How to include specific request header in access.log? - nginx

I am trying to include a request header named My-Key in the access log.
I tried to add it as "$http_My-Key":
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_My-Key" "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$request_time" "$upstream_connect_time" "$upstream_header_time" "$upstream_response_time"';
However, in the access log for that header, I get the value "--Key" logged:
X.X.X.X - - [22/Jul/2020:10:26:18 +0000] "POST /v1/my/app HTTP/1.1" 404 732 "--Key" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" "X.X.X.X" "0.009" "0.004" "0.008" "0.008"
instead of the expected value "my test", which I sent with Postman. Any idea why?
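Added example (not part of the original question): nginx exposes a request header as `$http_` plus the header name in lower case with dashes replaced by underscores, and a variable name in `log_format` ends at the first character that is not a letter, digit or underscore. The sketch below models only those two rules to reproduce the `"--Key"` output; `header_variable` and `render` are hypothetical helper names.

```python
import re

# A variable name in log_format: "$" followed by letters, digits, underscores.
VAR_RE = re.compile(r"\$([A-Za-z0-9_]+)")

def header_variable(header_name):
    """nginx variable that carries the given request header."""
    return "$http_" + header_name.lower().replace("-", "_")

def render(fmt, headers):
    """Expand only the $http_* variables of a log_format string.

    Other variables are left as written. A header that was not sent is
    logged as "-", as in the access log.
    """
    sent = {k.lower().replace("-", "_"): v for k, v in headers.items()}

    def expand(match):
        name = match.group(1).lower()
        if not name.startswith("http_"):
            return match.group(0)
        return sent.get(name[len("http_"):], "-")

    return VAR_RE.sub(expand, fmt)

if __name__ == "__main__":
    request_headers = {"My-Key": "my test"}            # constructed request
    # "$http_My-Key" is read as the variable $http_My plus the literal "-Key".
    print(render('"$http_My-Key"', request_headers))   # as in the question
    print(render('"' + header_variable("My-Key") + '"', request_headers))
```

If My-Key carries a credential, the access log stores it in clear text, so the log file needs the same access control and retention as the secret.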

Related

Change access log time zone in nginx

I am running nginx with default log format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
It prints the access log in following format
1.2.3.4 - - [27/Mar/2021:09:39:43 +0000] "GET /text.txt HTTP/1.1" 200 315 "-" "curl/7.55.1" "-"
However I want the logs to print time in UTC +05:30 which is not the local time of the server. I tried adding env "TZ=Asia/Kolkata"; at the top of nginx.conf but it didn't work. Please suggest how to do this.
Regarding setting timezone in Nginx logs: Works fine; just need to set the "TZ" environment variable for nginx daemon (e.g. in the script that launches it). Or if you're using Docker, set it in the Dockerfile (or in the "environment" in docker-compose.yml file if you're using that).

How to read nginx access.log?

My server is compiled on a docker.
The Nginx container is built from a standard assembly.
I want to read the access.log nginx but I see this kind of content:
172.68.244.173 - - [24/Aug/2018:12:14:04 +0000] "\x16\x03\x01\x00\xEC\x01\x00\x00\xE8\x03\x03\x8A?\xB5\xFA\x17?\x8A\x9B\x04T>yK\x1A\xF6\x8F_\xBE:.\xF9\xED\xF6\xEE\xFCM\xD0\x88Ji\xDD\xF5 \xFF\xBDm\x98#mo:U\xA6\x0E\xB7\x93\x02sm`\xC6\xD1s0vV*\x88y\xDA&\xFCfZ\xF4\x00\x16\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0\x13\x00\x9C\x00/\xC0(\x005\x00" 400 173 "-" "-"
How to read such a log? What does this mean?
According to nginx documentation the default access log format is:
log_format combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
Applied to your log line:
$remote_addr = 172.68.244.173
(literal string for compatibility reasons) = -
$remote_user (from Auth Header) = -
$time_local = [24/Aug/2018:12:14:04 +0000]
$request = "\x16\x03\x01\x00\xEC\x01\x00\x00\xE8\x03\x03\x8A?\xB5\xFA\x17?\x8A\x9B\x04T>yK\x1A\xF6\x8F_\xBE:.\xF9\xED\xF6\xEE\xFCM\xD0\x88Ji\xDD\xF5 \xFF\xBDm\x98#mo:U\xA6\x0E\xB7\x93\x02sm`\xC6\xD1s0vV*\x88y\xDA&\xFCfZ\xF4\x00\x16\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0\x13\x00\x9C\x00/\xC0(\x005\x00"
$status = 400
$body_bytes_sent = 173
$http_referer = "-"
$http_user_agent = "-"
To summarize: Your server received a request from the address 172.68.244.173 with no user agent header sent and the request consisted of mostly non-printable characters. Slight possibility this is a broken client sending a bad request, more likely it's an attempt to discover a vulnerability in your web server or application. This will happen often to any server on the internet.

Q: Nginx $upstream_response_time returns 2 values

Sometimes Nginx $upstream_response_time returns 2 values.
xxx.xxx.xxx.xxx - - [08/Nov/2017:23:43:25 +0900] "GET /xxxxxxxxxxxx HTTP/2.0" 200 284 "https://xxxxxxxxxxx" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" "-" "0.015" "0.001, 0.014"
"0.001, 0.014" this is a $upstream_response_time.
Why does this have two values?
Log format:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$request_time" "$upstream_response_time"';
Note that this is spelled out in the documentation:
Times of several responses are separated by commas and colons like addresses in the $upstream_addr variable.
This means that it made multiple requests to a backend. Most likely you either have a bare proxy_pass host that resolves to different IPs (frequently the case with something like Amazon ELB as an origin), or you have a configured upstream that has multiple servers. Unless disabled, the proxy module will make round robin attempts against all healthy backends. This can be configured from proxy_next_upstream_* directives.
For example if this is not the desired behavior, you can just do:
proxy_next_upstream off;

Nginx: Add $host to log

How can I (or why can't I) add the $host variable to my nginx configuration file to see what domain (or subdomain) a client is requesting?
Current Format:
log_format main '$remote_addr - $remote_user [$time_local] $status '
'"$host" "$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
Current Output:
10.7.2.104 - - [17/Feb/2017:14:31:15 -0600] "GET /crazystairs HTTP/1.1" 404 2327 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
Desired Output:
10.7.2.104 - - [17/Feb/2017:14:31:15 -0600] "GET example.com/crazystairs HTTP/1.1" 404 2327 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
Notice the host in front of the request.
I found the problem. You must declare main after setting the directory where the log will be saved for the main format to be used.
access_log logs/crazystairs/portal/access.log main;

The strange nginx log record

I use a custom log format for my nginx server that looks like the following:
log_format combine '$remote_addr - $remote_user [$time_local] "$request" $http_host '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$upstream_addr" "$upstream_status" $upstream_cache_status "$upstream_http_content_type" "$upstream_response_time" > $request_time';
All works fine but sometimes I get very strange empty logs:
[13/Mar/2014:08:09:22 +0400] "-" 400 0 "-" "-"
What does it mean?
It's an unfinished request. Probably someone connected to your server but failed to send a request for some reason.
Try following command:
telnet yousite.com 80
ctrl-c
E.g:
$ telnet localhost 2002
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> Connection closed.
and my log:
[13/Mar/2014:11:29:54 +0400] - 127.0.0.1 "-" 400 "-" "-" "-" "-" "-" - [proxy (-) : - - ] 0 "-" 0.000
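Added example (not from any of the posts above): a triage parser for the `main` format that ends in `"$request_time" "$upstream_response_time"`, covering three entries discussed on this page: the `\x16\x03\x01...` request (the opening bytes of a TLS handshake record, which is what a client speaking HTTPS to a plain-HTTP port sends), the `"-"` request with status 400, and the comma-separated upstream times. The sample lines, addresses and function names are constructed for illustration.

```python
import re

# Matches the `main` log_format quoted above that ends in
# "$request_time" "$upstream_response_time". nginx writes a literal quote
# inside a logged variable as \x22, so [^"]* is safe for quoted fields.
LINE_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<xff>[^"]*)" "(?P<request_time>[^"]*)" "(?P<upstream_time>[^"]*)"$'
)
HTTP_RE = re.compile(r"[A-Z]+ \S+ HTTP/\d(?:\.\d)?")

def classify_request(request):
    """Label the $request field of one access-log entry."""
    if request in ("", "-"):
        return "no-request-line"             # closed before a request was sent
    if request.startswith(r"\x16\x03"):      # 0x16 handshake record, 0x03 version
        return "tls-handshake-on-http-port"
    if HTTP_RE.fullmatch(request):
        return "http"
    return "malformed"

def upstream_attempts(field):
    """Split $upstream_response_time into one value per upstream attempt."""
    parts = [p.strip() for p in re.split(r"[,:]", field) if p.strip()]
    return [None if p == "-" else float(p) for p in parts]

def triage(line):
    """Return a summary dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "addr": m["addr"],
        "status": int(m["status"]),
        "kind": classify_request(m["request"]),
        "attempts": upstream_attempts(m["upstream_time"]),
    }

# Constructed sample lines (documentation addresses, shortened handshake bytes).
SAMPLES = [
    r'203.0.113.7 - - [24/Aug/2018:12:14:04 +0000] "\x16\x03\x01\x00\xEC\x01" 400 173 "-" "-" "-" "0.000" "-"',
    r'203.0.113.8 - - [13/Mar/2014:08:09:22 +0400] "-" 400 0 "-" "-" "-" "0.000" "-"',
    r'203.0.113.9 - - [08/Nov/2017:23:43:25 +0900] "GET /app HTTP/2.0" 200 284 "-" "curl/7.55.1" "-" "0.015" "0.001, 0.014"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

More than one entry in `attempts` means nginx tried a second upstream for that request, which is the case `proxy_next_upstream` controls.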
