Forwarding nginx Access and Error Logs

Configure nginx to output structured JSON logs and forward them to Purl for real-time monitoring, alerting on error spikes, and request analysis.

Prerequisites

  • nginx installed and running
  • Purl instance accessible from the nginx server
  • Fluent Bit or Vector installed (for log forwarding)

1. Configure JSON Log Format

First, configure nginx to output access logs in JSON format. This makes parsing in Purl automatic — no grok patterns needed.

nginx.conf
http {
    log_format json_combined escape=json
        '{'
            '"timestamp":"$time_iso8601",'
            '"remote_addr":"$remote_addr",'
            '"request_method":"$request_method",'
            '"request_uri":"$request_uri",'
            '"status":$status,'
            '"body_bytes_sent":$body_bytes_sent,'
            '"request_time":$request_time,'
            '"http_referrer":"$http_referer",'
            '"http_user_agent":"$http_user_agent",'
            '"upstream_response_time":"$upstream_response_time"'
        '}';

    access_log /var/log/nginx/access.log json_combined;
    error_log  /var/log/nginx/error.log warn;
}

2. Forward with Fluent Bit

Use Fluent Bit to tail both the access and error log files and forward them to Purl.

fluent-bit.conf
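[SERVICE]
    Flush         5
    Daemon        Off
    Log_Level     info
    # Load parser definitions. The parsers.conf shipped with Fluent Bit
    # defines the "json" parser referenced by the access-log input below.
    Parsers_File  parsers.conf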

[INPUT]
    Name          tail
    Tag           nginx.access
    Path          /var/log/nginx/access.log
    Parser        json
    Refresh_Interval  5

[INPUT]
    Name          tail
    Tag           nginx.error
    Path          /var/log/nginx/error.log
    Refresh_Interval  5

[FILTER]
    Name          modify
    Match         nginx.*
    Add           source nginx

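# Replace your-purl-host and your-api-key with your own values.
# If the Purl endpoint is served over HTTPS, also set "tls On" here
# so the API key header is not sent in cleartext.
[OUTPUT]
    Name          http
    Match         *
    Host          your-purl-host
    Port          3000
    URI           /api/v1/logs
    Format        json
    Header        X-API-Key your-api-key
    Header        Content-Type application/json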

3. Set Up Pipeline Parsing

Create a Purl pipeline rule to extract structured fields from nginx error logs. Access logs are already JSON, so they're parsed automatically.

Pipeline Rule (in Purl UI)
# For nginx error logs, use regex extraction:
# Pattern: (?P<timestamp>[\d/:]+ [\d:]+) \[(?P<level>\w+)\] (?P<message>.+)
#
# This extracts:
# - timestamp: 2026/02/18 10:30:00
# - level: error, warn, notice, etc.
# - message: the actual error message
#
# Navigate to Settings → Pipelines → Create Rule
# Source filter: source = "nginx"
# Rule type: regex
# Apply to: message field

4. Create Alerts

Set up alerts for critical nginx events — 5xx error spikes, high response times, or specific error patterns.

Example Alert Rules
# Alert: High 5xx Error Rate
# Query: source:nginx AND status:>=500
# Threshold: > 10 matches in 5 minutes
# Channel: Slack #ops-alerts

# Alert: Slow Upstream Response
# Query: source:nginx AND upstream_response_time:>5
# Threshold: > 5 matches in 1 minute
# Channel: Telegram
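
The two alert rules above can be checked offline against constructed access-log records before relying on them. This is an added example, not part of Purl or of the original page; the function names are hypothetical. It assumes records arrive in time order and that a record counts as slow when any upstream attempt exceeded 5 seconds, since the page does not state how Purl compares the quoted upstream_response_time string.

```python
import json
import re
from collections import deque
from datetime import datetime, timedelta

def upstream_seconds(value):
    """Slowest attempt in a logged $upstream_response_time string, or None.
    nginx logs "-" when no upstream was contacted and separates several
    attempts with commas or colons, so the field is not always one number.
    """
    parts = re.split(r"[,:\s]+", str(value))
    times = [float(p) for p in parts if p not in ("", "-")]
    return max(times) if times else None

def first_alert(lines, predicate, threshold, window):
    """Timestamp at which more than `threshold` matching records fall inside
    a sliding `window`, or None. Assumes lines are in chronological order."""
    recent = deque()
    for line in lines:
        event = json.loads(line)
        if not predicate(event):
            continue
        ts = datetime.fromisoformat(event["timestamp"])  # $time_iso8601
        recent.append(ts)
        while ts - recent[0] >= window:  # drop matches older than the window
            recent.popleft()
        if len(recent) > threshold:
            return ts
    return None

def is_5xx(event):  # status:>=500
    return event["status"] >= 500

def is_slow_upstream(event):  # upstream_response_time:>5
    secs = upstream_seconds(event["upstream_response_time"])
    return secs is not None and secs > 5

def sample_line(second, status, upstream):
    # Constructed record carrying only the json_combined fields the rules read.
    return json.dumps({"timestamp": f"2026-02-18T10:30:{second:02d}+00:00",
                       "status": status, "upstream_response_time": upstream})

# Constructed input: 11 server errors, then 6 slow upstream replies.
ERRORS = [sample_line(s, 502, "-") for s in range(11)]
SLOW = [sample_line(s, 200, "0.004, 6.100") for s in range(6)]

if __name__ == "__main__":
    print(first_alert(ERRORS, is_5xx, 10, timedelta(minutes=5)))
    print(first_alert(SLOW, is_slow_upstream, 5, timedelta(minutes=1)))
```

Records with no upstream ("-") never match the slow-upstream rule, and a retried request is judged by its slowest attempt.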

Pro Tip

Use Purl's pattern detection to automatically discover common error patterns in your nginx logs. Navigate to Patterns in the dashboard — Purl will group similar log entries and show you the most frequent patterns.