The Wallarm user interface provides the ability to search for a number of different types of attack traffic within alert data.  More information about the supported types of searches can be found in the Wallarm documentation .

However, the search functionality of the Wallarm UI does not provide full visibility into every type of potential attack or full details of a particular alert.  If this level of visibility is necessary, then the access logs can be exported from Nginx into an ELK cluster where it is possible to perform full-text searches and other data analytics against them.  This also enables this information to be fed into other systems that the organization may be using for threat detection or threat intelligence generation and analysis.

A couple of different options exist for exporting this data from Nginx.  This article focuses on the approach of sending Nginx access logs to an ELK cluster.  Alternatively, it is possible to use the Wallarm API to extract request information, as described in this blog.

How to Export Nginx Access Logs

Sending access logs from Nginx to an ELK cluster is a multi-stage process.  In this article, we’ll focus on configuring Nginx to export the logs in the correct format and send them to a listening TCP/UDP port.  The remaining steps of the process (configuring Logstash and Elasticsearch) are well-described on the Internet, and links are provided that contain more detail on how to accomplish these steps correctly.

Step 1: Configure JSON Access Log Output

The first step in setting up the export of Nginx access logs is configuring Nginx to send the data out in the desired format.  For ease of use, we’ll be defining a JSON-based log format for the export.

The following shows the structure of a custom log format that combines some standard Nginx attributes, such as number of connection requests and response status, with some Wallarm-specific data, such as the Wallarm attack type.  More information about the standard attributes available with Nginx is available in their documentation , and the Wallarm documentation describes the set of custom attributes that Wallarm defines.

<code>log_format json_log escape=json '{
"connection_serial_number":$connection,'
'"number_of_requests":$connection_requests,'
'"response_status":"$status",'
'"body_bytes_sent":$body_bytes_sent,'
'"content_type":"$content_type",'
'"host":"$host",'
'"host_name":"$hostname",'
'"http_name":"$http_name",'
'"https":"$https",'
'"proxy_protocol_addr":"$proxy_protocol_addr",'
'"proxy_protocol_port":"$proxy_protocol_port",'
'"query_string":"$query_string",'
'"client_address":"$remote_addr",'
'"http_ar_real_proto":"$http_ar_real_proto",'
'"http_ar_real_ip":"$http_ar_real_ip",'
'"http_ar_real_country":"$http_ar_real_country",'
'"http_x_real_ip":"$http_x_real_ip",'
'"http_x_forwarded_for":"$http_x_forwarded_for",'
'"http_config":"$http_config",'
'"client_port":"$remote_port",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"request_time":$request_time,'
'"request_id":"$request_id",'
'"request_length":$request_length,'
'"request_method":"$request_method",'
'"request_uri":"$request_uri",'
'"request_body":"$request_body",'
'"scheme":"$scheme",'
'"server_addr":"$server_addr",'
'"server_name":"$server_name",'
'"server_port":"$server_port",'
'"server_protocol":"$server_protocol",'
'"http_user_agent":"$http_user_agent",'
'"time_local":"$time_local",'
'"time_iso":"$time_iso8601",'
'"attack":"$wallarm_attack_type",'
'"route_uri": "$upstream_http_route_uri",'
'"route_cookie": "$upstream_http_route_cookie",'
'"url":"$scheme://$host$request_uri",'
'"uri":"$uri"}';</code>

One option is to use fluentd to perform the transfer.  After saving the log file as a text file, a local copy of fluentd can be used to perform the transfer.  For more information regarding this option, check out the fluentd documentation .

Alternatively, it is possible to use Nginx’s built-in syslog client to perform the log file export.  However, this option requires the receiving Logstash instance to be configured to use the syslog plugin to receive input.  If this is the case, use the following configuration to send the access logs via syslog:

access_log syslog:server=<ADDRESS_OR_DNS_OF_COLLECTOR>:<PORT>,tag=wallarm_access json_log;

Product. Advanced API Security

Product. Cloud-Native WAAP

Product. API Attack Surface Management

Solutions by Cloud

Azure

Kubernetes

Solutions by Industry

API Security for Healthcare

API Security for Fintech

API Security for Retail

API Security for Technology

Resources

Resource Library

Whitepapers

Datasheets

Case Studies

Webinars

Learning Center

Whats

Cloud Native Products 101

Glossary

Support

Featured Resources

API Security Tutorial

Top Five Challenges in Protecting APIs

A CISO’s Guide To Cloud Application Security

Evolution of Real Time Attack Detection

Wallarm For Kubernetes

2024 API ThreatStats Report

Learn Wallarm

Documentation

API specs

Terraform Provider

Terms of Services

Privacy Policy

Cookies Policy

Security Bug Bounty Program