IBM Cloud Docs

NGINX extension

In IBM® Cloud Logs, you can use the NGINX extension to gain insights into your nginx logs.

Before you begin

With this extension, you can create a dashboard designed to visualize and analyze logs from nginx instances.

When deploying the extension, you will need to select:

  • applicationName: The application name is the environment that produces and sends logs to IBM Cloud Logs.
  • subsystemName: The subsystem name is the service or application that produces and sends logs to IBM Cloud Logs.

What this extension deploys

This extension includes one or more items.

Items included when extension is deployed

Includes            Number
Alerts              8
Dashboards          1
Enrichments         0
Events to metrics   1
Rules               1
Views               0

Before deploying this extension, make sure that deploying the extension will not cause you to exceed limits for your IBM Cloud Logs instance. If deploying the extension results in limits being exceeded, the deployment will fail.

Deploying the extension

You can deploy this extension in any IBM Cloud Logs instance that collects nginx logs. This extension includes a set of pre-configured resources that help you monitor critical metrics, identify anomalies, and optimize your system's performance.

For more information about deploying the extension, see Deploying, managing, and removing IBM Cloud Logs extensions.

After deploying, verify that the extension configuration handles data in a way that matches the TCO configuration of your IBM Cloud Logs instance. Alerts, dashboards, and events to metrics are available for data handled through the Analyze and alert and the Priority insights data pipelines. For example, if you have TCO policies sending data to the Analyze and alert pipeline, you will need to change the dashboard configured by this extension to use Analyze and alert data instead of Priority insights.

Parsing rule

You can use the provided parsing rule to parse and extract log data to prepare for monitoring and analysis.

This extension assumes a certain structure for nginx logs. After deploying this extension, you might need to change the deployed parsing rule. Make sure you keep the same field names for the equivalent text values: for example, client_ip for the client, status_code for the request status, request_uri for the request URL, user_agent for the actual user agent within the request, and so on.

The parsing rule:

  • Parses nginx logs sent as JSON, validating and correcting the format.
  • Parses unstructured nginx logs into JSON format.
  • Extracts the log timestamp into the IBM Cloud Logs JSON timestamp.
  • Extracts the nginx status_code into the IBM Cloud Logs severity.

Dashboards

One dashboard is provided. It shows data about nginx logs, including:

  • Events over time
  • Status
  • Request methods over time
  • Top source IPs
  • Top request methods
  • Top request methods by status

Alerts

You can deploy any of the following alerts:

  • More than usual 4xx responses
  • Slow HTTP Denial of Service attack (DoS): Alerts when a large amount of data is sent slowly in an HTTP POST request.
  • More than usual non-GET/Post requests
  • A new non-browser user-agent detected
  • More than usual 5xx responses
  • High ratio of 5xx responses over 8%
  • High ratio of 4xx responses over 12%
  • NGINX - No logs from NGINX: Alerts if there are no nginx logs in the last 4 hours.

Events to metrics

Events to metrics are configured to extract data from status_code, method, and client_ip.
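
To check offline that your nginx log format yields the field names the parsing rule expects, and to see what the 4xx (12%) and 5xx (8%) ratio alerts measure, the following added example parses sample lines and evaluates both thresholds. It is not the extension's own rule: the nginx "combined" log layout, the function names, and evaluating the ratios over a single batch of lines are assumptions made for illustration.

```python
import json
import re

# Assumed input layout: nginx "combined" access-log format.
COMBINED = re.compile(
    r'(?P<client_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request_uri>\S+) [^"]*" '
    r'(?P<status_code>\d{3}) (?:\d+|-) "[^"]*" "(?P<user_agent>[^"]*)"'
)

def parse_line(line):
    """Return a record using the page's field names, or None if unparseable."""
    line = line.strip()
    try:
        if line.startswith("{"):          # log already sent as JSON
            rec = json.loads(line)
        else:                             # unstructured text line
            rec = COMBINED.match(line).groupdict()
        rec["status_code"] = int(rec["status_code"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return rec

def status_ratios(records):
    """Share of 4xx and 5xx responses among the parsed records."""
    total = len(records) or 1             # avoid dividing by zero on empty input
    count = lambda lo: sum(lo <= r["status_code"] < lo + 100 for r in records)
    return {"4xx": count(400) / total, "5xx": count(500) / total}

def ratio_alerts(lines, max_4xx=0.12, max_5xx=0.08):
    """Names of the ratio thresholds (12% / 8% on the page) that the batch exceeds."""
    ratios = status_ratios([r for r in map(parse_line, lines) if r])
    limits = {"4xx": max_4xx, "5xx": max_5xx}
    return [name for name, limit in limits.items() if ratios[name] > limit]

# Constructed sample data: 16 x 200, 3 x 404, 1 x 502, one JSON record, one junk line.
_LINE = ('203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] '
         '"GET /item/{n} HTTP/1.1" {status} 612 "-" "Mozilla/5.0"')
SAMPLE = [_LINE.format(n=i, status=s)
          for i, s in enumerate([200] * 16 + [404] * 3 + [502])]
SAMPLE.append('{"client_ip": "198.51.100.9", "method": "POST", '
              '"request_uri": "/login", "status_code": "200", "user_agent": "curl/8.5.0"}')
SAMPLE.append("not an access log line")

if __name__ == "__main__":
    print(status_ratios([r for r in map(parse_line, SAMPLE) if r]))
    print(ratio_alerts(SAMPLE))
```

Lines that return None from parse_line are the ones a changed log_format would leave unparsed, so counting them on a sample of your own logs shows whether the deployed rule needs adjusting.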