NGINX LOGS – Full Guide 2020:
Monitoring, Analyzing and Troubleshooting Your NGINX Logs
+ Bonus: How you can gain these crucial insights in minutes?
XpoLog Product Marketing Staff
Abstract
Life is about making choices: Coke or Pepsi? Beatles or Stones? Mac or PC?
In the world of web servers, the choice used to be between open-source Apache and Microsoft’s IIS.
Back in 2004, when everybody had lost interest in the World Wide Web, an upstart web server appeared out of nowhere.
Now, just over fifteen years later, NGINX has been rapidly rising in popularity and currently has 30.8% of the web server market compared to Apache’s 44.1%.
This has led many to speculate that NGINX has a good chance of stealing Apache’s crown and becoming the dominant web platform.
NGINX may be faster and more powerful than its competitors. However, no matter its advantages over Apache (or its lesser-known rivals), it requires care and feeding to get the most out of it.
In this article, we explain how the log files generated by the NGINX web server are an important factor in keeping your web sites and apps running 24/7.
tl;dr: We will show you how to effectively use NGINX logs to monitor, troubleshoot, protect, and fix your web server.
We will also show you how you can gain crucial insights in minutes, using XpoLog.
Can’t wait? Want to see NGINX insights now?
XpoLog collects & parses Nginx logs automatically, and offers you ready-to-use dashboards and reports, monitors, automated problem detection and much more!
What is NGINX?
A Web Server is a backend application that receives requests and responds by sending back data or files.
These requests are sent by web browsers or other applications using the Hypertext Transfer Protocol (HTTP), and the web server responds using the same protocol to return data in a range of formats, including text, XML, JSON, JPG, PNG, and various video formats.
Since the early days of the web, Apache was the dominant web server, so why is everybody suddenly switching to NGINX, especially since both platforms do an excellent job of serving static web content, such as HTML, CSS, and JS?
In fact, the main difference between these two platforms is not what they do, but how they do it, and how fast they get it done.
A key factor in NGINX’s popularity is its non-threaded, event-driven architecture which means that it can manage a high number of requests with a single process asynchronously.
Pro Tip: Apart from being a lot faster and less resource-hungry than its competition, NGINX also provides a number of built-in features, such as load balancing, HTTP caching, and a reverse proxy, features for which other web servers require external modules.
NGINX Logs – Logging Basics
Despite their internal differences, NGINX and Apache operate in almost the same way.
When it comes to logging, both provide similar features, so it is hard to discuss NGINX without mentioning Apache.
Like Apache, by default, NGINX provides two types of logs: an NGINX access log and an NGINX error log.
** Learn more about Apache error logs and Apache access logs analysis and monitoring.
NGINX access logs
As its name suggests, the access log collects data relating to external parties, such as web browsers or other types of software trying to access your web server.
Specifically, this log records incoming HTTP requests and the status of the server’s response.
Note: This makes it an important resource for analyzing site traffic, and trying to locate potential attempts to breach your site’s security.
NGINX’s error logs
The NGINX error log is where NGINX records the errors that occurred as it tried to respond to incoming requests.
Note: These can include bugs in web-based software, broken links, or missing files.
Pro Tip: We have composed a list of NGINX errors with error number, message and meaning. You will also find how NGINX maps error logging.
When it comes to storing logged data, NGINX’s default logging paths point to the same relative system path under the installation directory:
- For Unix and Linux systems this is: logs/error.log.
- For Windows-based installations this is: logs/error.log.
If necessary, you can specify an alternative location by modifying NGINX’s configuration file.
Another similarity between Apache and NGINX is the way they store logged data, so by default NGINX supports the Common Log Format as defined in RFC 3164.
The Common Log format defines a label/nickname and associates it.
NGINX also supports the Combined Log Format.
This format is based on the Common Log Format, and combines it with the header of the HTTP access request.
NGINX lets you store log data as JSON.
In addition to storing data in files, NGINX also provides a REST API that lets you query the current state of the web server and build tools to display this information.
NGINX Logs – Logging in Depth
Before we explore how to use log files, we need to discuss the best way to extract data from them.
As with other web servers, such as Apache, NGINX’s access and error logs can give us valuable insights into the usage and functioning of an NGINX hosted website or application.
While the text-based formats that NGINX supports collect extremely valuable data, NGINX can generate enormous amounts of data when it is functioning normally.
When one or more problems occur, the volume can escalate to the point where it is overwhelming.
This situation makes finding important indicators a daunting process.
When it comes to reading log files, a lot of us start by opening logs in a basic text editor, but many editors may have a hard time dealing with large log files.
A common approach to reading log files, especially on Linux/Unix based systems, is to take advantage of the operating system’s command-line tools, such as GREP and AWK.
Another approach is to use scripting languages, such as BASH or Powershell to parse log files.
One of the differences between NGINX and other web servers, is that NGINX is available in both free, open-source and commercial, supported versions.
NGINX Access Logs: Analyzing Activity
NGINX Access Logs give us detailed information about external requests to access our web sites.
Using the log, we can retrieve data related to:
- The remote client (IP, DNS),
- The identity of the user who made the request,
- The HTTP status code of the request,
- The date and time the request was made (timestamp).
In addition to this information, the NGINX access log gives us detailed information from the user agent that made the request.
This tells us about the application, usually browser, that sent the request, as well as information relating to the host device, such as its operating system.
Bottom line: All this information can be aggregated to reveal much about your site’s users and traffic.
The following example shows a machine requesting data from NGINX.
66.264.464.265 - - [12/Aug/2018:00:19:44 +0000] "GET /info.php HTTP/1.1" 200 24564 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
66.264.464.265 - - [12/Aug/2018:00:19:47 +0000] "GET /favicon.ico HTTP/1.1" 404 209
You can use this information for a variety of purposes:
- For a start, you can use this data to find the location and source from which server requests originated.
- The recorded logging data can indicate suspicious and malicious behavior that originated from an individual user.
- It can also indicate an attack from hackers, criminals, or other parties: requests that originate from multiple random sources could be a sign that your site is being subjected to a distributed denial of service (DDoS) attack.
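As an added example (not from the original article, NGINX, or XpoLog), the following Python code parses access log lines in the format shown above, including lines that end after the byte count like the second sample, and flags clients whose requests mostly end in 4xx responses. The sample lines, the function names, and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format; referer and user agent are optional (see the lead-in).
ACCESS_RE = re.compile(
    r'(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$')

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = '''\
192.0.2.10 - - [12/Aug/2018:00:19:44 +0000] "GET /info.php HTTP/1.1" 200 24564 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Aug/2018:00:19:47 +0000] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.7 - - [12/Aug/2018:00:20:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/7.58.0"
198.51.100.7 - - [12/Aug/2018:00:20:01 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "curl/7.58.0"
198.51.100.7 - - [12/Aug/2018:00:20:02 +0000] "GET /login HTTP/1.1" 403 162 "-" "curl/7.58.0"
this line is not an access log entry
'''

def parse_access_line(line):
    """Return a dict of fields, or None when the line does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def summarize(text):
    """Per-client request and 4xx counts, plus the number of unparsed lines."""
    stats = defaultdict(lambda: {"requests": 0, "client_errors": 0})
    unparsed = 0
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            unparsed += 1
            continue
        stats[rec["ip"]]["requests"] += 1
        if 400 <= rec["status"] < 500:
            stats[rec["ip"]]["client_errors"] += 1
    return dict(stats), unparsed

def noisy_clients(stats, min_requests=3, min_error_ratio=0.5):
    """Clients at or above the assumed request and 4xx-ratio thresholds."""
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= min_requests
                  and s["client_errors"] / s["requests"] >= min_error_ratio)

print(noisy_clients(summarize(SAMPLE)[0]))
```

Counting unparsed lines separately matters in practice: a sudden rise in lines that do not match the expected format usually means the log format changed or the file is corrupted, and per-client totals would otherwise be silently low.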
NGINX Error Logs – Troubleshooting Common Issues
As we mentioned earlier, NGINX’s error logs let you locate and resolve web server related issues.
The error log reports errors that relate to configuration, execution, files, permissions, proxies, and session caching.
You can use this information to detect specific low level errors, or to diagnose system-wide problems.
The following example shows a problem with a request sent to NGINX.
2017/07/24 11:29:45 [notice] 22118#22118: using inherited sockets from "6;7;"
NGINX Error Logs > /var/log/nginx/error.log
Reported errors can indicate if a client was denied access to a URL or file because it did not conform to configuration file parameters.
They can also indicate that a proxy agent tried to access the server using an invalid URL, and whether a file a client tried to access actually exists or was unavailable.
Use this information for:
- You can use error logs to detect and fix low-level, operational problems, such as whether NGINX is running, whether the NGINX ports are open and listening for requests, or whether the correct file and directory permissions are set.
- You can also use NGINX error logs to detect more complex problems, such as upstream errors which result from connection and configuration issues.
- You can also use them to diagnose 502 bad gateway errors that indicate operational issues with the NGINX host or related software problems.
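As an added example (not from the original article, NGINX, or XpoLog), the following Python code parses error log lines in the format shown above, groups entries of severity error and higher into the problem classes just listed, and counts which upstream address the upstream errors point at. The sample lines are constructed, and the category labels and function names are assumptions.

```python
import re
from collections import Counter

# Error log line: timestamp, [level], pid#tid:, optional *connection-id, message.
ERROR_RE = re.compile(
    r'(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<cid>\d+) )?(?P<message>.*)$')
UPSTREAM_RE = re.compile(r'upstream: "([^"]*)"')
# Assumed category labels; the first matching message fragment wins.
CATEGORIES = [("upstream", "upstream"),
              ("permission", "(13: Permission denied)"),
              ("missing_file", "(2: No such file or directory)")]

# Constructed sample lines, not taken from a real server.
SAMPLE = '''\
2017/07/24 11:29:45 [notice] 22118#22118: using inherited sockets from "6;7;"
2017/07/24 11:30:02 [error] 22120#22120: *14 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "example.test"
2017/07/24 11:30:05 [error] 22120#22120: *15 open() "/srv/www/private/report.html" failed (13: Permission denied), client: 192.0.2.10, server: localhost, request: "GET /private/report.html HTTP/1.1", host: "example.test"
2017/07/24 11:30:09 [error] 22120#22120: *16 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.11, server: localhost, request: "GET /api/items HTTP/1.1", upstream: "http://127.0.0.1:8080/api/items", host: "example.test"
2017/07/24 11:30:40 [error] 22120#22120: *17 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.11, server: localhost, request: "GET /api/items HTTP/1.1", upstream: "http://127.0.0.1:8080/api/items", host: "example.test"
'''

def parse_error_line(line):
    """Return a dict of fields, or None when the line does not match."""
    m = ERROR_RE.match(line)
    return m.groupdict() if m else None

def classify(message):
    """Map an error message to one of the assumed category labels."""
    for label, needle in CATEGORIES:
        if needle in message:
            return label
    return "other"

def summarize_errors(text, levels=("error", "crit", "alert", "emerg")):
    """Count categories and failing upstreams for the given severity levels."""
    counts, upstreams = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_error_line(line)
        if rec is None or rec["level"] not in levels:
            continue
        label = classify(rec["message"])
        counts[label] += 1
        m = UPSTREAM_RE.search(rec["message"])
        if label == "upstream" and m:
            upstreams[m.group(1)] += 1
    return counts, upstreams

print(summarize_errors(SAMPLE))
```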
How to Use the NGINX Dashboards?
NGINX’s commercial version, called NGINX Plus offers a dashboard and a range of monitoring tools.
Alternatively, you can use a log management tool such as XpoLog to automatically collect, manage, and analyze the data of your NGINX log files (or any other log).
See how easy it is – download free now.
For demonstration purposes, NGINX has provided this live demo page.
The dashboard home page gives you an overview of your NGINX installation.
Each tab includes cards and links that show a high level view of specific components.
Clicking Server Zones opens a page that monitors frontend performance.
The page shows how each server is performing in its specific HTTP context.
The Upstream page displays HTTP and HTTPS traffic for each monitored server.
On this page, each server group is displayed in a table that shows the performance of each server in the group.
The table has columns with request, response, connection, traffic, and server health information.
Pro Tip: Although NGINX monitors TCP and UDP streams, it separates this data from the collected HTTP data and displays this information in different tabs. However, the information displayed in these pages is exactly the same as the HTTP pages.
The TCP/UDP zones page displays data for the load balancers managing the streams.
The TCP/UDP page displays data for servers that communicate via the TCP/UDP protocols, such as Postgres databases.
The dashboard provides two additional pages.
The Caches page displays a list of data caches that are stored in memory or on disk.
The Shared zones page shows memory page information (total, and used) and the proportion of web server resources used to handle each client application and entity.
NGINX Plus – Good, But Not Good Enough
As useful as log files are, you will often need additional information, methods to understand it, and recommendations for what to do with it.
Like other web servers, NGINX generates vast amounts of data that make it difficult to see a specific problem or detect patterns that indicate larger problems.
The NGINX Plus set of dashboards are a good place to start, but they only show you a very limited amount of information.
To really see what NGINX is doing you need a system that can ingest both static log files and real time monitoring data.
You also need a system that can aggregate and analyse your log data, show you what’s happening at the lowest possible levels and across your entire system.
This is where XpoLog, a fully automated log management tool, comes in handy.
XpoLog provides a full logging service that is simple, out-of-the-box, and powerful.
- XpoLog is designed to record log data in real-time, store the collected data, and ensure that you can detect both immediate and long term problems.
- It takes your existing log files and live streaming data to show you the current status of your NGINX servers.
- In addition, it analyzes the data and visualizes it with an NGINX designated log analysis app.
- It contains a log monitoring system and a powerful AI-based log analysis engine, to detect possible problems and threats in advance.
Getting the Whole Picture Out of Your NGINX Logs, in Minutes.
Due to cloud computing, virtualization, and containers it is easy to spin up any type of server almost instantly.
This means you could easily be running hundreds or thousands of web server instances and managing multiple NGINX servers.
A view that shows you everything happening now, as well as a summary of what has been happening over the previous day, week, or month is something that is crucial in order to get things done.
From this high-level view, you can drill down into specific lower-level dashboards to display what is happening in specific areas of your system.
The Overview dashboard lets you choose the servers from which to visualize data, the resources, such as static files or dynamic scripts, and many other types of information.
The overview includes a summary of Status Codes Trends for all major HTTP status codes monitored by NGINX.
It also includes important measurements, such as traffic, active users, and server errors. These high level errors are color coded to indicate their current status.
In addition it provides high-level visualizations that not only show you what is happening, but where it’s happening.
This is important because in today’s world, data resides in multiple locations, so seeing what is happening and where is an important part of monitoring your NGINX web servers.
XpoLog includes a high level view of current NGINX server activity.
The Overview dashboard also visualizes other important data, such as HTTP Status code distribution, and user data.
The Overview dashboard is completely configurable, so you can decide what widgets to include, the time periods to analyze, and the organization and layout of the dashboard.
NGINX Logs Investigation – Made Easy
XpoLog is a great, highly advanced, and simple tool for monitoring your NGINX server and for analyzing and visualizing your log data (view our log analysis apps marketplace, which comes built in with XpoLog).
It is also a great tool to aggregate data from multiple sources (we’ll talk about it in the next paragraph).
Log Viewer and Log Search Capabilities
Sometimes to truly understand what your NGINX servers are doing, you need to view log data.
XpoLog not only presents high-level graphical views, but also provides tools for viewing and analyzing log files.
This means that you can view and analyze any log files recorded by XpoLog.
Often, finding this type of data is like finding a needle in a haystack.
The good news is that XpoLog’s advanced search tools let you write search terms and advanced queries that let you find what you are looking for quickly and easily.
All your searches are saved to XpoLog’s search history and you can save and label your searches.
Each search not only returns the logged data, but also provides analytics that show what is happening over the period of your search. The log search tool lets you select specific sources from which to display and analyze data.
It also lets you isolate specific error types, and when they occurred.
Clicking on the graph shows you exactly what is happening at that moment.
NGINX Logs Insights with XpoLog Analytics Tool
XpoLog’s Analytics tool aggregates data from multiple sources.
This gives a longer term historical view that shows the bigger picture.
The top of the page shows what is happening in different areas of your system.
By default, the page plots the types of issues experienced by the monitored systems. The page can also be split to display metrics, such as CPU and memory usage.
XpoLog can also combine data to display a single summary of the entire system.
The page not only displays graphs, but also includes a summary of logged data and statistics to show the events, errors, and related data.
At the bottom of the page is a list of the most severe problems recorded by XpoLog.
Everything you Need in One Place
When it comes to monitoring NGINX or any other parts of your software and hardware platforms, XpoLog has you covered.
In fact, XpoLog does so much that it’s hard to cover it all in the space available.
XpoLog can also show performance, server, user statistics and much more.
No matter what Apache data you need to monitor, XpoLog can capture it and present it. To find out more, contact XpoLog today.