To collect events from NGINX HTTP Server, configure your NGINX HTTP Server device to
forward Syslog events to QRadar®.
Procedure
-
Log in to your NGINX HTTP Server device.
-
Open the nginx.conf file.
-
Add the following LEEF format string under http block. For more
information about configuring logging, see https://docs.nginx.com/nginx/admin-guide/monitoring/logging/.
LEEF:1.0|NGINX|NGINX|$nginx_version|$status|devTime=$time_local\tdevTimeFormat=dd/MMM/yyyy:HH:mm:ss Z\tsrc=$remote_addr\tdst=$server_addr\tdstPort=$server_port\tproto=$server_protocol\tusrName=$remote_user\trequest=$request\tbody_bytes_sent=$body_bytes_sent\thttp_referer=$http_referer\thttp_true_client_ip=$http_true_client_ip\thttp_user_agent=$http_user_agent\thttp_x_header=$http_x_header\thttp_x_forwarded_for=$http_x_forwarded_for\trequest_time=$request_time\tupstream_response_time=$upstream_response_time\tpipe=$pipe\turi_query=$query_string\turi_path=$uri\tcookie=$http_cookie
-
Add the following syslog server configuration under http block.
access_log syslog:server=QRadar_Server_IP:514,facility=Facility_Parameter qradar;
-
Save the configuration.
-
To verify the configuration, type the following command:
-
If NGINX is running, reload the configuration by typing the following command: