Collect Nginx Access & Error Logs with Filebeat, Logstash, and Rsyslog
This guide walks through three practical methods for harvesting Nginx access and error logs—directly with Filebeat to Elasticsearch, via Filebeat‑Logstash‑Elasticsearch pipeline, and using Rsyslog to forward logs to Logstash—complete with configuration snippets and visual illustrations.
1. Directly send logs from Filebeat to Elasticsearch
Locate filebeat.yml in the Filebeat installation directory and configure the log file paths and Elasticsearch output.
- type: log
enabled: true
paths:
- /usr/local/nginx/logs/*.logStart Filebeat: ./filebeat -e -c filebeat.yml -d "publish" Verify the logs appear in Elasticsearch (e.g., via the elasticsearch‑head plugin) and are visualized in Kibana.
2. Send logs from Filebeat to Logstash, then to Elasticsearch
Install Logstash and create filebeat-pipeline.conf:
input {
beats {
port => "5044"
}
}
output {
elasticsearch {
hosts => ["172.28.65.24:9200"]
}
stdout { codec => rubydebug }
}Run Logstash:
bin/logstash -f filebeat-pipeline.conf --config.reload.automaticModify filebeat.yml to disable the Elasticsearch output and enable the Logstash output with the correct host and port.
#output.elasticsearch:
# hosts: ["localhost:9200"]
output.logstash:
hosts: ["172.28.65.24:5044"]Start Filebeat again and access the Nginx web service; the logs will flow through Logstash into Elasticsearch and be viewable in Kibana.
3. Forward Nginx logs via Rsyslog to Logstash, then to Elasticsearch
When direct Filebeat installation is not possible, configure Nginx to send logs via syslog:
access_log syslog:server=172.28.65.32:514,facility=local7,tag=nginx_access_log,severity=info;
error_log syslog:server=172.28.65.32:514,facility=local7,tag=nginx_error_log,severity=info;Set up Logstash to receive syslog input:
input {
syslog {
type => "system-syslog"
port => 514
}
}
output {
elasticsearch {
hosts => ["172.28.65.24:9200"]
index => "system-syslog-%{+YYYY.MM}"
}
stdout { codec => rubydebug }
}Start Logstash and verify it listens on port 514. Alternatively, configure Rsyslog on the Nginx host to monitor the log files and forward them:
$ModLoad imfile
$InputFilePollInterval 1
$WorkDirectory /var/spool/rsyslog
$InputFileName /usr/local/nginx/logs/access.log
$InputFileTag nginx-access:
$InputFileStateFile stat-nginx-access
$InputFileSeverity info
$InputRunFileMonitor
$InputFileName /usr/local/nginx/logs/error.log
$InputFileTag nginx-error:
$InputFileStateFile stat-nginx-error
$InputFileSeverity error
*.* @172.28.65.32:514Restart Rsyslog, access the Nginx service, and observe the logs appearing in Logstash’s console and Elasticsearch.
The article demonstrates flexible log‑collection strategies using Filebeat, Logstash, and Rsyslog to ingest Nginx access and error logs into an ELK stack.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.