Guide to Transferring Nginx Logs to OpenSearch
In this guide, you will learn how to collect Nginx web server access and error logs with Fluent Bit and transmit them to OpenSearch. So you can easily analyze performance, security and user behavior in a central place.
What Will You Learn in This Guide?
- Installation of Fluent Bit
- Input settings for reading Nginx logs
- Output configuration for sending to OpenSearch
- Service initialization and verification
- Quick solutions to common problems
Requirements
Before you start, make sure you have the following ready:
- An Nginx installation running on GenixNode Virtual Server (Instance)
- OpenSearch cluster (example: logs.example.com)
1. Fluent Bit Installation
Fluent Bit; It is a lightweight tool that collects, processes and forwards logs to different targets.
You can install it with the following command:
curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh
This command downloads Fluent Bit and installs it on your server.
2. Fluent Bit Configuration
- Fluent Bit configuration files are located in the /etc/fluent-bit/ directory.
Purpose:
-
Reading Nginx access and error logs
-
Securely import to OpenSearch
2.1 Input Settings
[INPUT]
Name tail
Tag nginx.access
Path /var/log/nginx/access.log
Parser nginx
[INPUT]
Name tail
Tag nginx.error
Path /var/log/nginx/error.log
These settings follow Nginx logs and transfer them to Fluent Bit.
2.2 Output Settings – OpenSearch
Edit with your own OpenSearch information in the section below:
[OUTPUT]
Name opensearch
Match nginx.access
Host logs.ornek.com
Port 25060
HTTP_User admin
HTTP_Passwd your_password
Index fbit-nginx-access
TLS On
Suppress_Type_Name On
[OUTPUT]
Name opensearch
Match nginx.error
Host logs.ornek.com
Port 25060
HTTP_User admin
HTTP_Passwd your_password
Index fbit-nginx-error
TLS On
Suppress_Type_Name On
These settings allow logs to be sent to two different indexes (access & error).
3. Starting the Fluent Bit Service
systemctl enable fluent-bit.service
systemctl start fluent-bit.service
systemctl status fluent-bit.service
Servisi etkinleştirir, çalıştırır ve durumunu kontrol eder.
3.1 Troubleshooting
3.1.1 Connection Control
curl -u admin:your_password -X GET "https://logs.ornek.com:25060/_cat/indices?v"
Tests connection to OpenSearch.
3.1.2 Checking that Logs Are Indexed
curl -u admin:your_password -X GET "https://logs.ornek.com:25060/fbit-nginx-access/_search?pretty"
Indicates whether there is data in the relevant index.
3.1.3 Examining Fluent Bit Logs
sudo journalctl -u fluent-bit
3.1.4 Verifying Configuration
/opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf --dry-run
Checks that the configuration file is written correctly.
Frequently Asked Questions (FAQ)
1. Why is Fluent Bit preferred over Logstash? Because it is lighter, has lower RAM consumption and is faster.
2. Can I collect logs from more than one server? Yes. By installing Fluent Bit on each server, you can direct them all to the same OpenSearch indexes.
3. What does the Index setting do? It determines which logical storage the logs will be written to.
4. Can I write IP instead of host? If you are using TLS, the host name is recommended. The certificate must match.
5. Should I change the Nginx log format? No, Fluent Bit already includes Nginx-ready parsers.
Result
With this guide, you have set up the structure to successfully transfer Nginx logs to OpenSearch using Fluent Bit. In this way, it becomes much easier to monitor server behavior, detect security threats and perform performance analysis.
You can try this powerful log collection infrastructure on the GenixNode platform now.