Skip to main content

Nginx Plus

Thumbnail icon

The Sumo Logic app for Nginx Plus supports logs as well as Metrics for Nginx Plus, which is a web server that can be used as a reverse proxy, load balancer, mail proxy, and HTTP cache.

The Nginx Plus app is a unified logs and metrics app that helps you monitor the availability, performance, health, and resource utilization of your Nginx Plus web servers. Preconfigured dashboards and searches provide insight into server status, location zones, server zones, upstreams, resolvers, visitor locations, visitor access types, traffic patterns, errors, web server operations, and access from known malicious sources.

Log and metrics types

The Sumo Logic app for Nginx Plus assumes the NCSA extended/combined log file format for Access logs and the default Nginx error log file format for error logs.

All Dashboards (except the Error Logs Analysis dashboard) assume the Access log format. The Error Logs Analysis Dashboard assumes both access and error log formats, to correlate information between the two. For more details on Nginx/Nginx Plus logs, see Module ngx_http_log_module.

The Sumo Logic app for Nginx Plus assumes Prometheus format Metrics for Requests and Connections. For Nginx Plus Server metrics, the API Module from Nginx Configuration is used. For more details on Nginx Plus Metrics, see Module ngx_http_api_module.

Sample log messages

Access Log Example
{
	"timestamp":1620821977736,
	"log":"10.244.0.132 - - [12/May/2021:12:19:28 +0000] \"GET //demo-index.html HTTP/1.1\" 200 8777 \"-\" \"curl/7.68.0\"",
	"stream":"stdout",
	"time":"2021-05-12T12:19:28.975861476Z"
}
Error Log Example
{
	"timestamp":1620821977737,
	"log":"2021/05/12 12:19:36 [error] 7#7: *8192 upstream timed out (110: Connection timed out) while connecting to upstream, health check \"\" of peer 44.240.53.50:12345 in upstream \"stream_backend2\"",
	"stream":"stderr",
	"time":"2021-05-12T12:19:36.344706832Z"
}

Sample queries

This sample query is from the Nginx Plus - Overview dashboard > Responses Over Time panel.

_sourceCategory=Labs/Nginx/Logs
| json auto maxdepth 1 nodrop
| if (isEmpty(log), _raw, log) as nginx_log_message
| parse regex field=nginx_log_message "(?<Client_Ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| parse regex field=nginx_log_message "(?<Method>[A-Z]+)\s(?<URL>\S+)\sHTTP/[\d\.]+\"\s(?<Status_Code>\d+)\s(?<Size>[\d-]+)\s\"(?<Referrer>.*?)\"\s\"(?<User_Agent>.+?)\".*"
| where _sourceHost matches "{{Server}}" and Client_Ip matches "{{Client_Ip}}" and Method matches "{{Method}}" and URL matches "{{URL}}" and Status_Code matches "{{Status_Code}}"
| if(Status_Code matches "2*", 1, 0) as Successes
| if(Status_Code matches "3*", 1, 0) as Redirects
| if(status_code matches "4*", 1, 0) as Client_Errors
| if(Status_Code matches "5*", 1, 0) as Server_Errors
| timeslice by 5m
| sum(Successes) as Successes, sum(Client_Errors) as Client_Errors,  sum(Redirects) as Redirects, sum(Server_Errors) as Server_Errors by _timeslice
| sort by _timeslice asc

Collecting logs and metrics for Nginx Plus

This section provides instructions for configuring log and metric collection for the Sumo Logic app for Nginx Plus. Sumo Logic supports a collection of logs and metrics data from Nginx Plus in both Kubernetes and non-Kubernetes environments. Click on the appropriate links below based on the environment where your Nginx Plus servers are hosted.

For Kubernetes environments

In Kubernetes environments, we use the Telegraf Operator, which is packaged with our Kubernetes collection. You can learn more about it here. The diagram below illustrates how data is collected from Nginx Plus in Kubernetes environments. In the architecture shown below, there are four services that make up the metric collection pipeline: Telegraf, Telegraf Operator, Prometheus, and Sumo Logic Distribution for OpenTelemetry Collector.

Web servers

The first service in the pipeline is Telegraf. Telegraf collects metrics from Nginx Plus. Note that we’re running Telegraf in each pod we want to collect metrics from as a sidecar deployment: i.e. Telegraf runs in the same pod as the containers it monitors. Telegraf uses the Nginx Plus input plugin to obtain metrics. For simplicity, the diagram doesn’t show the input plugins. The injection of the Telegraf sidecar container is done by the Telegraf Operator. Prometheus pulls metrics from Telegraf and sends them to Sumo Logic Distribution for OpenTelemetry Collector, which enriches metadata and sends metrics to Sumo Logic.

In the logs pipeline, Sumo Logic Distribution for OpenTelemetry Collector collects logs written to standard out and forwards them to another instance of Sumo Logic Distribution for OpenTelemetry Collector, which enriches metadata and sends logs to Sumo Logic.

Collect logs for Nginx Plus in Kubernetes environment

The Nginx Plus app supports the default access logs and error logs format.

  1. Before you can configure Sumo Logic to ingest logs, you must configure the logging of errors and processed requests in both Nginx Open Source and Nginx Plus. For instructions, refer to the Configuring Logging documentation.
  2. Use the Sumologic-Kubernetes-Collection, to send the logs to Sumologic. For more information, visit.
  3. Identifying the log's metadata: For example, to get Logs data from the pod, you can use the following source _sourceCategory = "kubernetes/default/nginx" where kubernetes is Cluster name, default is Namespace, nginx is application.
  4. To get log data from Nginx Pods - all nginx logs must be redirected to standard output “stdout” and standard error “stderr”.

Collect metrics for Nginx Plus in Kubernetes environment

The Nginx Plus app supports the metrics for Nginx Plus.

The following steps assume you are collecting Nginx Plus metrics from a Kubernetes environment. In Kubernetes environments, we use the Telegraf Operator, which is packaged with our Kubernetes collection. You can learn more about this here.

  1. Before you can configure Sumo Logic to ingest metrics, you must enable the API module to expose metrics in NGINX Plus.
  2. Set up Kubernetes Collection with the Telegraf Operator.
  3. On your Nginx Plus Pods, add the following annotations to configure Telegraf. 
    annotations:
         telegraf.influxdata.com/inputs: |+
         [[inputs.nginx_plus_api]]
            urls = ["http://localhost:8080/api"]
            response_timeout = "5s"
            api_version = 6
         telegraf.influxdata.com/class: sumologic-prometheus
         prometheus.io/scrape: "true"
         prometheus.io/port: "9273"
  • telegraf.influxdata.com/inputs. This contains the required configuration for the Telegraf Nginx Plus Input plugin. Please refer to this doc for more information on configuring the Nginx input plugin for Telegraf. Note since telegraf will be run as a sidecar the host should always be localhost
  • telegraf.influxdata.com/class: sumologic-prometheus. This instructs the Telegraf operator what output to use. This should not be changed.
  • prometheus.io/scrape: "true". This ensures our Prometheus will scrape the metrics.
  • prometheus.io/port: "9273". This tells Prometheus what ports to scrape on. This should not be changed.

Installing the Nginx Plus app

This section has instructions for installing the Sumo app for Nginx Plus. The instructions assume you have already set up the collection as described above.

To install the app, do the following:

note

Next-Gen App: To install or update the app, you must be an account administrator or a user with Manage Apps, Manage Monitors, Manage Fields, Manage Metric Rules, and Manage Collectors capabilities depending upon the different content types part of the app.

  1. Select App Catalog.
  2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
  3. Click Install App.
    note

    Sometimes this button says Add Integration.

  4. Click Next in the Setup Data section.
  5. In the Configure section of your respective app, complete the following fields.
    1. Field Name. If you already have collectors and sources set up, select the configured metadata field name (eg _sourcecategory) or specify other custom metadata (eg: _collector) along with its metadata Field Value.
    2. Is K8S deployment involved. Specify if resources being monitored are partially or fully deployed on Kubernetes (K8s)
  6. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query received since the panel was created. Results will not immediately be available but will be updated with full graphs and charts over time.

Viewing Nginx Plus dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
  • Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Overview

The Nginx Plus - Overview dashboard provides an at-a-glance view of the Nginx Plus server access locations, error logs, and connection metrics.

Use this dashboard to:

  • Gain insights into originated traffic location by region. This can help you allocate computer resources to different regions according to their needs.
  • Gain insights into your Nginx health using Critical Errors and Status of Nginx Server.
  • Get insights into Active and dropped connections.
Nginx-Plus-Overview

Error Logs Analysis

The Nginx Plus - Error Logs Analysis dashboard provides a high-level view of log level breakdowns, comparisons, and trends. The panels also show the geographic locations of clients and clients with critical messages, new connections, and outliers, client requests, request trends, and request outliers.

Use this dashboard to:

  • Track requests from clients. A request is a message asking for a resource, such as a page or an image.
  • Track and view client geographic locations generating errors.
  • Track critical alerts and emergency error alerts.
Nginx-Plus-Error-Logs-Analysis

Logs Timeline Analysis

The Nginx Plus - Logs Timeline Analysis dashboard provides a high-level view of the activity and health of Nginx servers on your network. Dashboard panels display visual graphs and detailed information on traffic volume and distribution, responses over time, as well as time comparisons for visitor locations and server hits.

Use this dashboard to:

  • Understand the traffic distribution across servers, and provide insights for resource planning by analyzing data volume and bytes served.
  • Gain insights into originated traffic location by region. This can help you allocate compute resources to different regions according to their needs.
tk

Outlier Analysis

The Nginx Plus - Outlier Analysis dashboard provides a high-level view of Nginx server outlier metrics for bytes served, number of visitors, and server errors. You can select the time interval over which outliers are aggregated, then hover the cursor over the graph to display detailed information for that point in time.

Use this dashboard to:

  • Detects outliers in your infrastructure with Sumo Logic’s machine learning algorithm.
  • To identify outliers in incoming traffic and the number of errors encountered by your servers.

You can use schedule searches to send alerts to yourself whenever there is an outlier detected by Sumo Logic.

tk

Threat Intel

The Nginx Plus - Threat Intel dashboard provides an at-a-glance view of threats to Nginx servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.

Use this dashboard to:

  • To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic threat intelligence.
tk

Web Server Operations

The Nginx Plus - Web Server Operations dashboard provides a high-level view combined with detailed information on the top ten bots, geographic locations, and data for clients with high error rates, server errors over time, and non 200 response code status codes. Dashboard panels also show information on server error logs, error log levels, error responses by a server, and the top URIs responsible for 404 responses.

Use this dashboard to:

  • Gain insights into Client and Server Responses on the Nginx Server. This helps you identify errors in the Nginx Server.
  • To identify geolocations of all Client errors. This helps you identify client locations causing errors and helps you to block client IPs.
tk

Visitor Access Types

The Nginx Plus - Visitor Access Types dashboard provides insights into visitor platform types, browsers, and operating systems, as well as the most popular mobile devices, PC and Mac versions used.

Use this dashboard to:

  • Understand which platform and browsers are used to gain access to your infrastructure. These insights can be useful for planning in which browsers, platforms, and operating systems (OS) should be supported by different software services.
tk

Viitor Locations

The Nginx Plus - Visitor Locations dashboard provides a high-level view of Nginx visitor geographic locations both worldwide and in the United States. Dashboard panels also show graphic trends for visits by country over time and visits by US region over time.

Use this dashboard to:

  • Gain insights into the geographic locations of your user base. This is useful for resource planning in different regions across the globe.
tk

Visitor Traffic Insight

The Nginx Plus - Visitor Traffic Insight dashboard provides detailed information on the top documents accessed, top referrers, top search terms from popular search engines, and the media types served.

Use this dashboard to:

  • To understand the type of content that is frequently requested by users.
  • It helps in allocating IT resources according to the content types.
tk

Caches

The Nginx Plus - Caches dashboard provides insight into cache states, cache hit rate, and cache disk usage over time.

Use this dashboard to:

  • Gain information about the number of caches used, how many of them are in an active (hot) state and what is the hit rate of the cache.
  • Gain information about how much disk space is used for cache.
tk

HTTP Location Zones

The Nginx Plus - HTTP Location Zones dashboard provides detailed statistics on the frontend performance, showing traffic speed, responses/requests count, and various error responses.

Use this dashboard to:

  • Gain information about Location HTTP zones traffic: received and sent; speed, requires/responses amount, discarded traffic.
  • Gain information about Location HTTP zones error responses: percentage of responses by the server, percentage of each type of error responses.
tk

HTTP Server Zones

The Nginx Plus - HTTP Server Zones dashboard provides detailed statistics on the frontend performance, showing traffic speed, responses/requests count, and various error responses.

Use this dashboard to:

  • Gain information about Server HTTP zones traffic: received and sent; speed, requires/responses amount, discarded traffic.
  • Gain information about Server HTTP zones error responses: percentage of responses by server, percentage of each type of error response.
tk

HTTP Upstreams

The Nginx Plus - HTTP Upstreams dashboard provides information about each upstream group for HTTP and HTTPS traffic, showing the number of HTTP upstreams, servers, backup servers, error responses, and health monitoring.

Use this dashboard to:

  • Gain information about HTTP upstreams, servers, and backup servers.
  • Gain information about HTTP upstream traffic: received and sent; speed, requires/responses amount, downtime, and response time.
  • Gain information about HTTP upstream error responses: percentage of responses by the server, percentage of each type of error response.
  • Gain information about HTTP upstream health monitoring.
tk

Resolvers

The Nginx Plus - Resolvers dashboard provides DNS server statistics of requests and responses per each DNS status zone.

Use this dashboard to:

  • Gain information about the total number of zones, responses, and request speed.
  • Gain information about error responses by each type of error.
tk

TCP/UDP Upstreams

The Nginx Plus - TCP/UDP Upstreams dashboard provides information about each upstream group for TCP and UDP traffic, showing the number of TCP and UDP upstreams, servers, backup servers, error responses, and health monitoring.

Use this dashboard to:

  • Gain information about TCP and UDP upstreams, servers, and backup servers.
  • Gain information about TCP and UDP upstream traffic: received and sent; speed, requests/responses amount, downtime, and response time.
  • Gain information about TCP and UDP upstream error responses: percentage of responses by the server, percentage of each type of error response.
  • Gain information about TCP and UDP upstream health monitoring.
tk

TCP/UDP Zones

The Nginx Plus - TCP/UDP Zones dashboard provides TCP and UDP status zones with charts for connection limiting.

Use this dashboard to:

  • Gain information about TCP and UDP traffic: received and sent; speed, requires/responses amount, discarded traffic.
  • Gain information about TCP and UDP error responses: percentage of responses by the server, percentage of each type of error response.
tk

Create monitors for Nginx Plus app

From your App Catalog:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. Make sure the app is installed.
  4. Navigate to What's Included tab and scroll down to the Monitors section.
  5. Click Create next to the pre-configured monitors. In the create monitors window, adjust the trigger conditions and notifications settings based on your requirements.
  6. Scroll down to Monitor Details.
  7. Under Location click on New Folder.
    note

    By default, monitor will be saved in the root folder. So to make the maintenance easier, create a new folder in the location of your choice.

  8. Enter Folder Name. Folder Description is optional.
    tip

    Using app version in the folder name will be helpful to determine the versioning for future updates.

  9. Click Create. Once the folder is created, click on Save.

Nginx Plus alerts

Here are the alerts available for Nginx Plus (click to expand).
NameDescriptionAlert ConditionRecover Condition
Nginx Plus - Dropped ConnectionsThis alert fires when we detect dropped connections for a given Nginx Plus server.> 0< = 0
Nginx Plus - Critical Error MessagesThis alert fires when we detect critical error messages for a given Nginx Plus server.> 0< = 0
Nginx Plus - Access from Highly Malicious SourcesThis alert fires when a Nginx Plus is accessed from highly malicious IP addresses.> 0< = 0
Nginx Plus - High Client (HTTP 4xx) Error RateThis alert fires when there are too many HTTP requests (>5%) with a response status of 4xx.> 0< = 0
Nginx Plus - High Server (HTTP 5xx) Error RateThis alert fires when there are too many HTTP requests (>5%) with a response status of 5xx.> 0< = 0
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2025 by Sumo Logic, Inc.