Rename NGINX Log files for Custom CSF Regex Patterns

V

Vibe

Verified User
Joined
Aug 3, 2005
Messages
120
Hi everyone,

I am using NGINX/Apache and need to rename the the NGINX access log files (e.g. domain.com.log >>> domain.com.access.log). I have done this by editing the NGINX server templates within the DA custom templates folder. Permissions of the new log files are now set to root:root vs nginx:root. Will this cause any issues? Is there a better way to accomplish this?

Templates changed:

nginx_server.conf
nginx_server_secure.conf
nginx_server_secure_sub.conf
nginx_server_sub.conf

Thanks for any suggestions.
 
Last edited:
Does anyone monitor their users NGINX access logs using CSF? I am hoping to do so in order to implement a few custom REGEX patterns for various errors. However, I am unable to determine the best way to target user access logs due to the default filename (domain.log). I would like to differentiate between the access and error logs. I tried the following for access logs (csf.conf), however, it does not work with CSF:

# For NGINX access logs (excluding *.error.log)
CUSTOM1_LOG = "/var/log/nginx/domains/[^.]*.log"

# For NGINX error logs
CUSTOM2_LOG = "/var/log/nginx/domains/*.error.log"

The only solution I have found is to rename the log files as mentioned in my first post. Is this the proper "DA" way of doing this?
 
Why not just use as custom1 and write if/else in custom regex rules perl script.


Code: 
if ($globlogs{CUSTOM1_LOG}{$lgfile}){

    if ($lgfile =~ /\.error\.log$/){
        if ($line =~ /.*Failed login.*/){
            return ("Failed mymatch login from",$1,"mymatch","100","80,443","3600","0");
        }
    }else{
        if ($line =~ /.*Failed login 2.*/){
            return ("Failed mymatch login from",$1,"mymatch","100","80,443","3600","0");
        }
    }
}
 
Thank you for your reply Ohm - I greatly appreciate it. I believe I may need to monitor users NGINX access logs in addition to error logs. One of my servers has been targeted by Microsoft IPS for the past month (literally 100's of them). I have attached a snippet of an example user access log file showing a brute force attack. This happens repeatedly throughout the day/night causing PHP-FPM memory to overload the server - sometimes to the point where I need to reboot. It has been a game of "Whac-A-Mole" for sure. I am not running mod_security - but may need to do so if user custom regex rules are unsuccessful (no experience with mod_security). I have custom regex patterns for both the host sever (access and error logs) which effectively block IPs in CSF. I am hoping doing the same for user access and error logs will do the same. I also have custom NGINX location configs that have helped. At this point I am pulling my hair out and will be bald soon :)
 

Attachments

Then just use my example code and put your regex instead.
Don't need to separate logs, just put all error and access logs in the CUSTOM1_LOG.

I'm afraid when change the logs format, it could affect other automatics system like... log rotate from directadmin task. and other control panel page... like logs viewer.
 
Ohm, you are a champion - I never thought about doing it this way. That makes perfect sense and is much cleaner/easier - brilliant! I was also concerned about any affects it would have with permissions and log rotate etc. I am working on this right now, and you have saved me from going bald. Thank you sir!
 
You must log in or register to reply here.
Back
Top