Nginx Logs

Connecting Nginx logs to your Panther Console

Overview

Panther supports ingesting Nginx logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Nginx logs to Panther

To connect these logs into Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for the log type you want to onboard, then click its tile.

  4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:

  5. Configure Nginx to push logs to the Data Transport source.

    • See Nginx's documentation for instructions on pushing logs to your selected Data Transport source.

Querying logs in Data Explorer

To see an example of querying NGINX logs in Panther's Data Explorer, please see NGINX and ALB Access logs queries.

Supported log types

Nginx.Access

Access Logs for your Nginx server. Panther supports Nginx 'combined' format.

Reference: Nginx Documentation on Log Formatting.

schema: Nginx.Access
parser:
    fastmatch:
        match:
            - '%{remoteAddr} - %{remoteUser} [%{time}] "%{request}" %{status} %{bodyBytesSent} "%{httpReferer}" "%{httpUserAgent}"'
        emptyValues:
            - '-'
description: Access Logs for your Nginx server. We currently support Nginx 'combined' format.
referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
fields:
    - name: remoteAddr
      description: The IP address of the client (remote host) which made the request to the server.
      type: string
      indicators:
        - ip
    - name: remoteUser
      description: The userid of the person making the request. Usually empty unless .htaccess has requested authentication.
      type: string
      indicators:
        - username
    - name: time
      required: true
      description: The time that the request was received (UTC).
      type: timestamp
      timeFormats:
        - '%d/%b/%Y:%H:%M:%S %z'
      isEventTime: true
    - name: request
      description: The request line from the client. It includes the HTTP method, the resource requested, and the HTTP protocol.
      type: string
    - name: status
      description: The HTTP status code returned to the client.
      type: smallint
    - name: bodyBytesSent
      description: The size of the object returned to the client, measured in bytes.
      type: bigint
    - name: httpReferer
      description: The HTTP referrer if any.
      type: string
    - name: httpUserAgent
      description: The agent the user used when making the request.
      type: string

Last updated

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated