NGINX
About
NGINX [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server.
Product Details
Vendor URL: NGINX
Product Type: proxy server
Product Tier: Tier III
Integration Method: Syslog
Integration URL: NGINX - Logging to syslog
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: NGINX
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| NGINX (hardcoded constant, not a field in the log) | metadata.vendor_name |
| SyslogMessage | principal.asset.ip |
| SyslogMessage | principal.port |
| SyslogMessage | principal.user.userid |
| HostIP | observer.asset.ip |
| HostName | observer.asset.hostname |
| TenantId | principal.asset.product_object_id |
| ProcessName | principal.process.file.full_path |
| ProcessID | principal.process.pid |
| SourceSystem | principal.platform |
| SeverityLevel | security_result.severity |
| SyslogMessage | security_result.description |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all | GENERIC_EVENT |
Log Sample
The sample below is a record from the Azure Monitor Logs Syslog table exported as JSON (the TenantId, MG, Type and _ResourceId fields are that table's schema, not NGINX's). Note that the SyslogMessage in this sample was emitted by systemd-logind, not by NGINX, so it exercises only the generic syslog field mapping above.
{"Computer":"localhost","EventTime":"2022-04-12T19:08:45.0000000Z","Facility":"auth","HostIP":"127.0.0.1","HostName":"localhost","MG":"00000000-0000-0000-0000-00000000000","ProcessID":1234,"ProcessName":"systemd-logind","SeverityLevel":"info","SourceSystem":"Linux","SyslogMessage":"New session AAAA of user root.","TenantId":"aaaaaaa-bbbb-cccc-dddd-eeeeeeeee","TimeGenerated":"2022-04-12T19:08:45.0670000Z","Type":"Syslog","_Internal_WorkspaceResourceId":"/subscriptions/aaaaaaa-bbbb-cccc-dddd-eeeeeeeee/resourcegroups/groupname/providers/microsoft.operationalinsights/workspaces/logs","_ResourceId":"/subscriptions/aaaaaaa-bbbb-cccc-dddd-eeeeeeeee/resourceGroups/name/providers/Microsoft.Compute/virtualMachines/object_id"}
Sample Parsing
The metadata.event_timestamp value shown below does not correspond to either the EventTime or the TimeGenerated value in the log sample above; confirm which field the parser populates event_timestamp from in your deployment before writing time-sensitive detections against it.
metadata.event_timestamp = "2022-04-12T19:11:56.185840Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "NGINX"
principal.user.userid = "root"
principal.process.pid = "1234"
principal.process.file.full_path = "systemd-logind"
principal.platform = "LINUX"
principal.asset.product_object_id = "aaaaaaa-bbbb-cccc-dddd-eeeeeeeee"
observer.asset.hostname = "localhost"
observer.asset.ip = "127.0.0.1"
security_result.description = "New session AAAA of user root."
security_result.severity = "INFORMATIONAL"
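To make the mapping table and the sample output concrete, here is an added example in Python. It is not the Chronicle parser's own code (which is not on this page); it reproduces the documented field mapping, the "info" to "INFORMATIONAL" and "Linux" to "LINUX" normalizations, the extraction of the user from the session message, and a normalization-rate check over a batch of lines. Assumptions, labelled in the code: event_timestamp is taken from EventTime (the page's own sample output shows a different value); the ip:port regex used to fill principal.asset.ip and principal.port is an assumed message shape, since the page lists those fields but shows no message carrying them; the severity keywords other than "info", the second record and the malformed line are all constructed for the example.

```python
import json
import re

# Constructed input: the page's log sample as one JSON line, plus a constructed
# record whose SyslogMessage carries an "ip:port" pair (assumed shape) and one
# deliberately malformed line to exercise the normalization-rate check.
SAMPLE_RECORD = (
    '{"Computer":"localhost","EventTime":"2022-04-12T19:08:45.0000000Z",'
    '"Facility":"auth","HostIP":"127.0.0.1","HostName":"localhost",'
    '"MG":"00000000-0000-0000-0000-00000000000","ProcessID":1234,'
    '"ProcessName":"systemd-logind","SeverityLevel":"info","SourceSystem":"Linux",'
    '"SyslogMessage":"New session AAAA of user root.",'
    '"TenantId":"aaaaaaa-bbbb-cccc-dddd-eeeeeeeee",'
    '"TimeGenerated":"2022-04-12T19:08:45.0670000Z","Type":"Syslog"}'
)
CONSTRUCTED_RECORD = (  # constructed; message shape is an assumption, not NGINX's format
    '{"EventTime":"2022-04-12T19:09:01.5Z","HostIP":"127.0.0.1","HostName":"localhost",'
    '"ProcessID":4321,"ProcessName":"nginx","SeverityLevel":"err","SourceSystem":"Linux",'
    '"SyslogMessage":"Accepted connection from 10.0.0.5:54321",'
    '"TenantId":"aaaaaaa-bbbb-cccc-dddd-eeeeeeeee"}'
)
BAD_LINE = "not json at all"

# Assumed: the page documents only "info" -> "INFORMATIONAL"; the remaining
# syslog severity keywords are mapped to UDM severities by the example author.
SEVERITY_MAP = {
    "emerg": "CRITICAL", "alert": "CRITICAL", "crit": "CRITICAL",
    "err": "ERROR", "error": "ERROR", "warning": "MEDIUM", "warn": "MEDIUM",
    "notice": "INFORMATIONAL", "info": "INFORMATIONAL", "debug": "INFORMATIONAL",
}

USER_RE = re.compile(r"\buser ([^\s.]+)")  # "... of user root." -> "root"
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")  # assumed shape
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def normalize_timestamp(value):
    """Return the timestamp with exactly six fractional digits, or None.
    Azure exports seven digits; UDM timestamps carry at most microseconds."""
    m = TS_RE.fullmatch(value or "")
    if not m:
        return None
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    return f"{m.group(1)}.{frac}Z"


def to_udm(record):
    """Map one Syslog-table record to the flat UDM field names the page lists.
    Fields absent from the record are simply not emitted."""
    udm = {"metadata.event_type": "GENERIC_EVENT", "metadata.vendor_name": "NGINX"}
    ts = normalize_timestamp(record.get("EventTime"))
    if ts:
        udm["metadata.event_timestamp"] = ts  # assumed source field (see lead-in)
    direct = {
        "HostIP": "observer.asset.ip",
        "HostName": "observer.asset.hostname",
        "TenantId": "principal.asset.product_object_id",
        "ProcessName": "principal.process.file.full_path",
        "SyslogMessage": "security_result.description",
    }
    for src, dst in direct.items():
        if record.get(src) not in (None, ""):
            udm[dst] = str(record[src])
    if "ProcessID" in record:
        udm["principal.process.pid"] = str(record["ProcessID"])  # UDM pid is a string
    if record.get("SourceSystem"):
        udm["principal.platform"] = str(record["SourceSystem"]).upper()  # Linux -> LINUX
    sev = SEVERITY_MAP.get(str(record.get("SeverityLevel", "")).lower())
    if sev:
        udm["security_result.severity"] = sev
    msg = str(record.get("SyslogMessage", ""))
    m = USER_RE.search(msg)
    if m:
        udm["principal.user.userid"] = m.group(1)
    m = IP_PORT_RE.search(msg)
    if m:
        udm["principal.asset.ip"] = m.group(1)
        udm["principal.port"] = int(m.group(2))
    return udm


def parse_line(line):
    """Parse one JSON line; return the UDM dict, or None if the line cannot be normalized."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    return to_udm(record) if isinstance(record, dict) else None


def normalization_rate(lines):
    """Fraction of lines that normalized: the check behind 'Expected Normalization Rate'."""
    results = [parse_line(line) for line in lines]
    return sum(r is not None for r in results) / len(results) if results else 0.0


if __name__ == "__main__":
    for key, value in sorted(to_udm(json.loads(SAMPLE_RECORD)).items()):
        print(f"{key} = {value!r}")
    print("normalization rate:", normalization_rate([SAMPLE_RECORD, CONSTRUCTED_RECORD, BAD_LINE]))
```

Running the script prints the sample record in the same flat `field = value` notation used above, which makes it easy to diff against the documented Sample Parsing block when a parser update changes a mapping; the malformed third line drops the batch rate below 100%, which is the signal to look at before trusting a "100%" expectation on production data.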
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon