
Collecting Nginx Access and Error Logs with Filebeat, Logstash, and Rsyslog into Elasticsearch

This tutorial demonstrates how to gather Nginx access and error logs using Filebeat, Logstash, and Rsyslog, configure each component, and ship the logs to an Elasticsearch cluster for visualization in Kibana, offering three practical collection methods.

Sohu Tech Products

Nginx is widely used as a web and reverse‑proxy server, and its access and error logs are valuable for behavior and security analysis. The article explains three ways to collect these logs and forward them to an Elasticsearch (ES) cluster for further processing and visualization.

1. Directly using Filebeat to send logs to ES – Edit filebeat.yml to enable the log input, set the paths to /usr/local/nginx/logs/*.log, and configure the Elasticsearch output with the ES hosts. After starting Filebeat, the logs appear in the filebeat‑* index and can be viewed in Kibana.

2. Using Filebeat → Logstash → ES – Install Logstash and create filebeat-pipeline.conf with a Beats input on port 5044 and an Elasticsearch output. Disable the Elasticsearch output in filebeat.yml and enable the Logstash output pointing to the Logstash host. Start Logstash and Filebeat; logs flow through Logstash, allowing preprocessing before reaching ES.

3. Using Rsyslog to forward logs to Logstash and then to ES – When direct Filebeat installation is not possible, configure Nginx to send logs via syslog or configure Rsyslog to monitor the log files. In nginx.conf set access_log syslog:server=172.28.65.32:514,… and similar for error_log. Create a Logstash pipeline (syslog-pipeline.conf) with a syslog input on port 514 and an Elasticsearch output. Restart services; logs are received by Logstash and indexed in ES.
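
Method 2 above, as a shell helper that writes both files (an added example, not the article's own snippets): the host names passed in and the ES port 9200 are assumptions, since the text does not state them. The count_enabled_outputs check is there because Filebeat accepts only one enabled output, so a filebeat.yml with the Elasticsearch output still active will not start.

```shell
#!/bin/sh
# Added example: config files for Filebeat -> Logstash -> ES (method 2).
# Host arguments and port 9200 are assumed placeholders, not from the page.

write_method2_configs() {
    out_dir=$1; logstash_host=$2; es_host=$3
    mkdir -p "$out_dir" || return 1

    # filebeat.yml: log input on the Nginx log path from the article,
    # Elasticsearch output disabled, Logstash output enabled.
    cat > "$out_dir/filebeat.yml" <<EOF
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/local/nginx/logs/*.log

# Method 1 output, disabled for method 2:
#output.elasticsearch:
#  hosts: ["${es_host}:9200"]

output.logstash:
  hosts: ["${logstash_host}:5044"]
EOF

    # filebeat-pipeline.conf: Beats input on port 5044, Elasticsearch output.
    cat > "$out_dir/filebeat-pipeline.conf" <<EOF
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["http://${es_host}:9200"]
  }
}
EOF
}

# Print the number of uncommented top-level output.* sections in a
# filebeat.yml; anything other than 1 means the file needs fixing.
count_enabled_outputs() {
    grep -c '^output\.' "$1" || true
}
```
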

All three approaches are demonstrated with configuration snippets, command lines to start services, and screenshots of Kibana and Elasticsearch‑head showing the ingested logs. The article concludes that the choice of method depends on the deployment scenario and flexibility requirements.
