Nginx - Classic Collector
Nginx is a web server used as a reverse proxy, load balancer, mail proxy, and HTTP cache. The Sumo Logic app for Nginx helps you monitor activity in Nginx. The preconfigured dashboards provide information about site visitors, including the location of visitors, devices/operating systems, and browsers used, and information about server activity, including bots, observed, and error information.
This app is tested with the following Nginx versions:
- Kubernetes environments: Nginx version 1.21.4
- Non-Kubernetes environments: Nginx version 1.19.8
Learn to set up NGINX for non-Kubernetes Sources.
Collecting logs for the Nginx app​
This section provides instructions for configuring log and metric collection for the Sumo Logic app for Nginx. The following tasks are required:
Step 1: Configure Fields in Sumo Logic​
Create the following fields in Sumo Logic prior to configuring the collection. This ensures that your logs and metrics are tagged with relevant metadata, which is required by the app dashboards. For information on setting up fields, see Sumo Logic Fields.
- Kubernetes environments
- Non-Kubernetes environments
If you're using Nginx in a Kubernetes environment, create the fields:
pod_labels_component
pod_labels_environment
pod_labels_webserver_system
pod_labels_webserver_farm
If you're using Nginx in a non-Kubernetes environment, create the fields:
component
environment
webserver_system
webserver_farm
pod
Step 2: Configure Nginx Logs and Metrics Collection​
Sumo Logic supports the collection of logs and metrics data from Nginx in both Kubernetes and non-Kubernetes environments. Please click on the appropriate links below based on the environment where your Nginx farms are hosted.
- Kubernetes environments
- Non-Kubernetes environments
In Kubernetes environments, we use the Telegraf Operator, which is packaged with our Kubernetes collection. You can learn more about it here. The diagram below illustrates how data is collected from Nginx in Kubernetes environments. In the architecture shown below, there are four services that make up the metric collection pipeline: Telegraf, Telegraf Operator, Prometheus, and Sumo Logic Distribution for OpenTelemetry Collector.
The first service in the pipeline is Telegraf. Telegraf collects metrics from Nginx. Note that we’re running Telegraf in each pod we want to collect metrics from as a sidecar deployment: i.e. Telegraf runs in the same pod as the containers it monitors. Telegraf uses the Nginx input plugin to obtain metrics. For simplicity, the diagram doesn’t show the input plugins. The injection of the Telegraf sidecar container is done by the Telegraf Operator. Prometheus pulls metrics from Telegraf and sends them to Sumo Logic Distribution for OpenTelemetry Collector, which enriches metadata and sends metrics to Sumo Logic.
In the logs pipeline, Sumo Logic Distribution for OpenTelemetry Collector collects logs written to standard out and forwards them to another instance of Sumo Logic Distribution for OpenTelemetry Collector, which enriches metadata and sends logs to Sumo Logic.
It’s assumed that you are using the latest helm chart version. If not, upgrade using the instructions here.
Configure Metrics Collection​
This section explains the steps to collect Nginx metrics from a Kubernetes environment.
In Kubernetes environments, we use the Telegraf Operator, which is packaged with our Kubernetes collection. You can learn more about this here. Follow the steps listed below to collect metrics from a Kubernetes environment:
- Set up Kubernetes Collection with the Telegraf Operator.
- On your Nginx Pods, add the following annotations:
annotations:
telegraf.influxdata.com/class: sumologic-prometheus
prometheus.io/scrape: "true"
prometheus.io/port: "9273"
telegraf.influxdata.com/inputs: |+
[[inputs.nginx]]
urls = ["http://IP_TO_BE_CHANGED/nginx_status"]
response_timeout = "5s"
[inputs.nginx.tags]
environment="<env_TO_BE_CHANGED>"
component="webserver"
webserver_system="nginx"
webserver_farm="<nginx_TO_BE_CHANGED>"--If you haven’t defined a farm in Nginx, then enter `default` for `webserver_farm`.
Enter in values for the following parameters (marked CHANGEME
in the snippet above):
telegraf.influxdata.com/inputs
. This contains the required configuration for the Telegraf Nginx Input plugin. Please refer to this doc for more information on configuring the Nginx input plugin for Telegraf. Note: As telegraf will be run as a sidecar the host should always be localhost.- In the input plugins section, that is
[[inputs.nginx]]
:urls
- An array of Nginx stub_status URI to gather stats. This can be a comma-separated list to connect to multiple Nginx servers. Please see this doc for more information on additional parameters for configuring the Nginx input plugin for Telegraf.
- In the tags section,
[inputs.nginx.tags]
environment
. This is the deployment environment where the Nginx farm identified by the value ofservers
resides. For example: dev, prod or qa. While this value is optional we highly recommend setting it.webserver_farm
- Enter a name to identify this Nginx farm. This farm name will be shown in the Sumo Logic dashboards.
- In the input plugins section, that is
Modifying these values will cause the Sumo Logic apps to not function correctly.
telegraf.influxdata.com/class: sumologic-prometheus
. This instructs the Telegraf operator what output to use. This should not be changed.prometheus.io/scrape: "true"
. This ensures our Prometheus will scrape the metrics.prometheus.io/port: "9273"
. This tells prometheus what ports to scrape on. This should not be changed.telegraf.influxdata.com/inputs
- In the tags section, that is
[inputs.nginx.tags]
component: “webserver�
: This value is used by Sumo Logic apps to identify application components.webserver_system: “nginx�
: This value identifies the webserver system.
- In the tags section, that is
For all other parameters, see this doc for more parameters that can be configured in the Telegraf agent globally.
- Sumo Logic Kubernetes collection will automatically start collecting metrics from the pods having the labels and annotations defined in the previous step.
- Verify metrics in Sumo Logic.
Configure Logs Collection​
This section explains the steps to collect Nginx logs from a Kubernetes environment.
-
(Recommended Method) Add labels on your Nginx pods to capture logs from standard output. Make sure that the logs from Nginx are sent to stdout. Follow the instructions below to capture Nginx logs from stdout on Kubernetes.
- Apply following labels to the Nginx pod.
labels:
environment="prod_CHANGEME"
component="webserver"
webserver_system="nginx"
webserver_farm="<farm_CHANGEME>"- Enter in values for the following parameters (marked
CHANGE_ME
above):
environment
. This is the deployment environment where the Nginx farm identified by the value ofservers
resides. For example:- dev, prod, or QA. While this value is optional we highly recommend setting it.Webserver_farm
- Enter a name to identify this Nginx farm. This farm name will be shown in the Sumo Logic dashboards. If you haven’t defined a farm in Nginx, then enterdefault
forwebserver_farm
.
Do not modify these valuesModifying these values will cause the Sumo Logic apps to not function correctly.
component “webserver�
- This value is used by Sumo Logic apps to identify application components.webserver_system: “nginx�
- This value identifies the database system.
For all other parameters, see this doc for more parameters that can be configured in the Telegraf agent globally.
- The Sumologic-Kubernetes-Collection will automatically capture the logs from stdout and will send the logs to Sumologic. For more information on deploying Sumologic-Kubernetes-Collection, visit here.
- Verify logs in Sumo Logic.
-
(Optional) Collecting Nginx Logs from a Log File. Follow the steps below to capture Nginx logs from a log file on Kubernetes.
- Determine the location of the Nginx log file on Kubernetes. This can be determined from the nginx.conf for your nginx farm along with the mounts on the Nginx pods.
- Install the Sumo Logic tailing sidecar operator.
- Add the following annotation in addition to the existing annotations.
annotations:
tailing-sidecar: sidecarconfig;<mount>:<path_of_nginx_log_file>/<Nginx_log_file_name>Example:
annotations:
tailing-sidecar: sidecarconfig;data:/var/log/nginx/error.log- Make sure that the Nginx pods are running and annotations are applied by using the command:
kubectl describe pod <nginx_pod_name>
- Sumo Logic Kubernetes collection will automatically start collecting logs from the pods having the annotations defined above.
- Verify logs in Sumo Logic.
-
Add an FER to normalize the fields in Kubernetes environments. Labels created in Kubernetes environments automatically are prefixed with pod_labels. To normalize these for our app to work, we need to create a Field Extraction Rule if not already created for Proxy Application Components. To do so:
- Classic UI. In the main Sumo Logic menu, select Manage Data > Logs > Field Extraction Rules.
New UI. In the top menu select Configuration, and then under Logs select Field Extraction Rules. You can also click the Go To... menu at the top of the screen and select Field Extraction Rules. - Click the + Add button on the top right of the table.
- The Add Field Extraction Rule form will appear.
- Enter the following options:
- Rule Name. Enter the name as App Observability - Webserver.
- Applied At. Choose Ingest Time.
- Scope. Select Specific Data.
- Scope: Enter the following keyword search expression.
pod_labels_environment=* pod_labels_component=webserver pod_labels_webserver_farm=* pod_labels_webserver_system=*
- Parse Expression. Enter the following parse expression.
if (!isEmpty(pod_labels_environment), pod_labels_environment, "") as environment
| pod_labels_component as component
| pod_labels_webserver_system as webserver_system
| pod_labels_webserver_farm as webserver_farm- Click Save to create the rule.
- Classic UI. In the main Sumo Logic menu, select Manage Data > Logs > Field Extraction Rules.
Sumo Logic uses the Telegraf operator for Nginx metric collection and the Installed Collector for collecting Nginx logs. The diagram below illustrates the components of the Nginx collection in a non-Kubernetes environment.
Telegraf uses the Nginx input plugin to obtain Nginx metrics and the Sumo Logic output plugin to send the metrics to Sumo Logic. Logs from Nginx are collected by a Local File Source.
The process to set up collection for Nginx data is done through the following steps.
Configure Logs Collection​
Nginx app supports the default access logs and error logs format.
- Configure logging in Nginx. Before you can configure Sumo Logic to ingest logs, you must configure the logging of errors and processed requests in NGINX Open Source and NGINX Plus. For instructions, refer to the following documentation
- Configure an Installed Collector. If you have not already done so, install and configure an installed collector for Windows by following the documentation.
- Configure a Collector Use one of the following Sumo Logic Collector options:
- To collect logs directly from the Nginx machine, configure an Installed Collector.
- If you're using a service like Fluentd, or you would like to upload your logs manually, Create a Hosted Collector.
- Configure a local file source. Choose a method:
For an Installed Collector
To collect logs directly from your Nginx machine, use an Installed Collector and a Local File Source.
- Add a Local File Source.
- Configure the Local File Source fields as follows:
- Name. (Required)
- Description. (Optional)
- File Path (Required). Enter the path to your error.log or access.log. The files are typically located in /var/log/nginx/error.log. If you're using a customized path, check the nginx.conf file for this information. If you're using Passenger, you may have instructed Passenger to log to a specific log using the passenger_log_file option.
- Source Host. Sumo Logic uses the hostname assigned by the OS unless you enter a different hostname.
- Source Category. Enter any string to tag the output collected from this Source, such as Nginx/Access or Nginx/Error. (The Source Category metadata field is a fundamental building block to organize and label Sources. For details, see Best Practices.)
- Fields. Add the following fields, as shown in the screenshot below.
component = webserver
webserver_system = nginx
webserver_farm = <Your_nginx_farm_Name> #Use Default if you do not have one.
environment = <Your_Environment_Name> #i.e., Dev, QA, or Prod - Configure the Advanced section:
- Enable Timestamp Parsing. Select Extract timestamp information from log file entries.
- Time Zone. Automatically detect.
- Timestamp Format. The timestamp format is automatically detected.
- Encoding. Select UTF-8 (Default).
- Enable Multiline Processing.
- Error logs. Select Detect messages spanning multiple lines and Infer Boundaries - Detect message boundaries automatically.
- Access logs. These are single-line logs, uncheck Detect messages spanning multiple lines.
- Click Save.
For a Hosted Collector
If you're using a service like Fluentd, or you would like to upload your logs manually, use a Hosted Collector and an HTTP Source.
- Add an HTTP Source.
- Configure the HTTP Source fields as follows:
- Name. (Required)
- Description. (Optional)
- Source Host. Sumo Logic uses the hostname assigned by the OS unless you enter a different hostname.
- Source Category. Enter any string to tag the output collected from this Source, such as Nginx/Access or Nginx/Error. (The Source Category metadata field is a fundamental building block to organize and label Sources. For details, see Best Practices.)
- Configure the Advanced section:
- Enable Timestamp Parsing. Select Extract timestamp information from log file entries.
- Time Zone. For Access logs, use the time zone from the log file. For Error logs, make sure to select the correct time zone.
- Timestamp Format. The timestamp format is automatically detected.
- Enable Multiline Processing.
- Error logs: Select Detect messages spanning multiple lines and Infer Boundaries - Detect message boundaries automatically.
- Access logs: These are single-line logs, uncheck Detect messages spanning multiple lines.
- Click Save.
- When the URL associated with the HTTP Source is displayed, copy the URL so you can add it to the service you are using, such as Fluentd.
Configure Metrics Collection​
Set up a Sumo Logic HTTP Source​
- Configure a Hosted Collector for Metrics. To create a new Sumo Logic hosted collector, perform the steps in the Create a Hosted Collector documentation.
- Configure an HTTP Logs & Metrics source:
- On the created Hosted Collector on the Collection Management screen, select Add Source.
- Select HTTP Logs & Metrics.
- Name. (Required). Enter a name for the source.
- Description. (Optional).
- Source Category (Recommended). Be sure to follow the Best Practices for Source Categories. A recommended Source Category may be Prod/Webserver/Nginx/Metrics.
- Select Save.
- Take note of the URL provided once you click Save. You can retrieve it again by selecting the Show URL next to the source on the Collection Management screen.
Set up Telegraf​
- Install Telegraf if you haven’t already. Use the following steps to install Telegraf.
- Configure and start Telegraf.
- As part of collecting metrics data from Telegraf, we will use the nginx input plugin to get data from Telegraf and the Sumo Logic output plugin to send data to Sumo Logic.
Create or modify telegraf.conf
and copy and paste the text below:
[[inputs.nginx]]
urls = ["http://IP_TO_BE_CHANGED/nginx_status"]
response_timeout = "5s"
[inputs.nginx.tags]
environment="env_TO_BE_CHANGED"
component="webserver"
webserver_system="nginx"
webserver_farm="<nginx_TO_BE_CHANGED>"
[[outputs.sumologic]]
url = "<URL_from_HTTP_Logs_and_Metrics_Source>"
data_format = "prometheus"
Enter values for fields annotated with <VALUE_TO_BE_CHANGED>
to the appropriate values. Do not include the brackets (< >
) in your final configuration
- Input plugins section, which is
[[inputs.nginx]]
:urls
- An array of Nginx stub_status URI to gather stats. For more information on additional parameters to configure the Nginx input plugin for Telegraf see this doc.
- In the tags section, which is
[inputs.nginx.tags]
:environment
. This is the deployment environment where the Nginx farm identified by the value of servers resides. For example; dev, prod, or QA. While this value is optional we highly recommend setting it.webserver_farm
- Enter a name to identify this Nginx farm. This farm name will be shown in our dashboards.
- In the output plugins section, which is
[[outputs.sumologic]]
:URL
- This is the HTTP source URL created previously. See this doc for more information on additional parameters for configuring the Sumo Logic Telegraf output plugin.
Here’s an explanation for additional values set by this Telegraf configuration.
If you haven’t defined a farm in Nginx, then enter default
for webserver_farm
.
There are additional values set by the Telegraf configuration. We recommend not to modify these values as they might cause the Sumo Logic app to not function correctly.
data_format: “prometheus�
. In the output[[outputs.sumologic]]
plugins section. Metrics are sent in the Prometheus format to Sumo Logic.Component - “webserver�
- In the input[[inputs.nginx]]
plugins section. This value is used by Sumo Logic apps to identify application components.webserver_system - “nginx�
- In the input plugins sections. This value identifies the webserver system.
See this doc for all other parameters that can be configured in the Telegraf agent globally.
After you have finalized your telegraf.conf
file, you can start or reload the telegraf service using instructions from this doc.
At this point, Telegraf should start collecting the Nginx metrics and forward them to the Sumo Logic HTTP Source.
Installing Nginx Monitors​
- To install these alerts, you need to have the Manage Monitors role capability.
- Alerts can be installed by either importing a JSON file or a Terraform script.
To view the full list, see Nginx. There are limits to how many alerts can be enabled - see the Alerts FAQ for detail.
Method A: Importing a JSON file​
- Download the JSON file that describes the monitors.
- This JSON file contains the alerts that are based on Sumo Logic searches that do not have any scope filters and therefore will be applicable to all Nginx farms, the data for which has been collected via the instructions in the previous sections. However, if you would like to restrict these alerts to specific farms or environments, update the JSON file by replacing the text
webserver_system=nginx
with<Your Custom Filter>
. Custom filter examples:- For alerts applicable only to a specific farm, your custom filter would be
webserver_farm=nginx-standalone.01
. - For alerts applicable to all farms that start with nginx-standalone, your custom filter would be
webserver_system=nginx-standalone*
. - For alerts applicable to a specific farm within a production environment, your custom filter would be,
webserver_farm=nginx-1
andenvironment=standalone
. This assumes you have set the optional environment tag while configuring collection.
- For alerts applicable only to a specific farm, your custom filter would be
- Classic UI. In the main Sumo Logic menu, select Manage Data > Monitoring > Monitors.
New UI. In the main Sumo Logic menu, select Alerts > Monitors. You can also click the Go To... menu at the top of the screen and select Monitors. - Click Add.
- Click Import and then copy-paste the above JSON to import monitors.
The monitors are disabled by default. Once you have installed the alerts using this method, navigate to the Nginx folder under Monitors to configure them. See the Monitors document to enable monitors to send notifications to teams or connections. See the instructions detailed in Step 4 of this document.
Method B: Using a Terraform script​
- Generate a Sumo Logic access key and ID Generate an access key and access ID for a user that has the Manage Monitors role capability in Sumo Logic using instructions in Access Keys. Identify which deployment your Sumo Logic account is in, using this link.
- Download and install Terraform 0.13 or later
- Download the Sumo Logic Terraform package for Nginx alerts The alerts package is available in the Sumo Logic GitHub repository. You can either download it through the “git clone� command or as a zip file.
- Alert Configuration After the package has been extracted, navigate to the package directory
terraform-sumologic-sumo-logic-monitor/monitor_packages/Nginx/
.- Edit the nginx.auto.tfvars file and add the Sumo Logic Access Key, Access Id and Deployment from Step 1.
access_id = "<SUMOLOGIC ACCESS ID>" \
access_key = "<SUMOLOGIC ACCESS KEY>" \
environment = "<SUMOLOGIC DEPLOYMENT>"- The Terraform script installs the alerts without any scope filters, if you would like to restrict the alerts to specific farms or environments, update the variable
nginx_data_source
. Custom filter examples: - A specific farm
webserver_farm=nginx.standalone.01
. - All farms in an environment
environment=standalone
. - For alerts applicable to all farms that start with
nginx-standalone
, your custom filter would bewebserver_farm=nginx-standalone*
. - For alerts applicable to a specific farm within a production environment, your custom filter would be
webserver_system=nginx-1
andenvironment=standalone
(This assumes you have set the optional environment tag while configuring collection). All monitors are disabled by default on installation, if you would like to enable all the monitors, set the parameter monitors_disabled to false in this file.
By default, the monitors are configured in a monitor folder called “Nginx�, if you would like to change the name of the folder, update the monitor folder name in “folder� key at nginx.auto.tfvars
file.
- If you would like the alerts to send email or connection notifications, configure the file nginx_notifications.auto.tfvars and populate
connection_notifications
andemail_notifications
as per below examples.
connection_notifications = [
{
connection_type = "PagerDuty",
connection_id = "<CONNECTION_ID>",
payload_override = "{\"service_key\": \"your_pagerduty_api_integration_key\",\"event_type\": \"trigger\",\"description\": \"Alert: Triggered {{TriggerType}} for Monitor {{Name}}\",\"client\": \"Sumo Logic\",\"client_url\": \"{{QueryUrl}}\"}",
run_for_trigger_types = ["Critical", "ResolvedCritical"]
},
{
connection_type = "Webhook",
connection_id = "<CONNECTION_ID>",
payload_override = "",
run_for_trigger_types = ["Critical", "ResolvedCritical"]
}
]
Replace <CONNECTION_ID>
with the connection id of the webhook connection. The webhook connection id can be retrieved by calling the Monitors API.
For overriding payload for different connection types, refer to this document.
email_notifications = [
{
connection_type = "Email",
recipients = ["abc@example.com"],
subject = "Monitor Alert: {{TriggerType}} on {{Name}}",
time_zone = "PST",
message_body = "Triggered {{TriggerType}} Alert on {{Name}}: {{QueryURL}}",
run_for_trigger_types = ["Critical", "ResolvedCritical"]
}
]
- Install the Alerts
- Navigate to the package directory terraform-sumologic-sumo-logic-monitor/monitor_packages/Nginx/ and run
terraform init.
This will initialize Terraform and will download the required components. - Run
terraform plan
to view the monitors which will be created/modified by Terraform. - Run
terraform apply
.
- Navigate to the package directory terraform-sumologic-sumo-logic-monitor/monitor_packages/Nginx/ and run
- Post Installation If you haven’t enabled alerts and/or configured notifications through the Terraform procedure outlined above, we highly recommend enabling alerts of interest and configuring each enabled alert to send notifications to other users or services. This is detailed in Step 4 of this document.
There are limits to how many alerts can be enabled. See the Alerts FAQ.
Installing the Nginx app​
This section demonstrates how to install the Nginx app.
- From the App Catalog, search for and select the Nginx app.
- Select the version of the service you're using and click Add to Library.
note
Version selection is not available for all apps.
- To install the app, complete the following fields.
- App Name. You can retain the existing name, or enter a name of your choice for the app.
- Data Source. Choose Enter a Custom Data Filter, and enter a custom Nginx farm filter. Examples:
- For all Nginx farms,
webserver_farm=*
. - For a specific farm,
webserver_farm=nginx.dev.01
. - Farms within a specific environment,
webserver_farm=nginx.dev.01
andenvironment=prod
. (This assumes you have set the optional environment tag while configuring collection).
- For all Nginx farms,
- Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
- Click Add to Library.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.
Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.
Viewing Nginx Dashboards​
Template variables provide dynamic dashboards that can rescope data on the fly. As you apply variables to troubleshoot through your dashboard, you view dynamic changes to the data for a quicker resolution to the root cause. You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.
Overview​
The Nginx - Overview dashboard provides an at-a-glance view of the NGINX server access locations, error logs along with connection metrics.
Use this dashboard to:
- Gain insights into originated traffic location by region. This can help you allocate computer resources to different regions according to their needs.
- Gain insights into your Nginx health using Critical Errors and Status of Nginx Server.
- Get insights into Active and dropped connection.
Error Logs​
The Nginx - Error Logs Analysis dashboard provides a high-level view of log level breakdowns, comparisons, and trends. The panels also show the geographic locations of clients and clients with critical messages, new connections and outliers, client requests, request trends, and request outliers.
Use this dashboard to:
- Track requests from clients. A request is a message asking for a resource, such as a page or an image.
- Track and view client geographic locations generating errors.
- Track critical alerts and emergency error alerts.
Trends​
The Nginx - Logs Timeline Analysis dashboard provides a high-level view of the activity and health of Nginx servers on your network. Dashboard panels display visual graphs and detailed information on traffic volume and distribution, responses over time, as well as time comparisons for visitor locations and server hits.
Use this dashboard to:
- To understand the traffic distribution across servers, provide insights for resource planning by analyzing data volume and bytes served.
- Gain insights into originated traffic location by region. This can help you allocate compute resources to different regions according to their needs.
Outlier Analysis​
The Nginx - Outlier Analysis dashboard provides a high-level view of Nginx server outlier metrics for bytes served, number of visitors, and server errors. You can select the time interval over which outliers are aggregated, then hover the cursor over the graph to display detailed information for that point in time.
Use this dashboard to:
- Detect outliers in your infrastructure with Sumo Logic’s machine learning algorithm.
- To identify outliers in incoming traffic and the number of errors encountered by your servers.
You can use schedule searches to send alerts to yourself whenever there is an outlier detected by Sumo Logic.
Threat Intel​
The Nginx - Threat Intel dashboard provides an at-a-glance view of threats to Nginx servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.
Use this dashboard to:
- To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the Sumo - Crowdstrikes threat feed.
Web Server Operations​
The Nginx - Web Server Operations dashboard provides a high-level view combined with detailed information on the top ten bots, geographic locations, and data for clients with high error rates, server errors over time, and non 200 response code status codes. Dashboard panels also show information on server error logs, error log levels, error responses by a server, and the top URIs responsible for 404 responses.
Use this dashboard to:
- Gain insights into Client, Server Responses on Nginx Server. This helps you identify errors in Nginx Server.
- To identify geo-locations of all Client errors. This helps you identify client location causing errors and helps you to block client IPs.
Visitor Access Types​
The Nginx - Visitor Access Types dashboard provides insights into visitor platform types, browsers, and operating systems, as well as the most popular mobile devices, PC and Mac versions used.
Use this dashboard to:
- Understand which platform and browsers are used to gain access to your infrastructure.
- These insights can be useful for planning in which browsers, platforms, and operating systems (OS) should be supported by different software services.
Visitor Locations​
The Nginx - Visitor Locations dashboard provides a high-level view of Nginx visitor geographic locations both worldwide and in the United States. Dashboard panels also show graphic trends for visits by country over time and visits by US region over time.
Use this dashboard to:
- Gain insights into geographic locations of your user base. This is useful for resource planning in different regions across the globe.
Visitor Traffic Insight​
The Nginx - Visitor Traffic Insight dashboard provides detailed information on the top documents accessed, top referrers, top search terms from popular search engines, and the media types served.
Use this dashboard to:
- To understand the type of content that is frequently requested by users.
- It helps in allocating IT resources according to the content types.
Connections and Requests Metrics​
The Nginx - Connections and Requests Metrics dashboard provides insight into active, dropped connections, reading, writing, and waiting requests.
Use this dashboard to:
- Gain information about active and dropped connections. This helps you identify the connection rejected by Nginx Server.
- Gain information about the total requests handled by Nginx Server per second. This helps you understand read, write requests on Nginx Server.
Nginx Alerts​
Sumo Logic has provided out-of-the-box alerts available through Sumo Logic monitors to help you quickly determine if the Nginx server is available and performing as expected. These alerts are built based on logs and metrics datasets and have preset thresholds based on industry best practices and recommendations. They are as follows:
Alert Type (Metrics/Logs) | Alert Name | Alert Description | Trigger Type (Critical / Warning) | Alert Condition | Recover Condition |
---|---|---|---|---|---|
Logs | Nginx - Access from Highly Malicious Sources | This alert fires when an Nginx server is accessed from highly malicious IP addresses. | Critical | > 0 | < = 0 |
Logs | Nginx - High Client (HTTP 4xx) Error Rate | This alert fires when there are too many HTTP requests (>5%) with a response status of 4xx. | Critical | > 0 | 0 |
Logs | Nginx - High Server (HTTP 5xx) Error Rate | This alert fires when there are too many HTTP requests (>5%) with a response status of 5xx. | Critical | > 0 | 0 |
Logs | Nginx - Critical Error Messages | This alert fires when we detect critical error messages for a given Nginx server. | Critical | > 0 | 0 |
Metrics | Nginx - Dropped Connections | This alert fires when we detect dropped connections for a given Nginx server. | Critical | > 0 | 0 |