NGINX App Protect WAF Logs Overview
An overview of the logs generated by NGINX App Protect WAF.
There are 3 types of logs that App Protect on NGINX generates:
- Security log or Request log: The HTTP requests and how App Protect processed them, including violations and signatures found.
- Operation logs: Events such as startup, shutdown and reconfiguration.
- Debug logs: Technical messages at different levels of severity used to debug and resolve incidents and error behaviors.
In addition, NGINX App Protect WAF can be configured to add additional data to the NGINX access log.
Note that NGINX does not have audit logs in the sense of who did what. Such auditing can be done either from the orchestration system controlling NGINX (such as NGINX Controller) or by tracking the configuration files and the systemd invocations using Linux tools.
App Protect uses its own logging mechanism for request logging rather than NGINX’s access logging mechanism (which is NGINX’s default logging mechanism).
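Log configuration by type:
- Security log
  - Log configuration: app_protect_security_log directive referencing
  - Configuration contexts: nginx.conf: http, server, location
  - File destination: stderr, or an absolute path to a local file are supported
- Operation logs
  - Log configuration: error_log directive, part of core NGINX
  - Configuration contexts: nginx.conf - global
  - File destination: Yes, NGINX error log
  - Syslog destination: Yes, NGINX error log
- Debug logs
  - Log configuration: /etc/app_protect/bd/logger.cfg. Log file name is the redirection in the invocation of the bd command line in the start script
  - Configuration contexts: Global (not part of nginx.conf)
  - File destination: Yes. Log file is in /var/log/app_protect default debug directory. No file rotation currently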
NGINX App Protect WAF supports log rotation. If you already have logrotate running, NGINX App Protect WAF log files will be rotated automatically according to the configuration file described below. To install logrotate:
For distributions that use yum:
sudo yum install logrotate
For Debian / Ubuntu:
sudo apt-get install logrotate
For Alpine:
sudo apk add logrotate
By default the logrotate configuration file included in NGINX App Protect WAF is:
create 644 nginx nginx
- size size - log files are rotated only if they grow larger than size.
- copytruncate - truncate the original log file in place after creating a copy, instead of moving the old log file and creating a new one.
- create mode owner group - the log file is created immediately after rotation with the permissions specified by mode. owner specifies the user name who will own the log file, and group specifies the group the log file will belong to.
- rotate count - log files are rotated count times before being removed.
You can modify the attributes and add directories to rotate in
Normally you would run logrotate periodically using a cron job. For more information about logrotate, refer to the Linux man page.
All logs in the /var/log/app_protect/ folder will be rotated, including the security log, if the file destination is configured to be under this directory.
Example of configuring security log to be under
app_protect_security_log "/opt/app_protect/share/defaults/log_illegal.json" /var/log/app_protect/security.log;
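As an added example (not part of the NGINX App Protect WAF documentation or product), the following Python check lists security log file destinations that sit outside the rotated folder and would therefore grow without rotation. It assumes that only files directly in /var/log/app_protect/ are rotated; the function names and the sample configuration are constructed for illustration.

```python
import posixpath
import re
import shlex

ROTATED_DIR = "/var/log/app_protect"  # folder the page says is rotated
# The required whitespace keeps app_protect_security_log_enable from matching.
DIRECTIVE = re.compile(r"\bapp_protect_security_log\s+([^;]+);")


def security_log_destinations(conf_text):
    """Return the destination argument of every app_protect_security_log."""
    # Drop comments (assumption: no '#' inside quoted arguments).
    body = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    found = []
    for match in DIRECTIVE.finditer(body):
        args = shlex.split(match.group(1))  # handles the quoted JSON path
        if len(args) == 2:
            found.append(args[1])
    return found


def unrotated_file_destinations(conf_text, rotated_dir=ROTATED_DIR):
    """Return local-file destinations that are not directly in rotated_dir."""
    missed = []
    for dest in security_log_destinations(conf_text):
        if not dest.startswith("/"):
            continue  # stderr or another non-file destination
        # normpath resolves '..' so a path cannot merely look like it is inside.
        if posixpath.dirname(posixpath.normpath(dest)) != rotated_dir:
            missed.append(dest)
    return missed


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = '''
http {
    app_protect_security_log_enable on;
    app_protect_security_log "/opt/app_protect/share/defaults/log_illegal.json" /var/log/app_protect/security.log;
    server {
        # app_protect_security_log "/opt/app_protect/share/defaults/log_illegal.json" /tmp/old.log;
        app_protect_security_log "/opt/app_protect/share/defaults/log_illegal.json" stderr;
        location /api {
            app_protect_security_log "/opt/app_protect/share/defaults/log_illegal.json" /var/log/nginx/api_security.log;
        }
    }
}
'''
if __name__ == "__main__":
    print(unrotated_file_destinations(SAMPLE_CONF))
```

Any path the check reports needs either its own logrotate entry or a destination moved into the rotated folder.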
The log rotation policy is provided as a default policy. Users can customize it to suit their needs.
This documentation applies to the following versions of NGINX App Protect WAF: 4.7.