Skip to content

Integration with NGINX

This guide walks you through setting up real-time log monitoring for NGINX using Fluent Bit and OpenObserve.

Overview

By default, NGINX logs in a custom format that isn’t ideal for log analytics. This guide helps you convert logs into structured JSON, then forward them to OpenObserve using Fluent Bit.

Steps to Integrate

Prerequisites
Step 1: Configure NGINX to Emit JSON Logs
  1. Open your NGINX configuration file:

    sudo vi /etc/nginx/nginx.conf
    

    On macOS: /opt/homebrew/etc/nginx/nginx.conf

  2. Add the following log_format inside the http block:

    log_format json_combined escape=json '{"@timestamp":"$time_iso8601",'
    '"remote_addr":"$remote_addr",'
    '"request":"$request",'
    '"status":"$status",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"http_referer":"$http_referer",'
    '"http_user_agent":"$http_user_agent"}';
    
    access_log /var/log/nginx/access.log json_combined;
    

    Adjust the path if needed (e.g., /opt/homebrew/var/log/nginx/access.log on macOS)

  3. Restart or reload NGINX:

    sudo systemctl reload nginx
    # or
    sudo nginx -s reload
    

Step 2: Install Fluent Bit
  1. Install Fluent Bit:

    # Ubuntu/Debian
    curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh
    
    # macOS
    brew install fluent-bit
    

  2. Verify installation:

    fluent-bit --version
    

Step 3: Configure Fluent Bit for NGINX Logs
  1. Create a config file:

    vi nginx-fluent-bit.conf
    

  2. Paste the configuration below:

    [INPUT]
        Name tail
        Path /var/log/nginx/access.log
        Tag nginx-access
        DB /var/log/fluent-bit-nginx-access.db
        Mem_Buf_Limit 5MB
        Skip_Long_Lines On
    
    [OUTPUT]
        Name http
        Match *
        Host localhost
        Port 5080
        URI /api/default/default/_json
        Format json
        Json_date_key    _timestamp
        Json_date_format iso8601
        HTTP_User <YOUR_USERNAME>
        HTTP_Passwd <YOUR_PASSWORD>
        tls Off
        compress gzip
    

    • Adjust the access log path if you're using macOS (/opt/homebrew/var/...)
    • Replace <YOUR_PASSWORD> with your OpenObserve password.
      Openobserve-Fluent Bit
Step 4: Start Fluent Bit
  1. Run Fluent Bit with your config:

    fluent-bit -c nginx-fluent-bit.conf
    
    Start Fluent Bit

  2. Optionally, run in verbose mode for debugging:

    fluent-bit -c nginx-fluent-bit.conf -vv
    

Step 5: Verify Logs in Openobserve
  1. In your Openobserve instance, Go to Logs → select your log stream → Set time range → Click Run Query
  2. You should see logs in JSON format, like:
    {
      "_timestamp": 1729109276178847,
      "log": {
        "@timestamp": "2024-10-16T15:07:55-05:00",
        "remote_addr": "127.0.0.1",
        "request": "GET / HTTP/1.1",
        "status": "200",
        "body_bytes_sent": "615",
        "http_referer": "",
        "http_user_agent": "curl/8.7.1"
      }
    }
    
    Verify Logs in Openobserve

Troubleshooting

No logs appearing in OpenObserve?
  • Check Fluent Bit is running and not erroring:
    fluent-bit -c nginx-fluent-bit.conf -vv
  • Validate HTTP output settings (host, user, password, URI)
  • Confirm the log path exists and is readable
NGINX access log not updating?
  • Tail the log file to check for updates:

    tail -f /var/log/nginx/access.log
    

  • Ensure NGINX reloads after config changes

  • Use traffic generation script to populate logs
Fluent Bit not reading logs?
  • Check if tail input path is correct
  • Ensure permission to read the access log
  • Delete or reset the .db file if state is stale