Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

NGINX Web Server

Support Added: FortiSIEM 4.7.2

Last Modification: FortiSIEM 6.4.0

Vendor Version Tested: Not Provided

 

Vendor: NGINX

Product: Web Server

Product Informationhttps://www.nginx.com/products/

 

The following protocols are used to discover and monitor various aspects of the NGINX webserver.

What is Discovered and Monitored

Protocol

Information discovered

Metrics collected

Used for

SNMP

Application type

Process level metrics: CPU utilization, Memory utilization

Performance Monitoring

Syslog

W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "nginx" to see the event types associated with this device. 

Configuration

Syslog via Rsyslog

To use rsyslog to collect and send NGINX logs via syslog, take the following steps:

Notes

  • Rsyslog Tag= is case sensitive, so ensure it is entered properly.

  • For steps 4 and 5, change the path as required to direct it to your access.log and error.log files.

  • For step 6, replace <FortiSIEM collector IP or hostname> with your actual FortiSIEM collector IP or hostname.

  1. Locate the NGINX error and access log files. Here is a typical location:

    /var/log/nginx/access.log

    /var/log/nginx/error.log

  2. Locate rsyslog.conf file. Here is the typical location:

    /etc/rsyslog.conf

  3. Add the imfile module to rsyslog.conf file.

    Note: If imfile is already loaded, do not add it again.

    module(load="imfile" PollingInterval="10")

  4. Add the following to your rsyslog.conf file for NGINX access log.

    input(type="imfile" File="/var/log/nginx/access.log"

    Tag="nginx_AccessLog:"

    Severity="info"

    Facility="local6")

  5. Add the following to your ryslog.conf file for NGINX error log.

    input(type="imfile" File="/var/log/nginx/error.log"

    Tag="nginx_ErrorLog:"

    Severity="error"

    Facility="local6")

  6. Send local6 to SIEM by adding the following to your rsyslog.conf file.

    local6.* @<FortiSIEM collector IP or hostname>

  7. Restart rsyslog by running the following command.

    systemctl restart rsyslog

  8. Confirm that logs are arriving. Ensure your firewall(s) allows UDP 514 inbound to target IP.

NGINX Sample Log

<179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36
SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.  

Syslog via NGINX Config File

FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Reference the NGINX guide here: http://nginx.org/en/docs/syslog.html

  • For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
  • For Port, enter 514.
  • Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Directives for Syslog Configuration
error_log syslog:server=192.0.2.0:514 debug;
access_log syslog:server=192.0.2.0:514,facility=local6,tag=nginx,severity=info combined;
Example NGINX Syslog
<29>Jun 15 07:59:03 ny-n1-p2 nginx: "192.0.2.0","-","Mozilla/5.0 (Windows NT 5.1 WOW64; rv:9.0.1) Gecko/20100178 Firefox/9.0.1","/images/design/header-2-logo.jpg","GET","http://wm-center.com/images/design/header-2-logo.jpg","200","0","/ypf-cookie_auth/index.html","0.000","877","-","198.51.100.0","80","wm-center.com","no-cache, no-store, must-revalidate","-","1.64","_","-","-" 

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>

NGINX Web Server

Support Added: FortiSIEM 4.7.2

Last Modification: FortiSIEM 6.4.0

Vendor Version Tested: Not Provided

 

Vendor: NGINX

Product: Web Server

Product Informationhttps://www.nginx.com/products/

 

The following protocols are used to discover and monitor various aspects of the NGINX webserver.

What is Discovered and Monitored

Protocol

Information discovered

Metrics collected

Used for

SNMP

Application type

Process level metrics: CPU utilization, Memory utilization

Performance Monitoring

Syslog

W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "nginx" to see the event types associated with this device. 

Configuration

Syslog via Rsyslog

To use rsyslog to collect and send NGINX logs via syslog, take the following steps:

Notes

  • Rsyslog Tag= is case sensitive, so ensure it is entered properly.

  • For steps 4 and 5, change the path as required to direct it to your access.log and error.log files.

  • For step 6, replace <FortiSIEM collector IP or hostname> with your actual FortiSIEM collector IP or hostname.

  1. Locate the NGINX error and access log files. Here is a typical location:

    /var/log/nginx/access.log

    /var/log/nginx/error.log

  2. Locate rsyslog.conf file. Here is the typical location:

    /etc/rsyslog.conf

  3. Add the imfile module to rsyslog.conf file.

    Note: If imfile is already loaded, do not add it again.

    module(load="imfile" PollingInterval="10")

  4. Add the following to your rsyslog.conf file for NGINX access log.

    input(type="imfile" File="/var/log/nginx/access.log"

    Tag="nginx_AccessLog:"

    Severity="info"

    Facility="local6")

  5. Add the following to your ryslog.conf file for NGINX error log.

    input(type="imfile" File="/var/log/nginx/error.log"

    Tag="nginx_ErrorLog:"

    Severity="error"

    Facility="local6")

  6. Send local6 to SIEM by adding the following to your rsyslog.conf file.

    local6.* @<FortiSIEM collector IP or hostname>

  7. Restart rsyslog by running the following command.

    systemctl restart rsyslog

  8. Confirm that logs are arriving. Ensure your firewall(s) allows UDP 514 inbound to target IP.

NGINX Sample Log

<179>Mar 22 00:41:50 lab1.example.com Apache_AccessLog: 192.0.20.0 - - [22/Mar/2022:00:41:48 +0000] "POST /phoenix/rest/h5/rt/start2?t=t1647909924028&s=333078424F54496950533135435470487275415A5974705451387635564B39496D4949717865776A HTTP/1.1" 200 36
SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.  

Syslog via NGINX Config File

FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Reference the NGINX guide here: http://nginx.org/en/docs/syslog.html

  • For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
  • For Port, enter 514.
  • Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Directives for Syslog Configuration
error_log syslog:server=192.0.2.0:514 debug;
access_log syslog:server=192.0.2.0:514,facility=local6,tag=nginx,severity=info combined;
Example NGINX Syslog
<29>Jun 15 07:59:03 ny-n1-p2 nginx: "192.0.2.0","-","Mozilla/5.0 (Windows NT 5.1 WOW64; rv:9.0.1) Gecko/20100178 Firefox/9.0.1","/images/design/header-2-logo.jpg","GET","http://wm-center.com/images/design/header-2-logo.jpg","200","0","/ypf-cookie_auth/index.html","0.000","877","-","198.51.100.0","80","wm-center.com","no-cache, no-store, must-revalidate","-","1.64","_","-","-" 

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>