# Nginx Logs

## Overview

Panther supports ingesting Nginx logs via common [Data Transport](/data-onboarding/data-transports.md) options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

## How to onboard Nginx logs to Panther

To onboard Nginx logs to Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for the log type you want to onboard, then click its tile.
4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
   * [AWS CloudWatch](/data-onboarding/data-transports/aws/cloudwatch.md)
   * [AWS SQS](/data-onboarding/data-transports/aws/sqs.md)
   * [AWS S3 bucket](/data-onboarding/data-transports/aws/s3.md)
5. Configure Nginx to push logs to the Data Transport source.
   * See Nginx's documentation for instructions on pushing logs to your selected Data Transport source.

## Querying logs in Data Explorer

For example queries over Nginx logs in Panther's Data Explorer, see [Nginx and ALB Access logs queries](/search/data-explorer/example-queries/nginx-and-alb-access-logs-queries.md).

## Supported log types

### Nginx.Access

Access Logs for your Nginx server. Panther supports Nginx 'combined' format.

Reference: [Nginx documentation on log formatting](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format).

```yaml
schema: Nginx.Access
parser:
    fastmatch:
        match:
            - '%{remoteAddr} - %{remoteUser} [%{time}] "%{request}" %{status} %{bodyBytesSent} "%{httpReferer}" "%{httpUserAgent}"'
        emptyValues:
            - '-'
description: Access Logs for your Nginx server. We currently support Nginx 'combined' format.
referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
fields:
    - name: remoteAddr
      description: The IP address of the client (remote host) which made the request to the server.
      type: string
      indicators:
        - ip
    - name: remoteUser
      description: The userid of the person making the request. Usually empty unless .htaccess has requested authentication.
      type: string
      indicators:
        - username
    - name: time
      required: true
      description: The time that the request was received (UTC).
      type: timestamp
      timeFormats:
        - '%d/%b/%Y:%H:%M:%S %z'
      isEventTime: true
    - name: request
      description: The request line from the client. It includes the HTTP method, the resource requested, and the HTTP protocol.
      type: string
    - name: status
      description: The HTTP status code returned to the client.
      type: smallint
    - name: bodyBytesSent
      description: The size of the object returned to the client, measured in bytes.
      type: bigint
    - name: httpReferer
      description: The HTTP referrer if any.
      type: string
    - name: httpUserAgent
      description: The agent the user used when making the request.
      type: string
```

### Nginx.Error

Error logs of your Nginx server.

```yaml
schema: Nginx.Error
parser:
    fastmatch:
        match:
            - '%{time} [%{severity}] %{pid}#%{tid}: *%{message}'
        emptyValues:
            - '-'
description: Error Logs for your Nginx server.
referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
fields:
    - name: time
      required: true
      description: The time that the error occurred (UTC).
      type: timestamp
      timeFormats:
        - '%Y/%m/%d %H:%M:%S'
      isEventTime: true
    - name: severity
      required: true
      description: The severity level of the error.
      type: string
    - name: pid
      description: The process ID of the Nginx server.
      type: bigint
    - name: tid
      description: The thread ID of the Nginx server.
      type: bigint
    - name: message
      required: true
      description: The error message.
      type: string
```

