Nginx Logs

Connecting Nginx logs to your Panther Console

Overview

Panther supports ingesting Nginx logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Nginx logs to Panther

To connect these logs to Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for the log type you want to onboard, then click its tile.

  4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring that method.

  5. Configure Nginx to push logs to the Data Transport source.

    • See Nginx's documentation for instructions on pushing logs to your selected Data Transport source.

Querying logs in Data Explorer

To see an example of querying NGINX logs in Panther's Data Explorer, please see NGINX and ALB Access logs queries.

Supported log types

Required fields in the table are in bold.

Nginx.Access

Access Logs for your Nginx server. Panther supports Nginx 'combined' format.

Reference: Nginx Documentation on Log Formatting.

| Column | Type | Description |
| --- | --- | --- |
| remoteAddr | string | The IP address of the client (remote host) that made the request to the server. |
| remoteUser | string | The userid of the person making the request. Usually empty unless .htaccess has requested authentication. |
| time | timestamp | The time the request was received (UTC). |
| request | string | The request line from the client. It includes the HTTP method, the resource requested, and the HTTP protocol. |
| status | smallint | The HTTP status code returned to the client. |
| bodyBytesSent | bigint | The size of the object returned to the client, measured in bytes. |
| httpReferer | string | The HTTP referrer, if any. |
| httpUserAgent | string | The user agent the client sent with the request. |
| p_log_type | string | Panther-added field with the type of log |
| p_row_id | string | Panther-added field with a unique id (within the table) |
| p_event_time | timestamp | Panther-added standardized event time (UTC) |
| p_parse_time | timestamp | Panther-added standardized log parse time (UTC) |
| p_source_id | string | Panther-added field with the source id |
| p_source_label | string | Panther-added field with the source label |
| p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row |
| p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row |
| p_any_sha1_hashes | [string] | Panther-added field with the collection of SHA1 hashes associated with the row |
| p_any_md5_hashes | [string] | Panther-added field with the collection of MD5 hashes associated with the row |
| p_any_sha256_hashes | [string] | Panther-added field with the collection of SHA256 hashes associated with the row |
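Added example, not code from Panther or from the Nginx project: a small Python parser that reads Nginx 'combined' format lines (the format named above) and produces events shaped like the Nginx.Access columns in the table, plus a few of the p_ fields, followed by a per-client count of 4xx/5xx responses of the kind you would later run in Data Explorer. The log lines are constructed sample data; the choice to fill p_any_ip_addresses from remoteAddr and p_any_domain_names from the referer host is an assumption made here for illustration, not Panther's documented indicator mapping, and p_row_id, p_source_id and p_parse_time are left out because they are assigned at ingestion.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Nginx's built-in 'combined' log_format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<remoteAddr>\S+) - (?P<remoteUser>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bodyBytesSent>\d+|-) '
    r'"(?P<httpReferer>[^"]*)" "(?P<httpUserAgent>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses); one is deliberately malformed.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 612 '
    '"https://example.com/start" "Mozilla/5.0"',
    '198.51.100.23 - alice [10/Oct/2023:13:55:40 +0200] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0.1"',
    '198.51.100.23 - - [10/Oct/2023:13:55:41 +0200] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.0.1"',
    'this line is not in combined format',
]


def _dash_to_none(value):
    """Nginx writes '-' for an absent field; map it to None like an empty column."""
    return None if value == "-" else value


def parse_combined(line):
    """Parse one combined-format line into a Nginx.Access-shaped dict, or None if it does not match."""
    match = COMBINED_RE.match(line.strip())
    if match is None:
        return None
    f = match.groupdict()
    # $time_local carries the server's offset (e.g. +0200); normalise to UTC as the schema does.
    received = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    referer = _dash_to_none(f["httpReferer"])
    event = {
        "remoteAddr": f["remoteAddr"],
        "remoteUser": _dash_to_none(f["remoteUser"]),
        "time": received.isoformat(),
        "request": f["request"],
        "status": int(f["status"]),
        "bodyBytesSent": 0 if f["bodyBytesSent"] == "-" else int(f["bodyBytesSent"]),
        "httpReferer": referer,
        "httpUserAgent": _dash_to_none(f["httpUserAgent"]),
        # Panther-style fields; mapping is an assumption for this example only.
        "p_log_type": "Nginx.Access",
        "p_event_time": received.isoformat(),
        "p_any_ip_addresses": [f["remoteAddr"]],
        "p_any_domain_names": [],
    }
    if referer:
        host = urlparse(referer).hostname
        if host:
            event["p_any_domain_names"].append(host)
    return event


def parse_lines(lines):
    """Parse many lines; returns (events, number_of_rejected_lines)."""
    events, rejected = [], 0
    for line in lines:
        event = parse_combined(line)
        if event is None:
            rejected += 1
        else:
            events.append(event)
    return events, rejected


def error_counts_by_client(events):
    """Count 4xx/5xx responses per remoteAddr; a cheap baseline for spotting noisy clients."""
    counts = Counter(e["remoteAddr"] for e in events if e["status"] >= 400)
    return dict(counts)


if __name__ == "__main__":
    parsed, bad = parse_lines(SAMPLE_LINES)
    print(f"parsed {len(parsed)} events, rejected {bad} line(s)")
    for ev in parsed:
        print(ev["time"], ev["remoteAddr"], ev["status"], ev["request"])
    print("4xx/5xx per client:", error_counts_by_client(parsed))
```

Lines that do not match the combined pattern are counted rather than silently dropped; a rising rejected count after a config change usually means the server's log_format no longer matches what the parser expects.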
