:
        match:
            - '%{time} [%{severity}] %{pid}#%{tid}: *%{message}'
        emptyValues:
            - '-'
description: Error Logs for your Nginx server.
referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
fields:
    - name: time
      required: true
      description: The time that the error occurred (UTC).
      type: timestamp
      timeFormats:
        - '%Y/%m/%d %H:%M:%S'
      isEventTime: true
    - name: severity
      required: true
      description: The severity level of the error.
      type: string
    - name: pid
      description: The process ID of the Nginx server.
      type: bigint
    - name: tid
      description: The thread ID of the Nginx server.
      type: bigint
    - name: message
      required: true
      description: The error message.
      type: string