How to Collect Nginx Access and Error Logs with Filebeat, Logstash, and Rsyslog
This guide demonstrates multiple ways to gather Nginx access and error logs—directly with Filebeat to Elasticsearch, via Filebeat to Logstash then Elasticsearch, and using rsyslog to forward logs to Logstash—providing step‑by‑step configurations, code snippets, and visual illustrations for each method.
1. Directly collect logs with Filebeat to Elasticsearch
Locate filebeat.yml in the Filebeat installation directory and configure the log file paths and Elasticsearch output.

    - type: log
      # Change to true to enable this input configuration.
      enabled: true
      # Paths that should be crawled and fetched. Glob based paths.
      paths:
        - /usr/local/nginx/logs/*.log

Configure the Elasticsearch hosts in the output.elasticsearch section and start Filebeat:

    ./filebeat -e -c filebeat.yml -d "publish"

Use the elasticsearch-head plugin or Kibana to verify that both access.log and error.log have been indexed.
2. Collect logs via Filebeat to Logstash, then to Elasticsearch
Install Logstash and create filebeat-pipeline.conf:

    input {
      beats {
        port => "5044"
      }
    }
    output {
      elasticsearch { hosts => ["172.28.65.24:9200"] }
      stdout { codec => rubydebug }
    }

Start Logstash with automatic config reload:

    bin/logstash -f filebeat-pipeline.conf --config.reload.automatic

Modify filebeat.yml to disable the Elasticsearch output and enable the Logstash output, pointing to the Logstash host and port.
Run Filebeat again and access the Nginx web service (e.g., http://172.28.65.32/). Logstash will display the incoming logs, and the data will appear in Elasticsearch and Kibana.
3. Collect logs via rsyslog to Logstash, then to Elasticsearch
When direct Filebeat installation is not possible, forward Nginx logs using syslog. Configure Nginx to send logs to a syslog server:

    access_log syslog:server=172.28.65.32:514,facility=local7,tag=nginx_access_log,severity=info;
    error_log syslog:server=172.28.65.32:514,facility=local7,tag=nginx_error_log,severity=info;

Create syslog-pipeline.conf for Logstash to receive syslog data:

    input {
      syslog {
        type => "system-syslog"
        port => 514
      }
    }
    output {
      elasticsearch { hosts => ["172.28.65.24:9200"] index => "system-syslog-%{+YYYY.MM}" }
      stdout { codec => rubydebug }
    }

Start Logstash with the configuration and verify that it listens on TCP/UDP port 514.
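To make the effect of facility=local7, severity=info and the tag= values concrete, the following added example (not part of the original article) decodes one datagram of the kind the Nginx directives above send to port 514. The sample datagram is constructed, and the code assumes RFC 3164 framing, Nginx's default "combined" access-log format, and a hypothetical hostname web01.

```python
import re

# Constructed sample: one datagram as nginx would emit it for the
# access_log directive above. <190> = local7 (23) * 8 + info (6).
SAMPLE = ('<190>Mar  4 10:15:02 web01 nginx_access_log: '
          '203.0.113.7 - - [04/Mar/2024:10:15:02 +0800] '
          '"GET /index.html HTTP/1.1" 200 612 "-" "curl/7.61.1"')

FACILITIES = {23: "local7"}  # only the facility this page configures
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# RFC 3164 header: <PRI>Mmm dd HH:MM:SS host tag: message
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[A-Za-z0-9_]+): (?P<msg>.*)$', re.S)

# nginx "combined" access-log format (assumed; the article does not show log_format)
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_datagram(raw):
    """Return syslog and access-log fields as a dict, or None when the
    header is not a valid RFC 3164 header."""
    m = SYSLOG_RE.match(raw)
    if m is None or int(m["pri"]) > 191:  # 191 = 23 * 8 + 7, the largest PRI
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    event = {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "host": m["host"],
        "tag": m["tag"],
        "message": m["msg"],
    }
    # Only access-log events use the combined format; error-log text is
    # left unparsed in "message".
    if m["tag"] == "nginx_access_log":
        fields = COMBINED_RE.match(m["msg"])
        if fields:
            event.update(fields.groupdict())
            event["status"] = int(event["status"])
    return event


if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
```

The tag is the only field that separates access events from error events in the shared system-syslog index, so it is the field to filter or route on.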
Alternatively, configure rsyslog on the log‑collection server to read Nginx log files and forward them to Logstash:

    $IncludeConfig /etc/rsyslog.d/*.conf
    $ModLoad imfile
    $InputFilePollInterval 1
    $WorkDirectory /var/spool/rsyslog
    $PrivDropToGroup adm
    $InputFileName /usr/local/nginx/logs/access.log
    $InputFileTag nginx-access:
    $InputFileStateFile stat-nginx-access
    $InputFileSeverity info
    $InputRunFileMonitor
    $InputFileName /usr/local/nginx/logs/error.log
    $InputFileTag nginx-error:
    $InputFileStateFile stat-nginx-error
    $InputFileSeverity error
    $InputRunFileMonitor
    *.* @172.28.65.32:514

Restart rsyslog and access the Nginx service; Logstash will display the forwarded logs, which are also indexed in Elasticsearch.
All three methods provide flexible ways to ingest Nginx access and error logs into the ELK stack; choose the approach that best fits your environment.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
