Enable Logging (Deprecated)

Learn how to enable and configure logging

Warning:
This is no longer the recommended way to enable and export NGINX logs. To learn more about the recommended way, see Enable NGINX Logs.

Overview

NGINXaaS for Azure supports exporting error and access logs to an Azure Storage account or sending logs to a syslog server using error_log and access_log directives.

Setting Up Error Logs

By default, the error log in NGINXaaS for Azure is located at the path /var/log/nginx/error.log and logs messages with severity error and above. This can be overridden to use a preferred filename and severity level. For instance, to log error logs to /var/log/nginx/nginx-error.log with a severity level of emerg, the directive in the NGINX config can be specified as:

error_log /var/log/nginx/nginx-error.log emerg;

To disable error logs completely, the directive should be configured as:

error_log /dev/null;

To learn more about how to specify error_log in different configuration levels and their effect, see error_log.

Setting Up Access Logs

NGINX access logs are disabled by default. You can enable access logs by adding access_log directives to your NGINX configuration to specify the location of the logs and formats.

http {
    log_format myfmt '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" "$gzip_ratio"';

    access_log /var/log/nginx/nginx-access.log myfmt;
    ...
}

Note:
Include the date and time in each log line so that logs can be ordered after they are exported. The $time_local variable provides an easy way to include this in the log format that is used.

To explicitly disable access logs, the following config can be applied:

http {
    access_log off;
}

or

http {
    access_log /dev/null;
}

To learn more about how to specify access_log in different configuration levels and their effect, see access_log.

Warning:
When not using syslog, the configured path for NGINX logs has to be within /var/log/nginx. If the log directives are configured to log to other file path locations, they will not be scraped, leading to a loss of log data.

Logging to syslog

NGINXaaS for Azure allows configuring log directives with the syslog: prefix, where the server can be a domain name or an IP address. For more information about how to configure the error_log and access_log directives for syslog, see Logging to syslog.

Note:
Since the log traffic sent to syslog is unencrypted, it is strongly recommended that the syslog server be in the same VNet as the NGINXaaS for Azure deployment, or in a VNet that is peered with the deployment's VNet.

Logging to Azure Storage

Pre-requisites

  • An Azure storage account container. Ensure that the storage account is in the same region as the NGINX Deployment resource.

    • Storage account firewall should remain in the default “disabled” state.
  • A user-assigned or a system-assigned identity. Ensure that the identity has Storage Blob Data Contributor access to the storage container.

  • User must be an owner or user access administrator for the NGINX deployment resource.

Enable Logging to Azure Storage

  1. Go to your NGINXaaS for Azure deployment.

  2. Select NGINX logs in the left menu.

  3. Enable Send to a storage account.

  4. Enter the details on the form, including the Subscription, Storage Account, and Container.

  5. Select the Save button.

Each exported log will be written in the specified storage container with the following format: <nginx-log-path>/YYYY/MM/DD/HH/<counter>.log

Attribute          Description
<nginx-log-path>   The path of the logs as configured while setting up error_log and access_log directives.
YYYY               The four-digit year when the log batch was generated.
MM                 The two-digit month when the log batch was generated.
DD                 The two-digit day when the log batch was generated.
HH                 The two-digit hour value that indicates the starting hour for the log batch, in 24-hour UTC format.
<counter>          A four-digit counter that indicates the number of blobs generated for NGINX in the given hour time period.

Note:
It can take up to 30 seconds after enabling or updating the logging support with the storage information for logs to appear in the provided Azure Storage container.
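
The blob naming scheme above, together with the earlier recommendation to put $time_local in the log format, is what lets exported logs be rebuilt into one timeline. The following is an added example, not code from the NGINXaaS documentation: it parses blob names and merges the blobs of one log file into timestamp order. The blob names (including the absence of a leading slash), the function names and the log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

BLOB = re.compile(
    r"^(?P<path>.+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<h>\d{2})/(?P<n>\d{4})\.log$")
TIME_LOCAL = re.compile(r"\[(\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def parse_blob_name(name: str):
    """Split '<nginx-log-path>/YYYY/MM/DD/HH/<counter>.log' into (path, hour_utc, counter)."""
    m = BLOB.match(name)
    if not m:
        raise ValueError(f"not an exported log blob: {name!r}")
    hour = datetime(int(m["y"]), int(m["m"]), int(m["d"]), int(m["h"]), tzinfo=timezone.utc)
    return m["path"], hour, int(m["n"])

def timeline(blobs: dict[str, str], log_path: str) -> list[str]:
    """Merge all blobs of one log file into a single list ordered by $time_local."""
    keyed = []
    for name, body in blobs.items():
        path, hour, counter = parse_blob_name(name)
        if path != log_path:
            continue
        for pos, line in enumerate(body.splitlines()):
            m = TIME_LOCAL.search(line)
            # Lines without a timestamp fall back to the blob's hour bucket.
            ts = datetime.strptime(m[1], "%d/%b/%Y:%H:%M:%S %z") if m else hour
            # $time_local has one-second resolution; ties keep blob and line order.
            keyed.append((ts, hour, counter, pos, line))
    return [entry[-1] for entry in sorted(keyed)]

# Constructed sample: blob names and log lines are made up, in the page's myfmt format.
SAMPLE = {
    "var/log/nginx/nginx-access.log/2024/05/01/14/0001.log":
        '203.0.113.7 - - [01/May/2024:14:00:02 +0000] "GET /b HTTP/1.1" 200 12 "-" "curl" "-"\n'
        '203.0.113.7 - - [01/May/2024:14:00:01 +0000] "GET /a HTTP/1.1" 200 12 "-" "curl" "-"\n',
    "var/log/nginx/nginx-access.log/2024/05/01/13/0002.log":
        '198.51.100.9 - - [01/May/2024:13:59:59 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl" "-"\n',
    "var/log/nginx/nginx-error.log/2024/05/01/13/0001.log":
        "2024/05/01 13:59:58 [emerg] 1#1: constructed error line\n",
}

if __name__ == "__main__":
    for line in timeline(SAMPLE, "var/log/nginx/nginx-access.log"):
        print(line)
```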

Disable Logging to Azure Storage

  1. Go to your NGINXaaS for Azure deployment.

  2. Select NGINX logs in the left menu.

  3. Uncheck Send to a storage account.

  4. Select the Save button.

Limitations

  1. The gzip parameter for the access_log directive is not supported, and uploading a config with this parameter will cause an error.
  2. Logging error_log to a cyclic memory buffer using the memory: prefix is not allowed and will cause a config upload error.
  3. Exporting logs to a syslog server with a Unix-domain socket path is not allowed and will cause a config upload error.
  4. Egress Networking charges apply for traffic sent from the NGINX deployment to a syslog server present in a different VNet.
  5. Logs exported to Azure Blob Storage are stored in blobs based on the hour bucket of the day in which they are generated. However, there is no guarantee of strict ordering of log lines within a given blob. For access_log directives, if a newly defined log_format is used, it is strongly recommended to include the timestamp as part of the log format to identify and order logs after exporting them.
  6. Ingesting logs into Log Analytics from Azure Blob Storage directly is not supported. For more information on ingesting logs into Log Analytics manually using the Azure Logs Ingestion API, see the Logs Ingestion API in Azure Monitor documentation.
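
Limitations 1 to 3 and the earlier warning about /var/log/nginx can be checked before a configuration is uploaded, so that a rejected upload or silently missing logs are caught in review. The following is an added example, not part of the NGINXaaS tooling: a small linter for error_log and access_log directives. It assumes one directive per line; the function name and the sample configuration are constructed for illustration.

```python
import posixpath
import re

LOG_DIR = "/var/log/nginx/"  # only files under this directory are scraped
DIRECTIVE = re.compile(r"^[ \t]*(error_log|access_log)\s+([^;]+);", re.MULTILINE)

def lint_log_directives(config: str) -> list[str]:
    """Return one finding per rule a log directive breaks (one directive per line)."""
    findings = []
    for m in DIRECTIVE.finditer(config):
        name, args = m.group(1), m.group(2).split()
        target, params = args[0], args[1:]
        where = f"line {config.count(chr(10), 0, m.start()) + 1}: {name} {target}"
        # The explicit "disable" forms shown on the page are not file paths.
        disabled = target == "/dev/null" or (name == "access_log" and target == "off")
        if target.startswith("syslog:"):
            if "server=unix:" in target:
                findings.append(f"{where}: syslog over a Unix-domain socket is rejected")
        elif name == "error_log" and target.startswith("memory:"):
            findings.append(f"{where}: memory: buffer is rejected")
        elif not disabled and not posixpath.normpath(target).startswith(LOG_DIR):
            # normpath collapses ../ so a path cannot merely look like it is in LOG_DIR
            findings.append(f"{where}: outside /var/log/nginx, will not be exported")
        if name == "access_log" and any(p == "gzip" or p.startswith("gzip=") for p in params):
            findings.append(f"{where}: gzip parameter is rejected")
    return findings

# Constructed sample configuration (paths and the syslog address are made up).
SAMPLE = """\
error_log memory:32m debug;
error_log /var/log/nginx/nginx-error.log emerg;
http {
    access_log /var/log/nginx/nginx-access.log myfmt;
    access_log /var/log/app/access.log myfmt gzip;
    access_log syslog:server=unix:/dev/log myfmt;
    access_log syslog:server=10.0.0.5:514 myfmt;
}
"""

if __name__ == "__main__":
    for finding in lint_log_directives(SAMPLE):
        print(finding)
```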