How to Collect Nginx Access & Error Logs with Filebeat, Logstash, and Rsyslog
Learn step‑by‑step how to gather Nginx access and error logs using Filebeat, Logstash, and rsyslog, configure each component to forward logs to Elasticsearch, visualize them in Kibana, and choose the most suitable pipeline for flexible log preprocessing and storage.
Because Nginx is widely used as an HTTP and reverse‑proxy server, its access and error logs are valuable for user‑behavior and security analysis. This article demonstrates several practical ways to collect those logs and ship them to Elasticsearch for further processing.
1. Directly collect Nginx logs to Elasticsearch with Filebeat
Configure filebeat.yml to read the log files and output them to ES.
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /usr/local/nginx/logs/*.log
    #- c:\programdata\elasticsearch\logs\*
Start Filebeat:
./filebeat -e -c filebeat.yml -d "publish"
After Filebeat runs, the logs appear in Elasticsearch and can be visualized in Kibana.
2. Use Filebeat → Logstash → Elasticsearch
Insert Logstash between Filebeat and Elasticsearch to enable preprocessing.
input {
  beats {
    port => "5044"
  }
}
output {
  elasticsearch { hosts => ["172.28.65.24:9200"] }
  stdout { codec => rubydebug }
}
Start Logstash with automatic config reload:
bin/logstash -f filebeat-pipeline.conf --config.reload.automatic
Adjust filebeat.yml to send data to Logstash instead of ES.
3. Directly collect logs via rsyslog → Logstash → Elasticsearch
When the target server cannot install Filebeat, forward Nginx logs through syslog.
Configure Nginx to send logs via syslog:
access_log syslog:server=172.28.65.32:514,facility=local7,tag=nginx_access_log,severity=info;
error_log syslog:server=172.28.65.32:514,facility=local7,tag=nginx_error_log,severity=info;
Logstash syslog pipeline:
input {
  syslog {
    type => "system-syslog"
    port => 514
  }
}
output {
  elasticsearch {
    hosts => ["172.28.65.24:9200"]
    index => "system-syslog-%{+YYYY.MM}"
  }
  stdout { codec => rubydebug }
}
Start Logstash:
bin/logstash -f syslog-pipeline.conf --config.reload.automatic
Alternatively, use rsyslog on the Nginx host to read the log files and forward them:
$ModLoad imfile
$InputFilePollInterval 1
$WorkDirectory /var/spool/rsyslog
$PrivDropToGroup adm
# Nginx access log
$InputFileName /usr/local/nginx/logs/access.log
$InputFileTag nginx-access:
$InputFileStateFile stat-nginx-access
$InputFileSeverity info
$InputFilePersistStateInterval 25000
$InputRunFileMonitor
# Nginx error log
$InputFileName /usr/local/nginx/logs/error.log
$InputFileTag nginx-error:
$InputFileStateFile stat-nginx-error
$InputFileSeverity error
$InputFilePersistStateInterval 25000
$InputRunFileMonitor
*.* @172.28.65:514
Restart rsyslog:
systemctl restart rsyslog
After the services are running, accessing the Nginx web page (e.g., http://172.28.65.32/) shows the corresponding logs in both the Logstash console and Elasticsearch, where they can be inspected via Kibana or the Elasticsearch‑head plugin.
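To check what the syslog path in section 3 actually delivers before trusting the index, the following added example (not part of the original article) decodes datagrams framed the way the Nginx access_log/error_log syslog directives above produce them and splits access lines into fields. It assumes Nginx's default combined log format; the function name parse_datagram and all sample lines are constructed for illustration.

```python
import re

# RFC 3164 framing as nginx emits it: <PRI>timestamp host tag: message
SYSLOG = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)
# nginx default "combined" access format (assumed; a custom log_format needs its own pattern)
ACCESS = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+) "([^"]*)" "([^"]*)"$')
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_datagram(line):
    """Return a dict for one syslog datagram, or None if the framing is invalid."""
    m = SYSLOG.match(line)
    if not m or int(m.group(1)) > 191:      # PRI = facility * 8 + severity, max 23 * 8 + 7
        return None
    pri = int(m.group(1))
    event = {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
             "host": m.group(3), "tag": m.group(4), "message": m.group(5)}
    if event["tag"] != "nginx_access_log":
        return event                         # error log lines stay unparsed text
    a = ACCESS.match(event["message"])
    if not a:
        event["parse_failure"] = True        # keep the raw line instead of dropping it
        return event
    event.update(client=a.group(1), user=a.group(2), request=a.group(4),
                 status=int(a.group(5)), bytes=int(a.group(6)), agent=a.group(8))
    parts = a.group(4).split(" ")
    # Non-HTTP traffic (e.g. a TLS handshake sent to port 80) has no method/path/version triple.
    event["method"], event["path"] = (parts[0], parts[1]) if len(parts) == 3 else (None, None)
    return event

# Constructed sample datagrams; host name, addresses and requests are made up.
SAMPLES = [
    '<190>Mar  4 10:15:02 web01 nginx_access_log: 203.0.113.7 - - [04/Mar/2024:10:15:02 +0000] '
    '"GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0.1"',
    r'<190>Mar  4 10:15:05 web01 nginx_access_log: 198.51.100.9 - - [04/Mar/2024:10:15:05 +0000] '
    r'"\x16\x03\x01" 400 157 "-" "-"',
    '<190>Mar  4 10:15:09 web01 nginx_error_log: 2024/03/04 10:15:09 [error] 1234#0: *7 '
    'open() "/usr/local/nginx/html/missing.html" failed (2: No such file or directory)',
    'not a syslog line',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_datagram(s))
```

The PRI value 190 is facility local7 (23) times 8 plus severity info (6), so a different number on the wire means the sender is not using the directives shown above.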
In summary, depending on the environment you can choose a direct Filebeat‑to‑ES pipeline, a Filebeat‑Logstash‑ES pipeline for richer preprocessing, or an rsyslog‑Logstash‑ES pipeline when Filebeat cannot be installed.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
