fbpx
Back Arrow Back to All Integrations

Nginx Web Server

Nginx Web Server

Integrating Nginx Web Server With Blumira

 

Click here for the most updated version of this documentation.

 

Blumira’s modern cloud SIEM platform integrates with Nginx Web Server to detect cybersecurity threats and provide actionable response to remediate when a threat is detected.

 

When configured, the Blumira integration with Nginx will stream security event logs to the Blumira service for automated threat detection and actionable response.

 

Get visibility, detect and respond to threats faster:

 

  • Quickly detect known and suspected threats with Blumira’s cloud-based platform
  • Reduce the noise of false-positive alerts with backend automation and fine-tuned alerting
  • Detect lateral movement across your environment with virtual honeypots
  • Get guided and actionable remediation playbooks for teams without security expertise
  • View easy-to-understand dashboards and security threat reports to help organizations meet compliance requirements

 

See how easy it is to set up Blumira with Nginx Web Servers:

 

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.

 

Free Trial

Set Up Instructions

Integrating with Nginx Web Server

To complete Log Collection for your Nginx Web Server, you must first complete the steps in Integrating with Linux Servers.  After you have completed that procedure, proceed with the steps below.

If you have a special logging configuration for your Nginx Web Server, you may need to tweak the following configuration.  If you need help, you can send your active Nginx configuration to [email protected], and we’ll make sure you get the correct configuration.

Configuring Nginx Web Server Logs

  1. Check your Nginx configuration.
    Note: As mentioned above, the following content expects that you will be logging out to /var/log/nginx/access.log and /var/log/nginx/error.log with appropriate log cycling – the Nginx default. If you have set this up in a different way through your vhosts or site configuration, you can replace the path in the later steps with those details. Generally, for default/not heavily modified configurations we would expect to see something like:

    access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
  2. Ensure the spool exists.
    Note: Rsyslog must spool the data for Nginx into a working directory. Since the previous step should already be complete which uses the same directory, this should not often be an issue.  However, to avoid potential logging failures, run the following command to ensure that the folder defined below exists:

    sudo ls /var/spool/rsyslog

    If you receive a No such file or directory error, run the following command:

    sudo mkdir -v /var/spool/rsyslog
if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then
   sudo chown -R syslog:adm /var/spool/rsyslog
fi
  3. Open or create the new Blumira Apache log configuration file: 
    sudo vim /etc/rsyslog.d/25-nginx.conf

    (Optional) You can also use nano, emacs, or your preferred text editor.  The file must be located at /etc/rsyslog.d/25-nginx.conf.

    Copy and paste the following content into the file:

    # Prep
$ModLoad imfile
$InputFilePollInterval 10 
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# Apache Access File:
$InputFileName /var/log/nginx/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Apache Error File: 
$InputFileName /var/log/nginx/error.log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Tag, Forward to BLUNIX System Logger then Stop
if $programname == 'apache-access' then stop
if $programname == 'apache-error' then stop

    As mentioned above, you can change the paths of the Access and Error file if they are located at a different path on your system.

  4. Restart the rsyslog service to start processing Nginx data via the new configuration. 
    sudo /etc/init.d/rsyslog restart

    or

    sudo service rsyslog restart