Full NGINX Plus Logs in Sumo Logic

You enabled the additional logging per the NGINX documentation for Amplify and now you want to have all the metrics show up in Sumo Logic, right?

Here’s what you came for:

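// Field names are illustrative; they mirror the NGINX variables in the Amplify extended log format.
_sourceCategory="NGINX Plus"
| parse regex "^(?<remote_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| parse regex "(?<method>[A-Z]+)\s(?<uri>\S+)\sHTTP/[\d\.]+\"\s(?<status>\d+)\s(?<body_bytes_sent>[\d-]+)\s\"(?<http_referer>.*?)\"\s\"(?<http_user_agent>.+?)\"\s\"(?<http_x_forwarded_for>\S+)\"\s\"(?<host>\S+)\"\ssn=\"(?<server_name>\S+)\"\srt=(?<request_time>\S+)\sua=\"(?<upstream_addr>\S+)\"\sus=\"(?<upstream_status>\S+)\"\sut=\"(?<upstream_response_time>\S+)\"\sul=\"(?<upstream_response_length>\S+)\"\scs=(?<upstream_cache_status>\S+).*"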

Want to play around and learn more about RegEx? I recommend you use this site: http://regexr.com/

NGINX Log File Configuration: https://github.com/nginxinc/nginx-amplify-doc/blob/master/amplify-guide.md#additional-nginx-metrics
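To check the two patterns before pasting them into Sumo Logic, this added Python example (not from the original post) runs them over constructed log lines in the Amplify extended format. The group names and the sample lines are assumptions.

```python
import re

# Python spells named groups (?P<name>...); Sumo Logic uses (?<name>...).
# Group names are assumptions that mirror the NGINX log variables.
IP_RE = re.compile(r"^(?P<remote_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
REQ_RE = re.compile(
    r'(?P<method>[A-Z]+)\s(?P<uri>\S+)\sHTTP/[\d.]+"\s'
    r'(?P<status>\d+)\s(?P<body_bytes_sent>[\d-]+)\s'
    r'"(?P<http_referer>.*?)"\s"(?P<http_user_agent>.+?)"\s'
    r'"(?P<http_x_forwarded_for>\S+)"\s"(?P<host>\S+)"\s'
    r'sn="(?P<server_name>\S+)"\srt=(?P<request_time>\S+)\s'
    r'ua="(?P<upstream_addr>\S+)"\sus="(?P<upstream_status>\S+)"\s'
    r'ut="(?P<upstream_response_time>\S+)"\s'
    r'ul="(?P<upstream_response_length>\S+)"\s'
    r'cs=(?P<upstream_cache_status>\S+)'
)

def parse_line(line):
    """Return the extracted fields, or None when either pattern misses."""
    ip, req = IP_RE.search(line), REQ_RE.search(line)
    if ip is None or req is None:
        return None
    return {**ip.groupdict(), **req.groupdict()}

# Constructed sample lines (documentation addresses, not real traffic).
HEAD = '203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] '
TAIL = ('"example.test" sn="example.test" rt=0.012 ua="10.0.0.5:8080" '
        'us="200" ut="0.010" ul="512" cs=MISS')
SAMPLES = {
    "proxied": HEAD + '"GET /api/items HTTP/1.1" 200 512 "-" "curl/7.47.0" "-" ' + TAIL,
    # Two proxy hops: the ", " separator defeats the \S+ capture.
    "xff_chain": HEAD + '"GET /api/items HTTP/1.1" 200 512 "-" "curl/7.47.0" '
                        '"198.51.100.1, 10.0.0.1" ' + TAIL,
    # TLS bytes sent to the plain-HTTP port: no METHOD URI HTTP/x.y at all.
    "not_http": HEAD + r'"\x16\x03\x01" 400 173 "-" "-" "-" ' + TAIL,
}

def unparsed(samples):
    """Names of the sample lines the patterns fail to parse."""
    return [name for name, line in samples.items() if parse_line(line) is None]

if __name__ == "__main__":
    print(parse_line(SAMPLES["proxied"]))
    print("would be dropped:", unparsed(SAMPLES))
```

Sumo Logic's parse regex drops messages that do not match unless nodrop is appended, so the two failing kinds of line would be missing from the query's results.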

NGINX Amplify Agent on Ubuntu LTS 16

mkdir ~/NGINX-Amplify
cd ~/NGINX-Amplify
curl -L -O https://github.com/nginxinc/nginx-amplify-agent/raw/master/packages/install.sh
sudo apt-get install python-software-properties python2.7
sudo API_KEY='USEYOURKEY' sh ./install.sh

The Output

--- This script will install the NGINX Amplify Agent ---

1. Checking admin user ... root, ok.
2. Checking API key ... using YOURAPIKEY
3. Checking python version ... found python 2.7
4. Checking OS compatibility ... ubuntu detected.
5. Adding public key ... done.
6. Adding repository ... added.
7. Updating repository ...

Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]
Hit:2 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease
Ign:5 https://packages.amplify.nginx.com/ubuntu xenial InRelease
Get:6 https://packages.amplify.nginx.com/ubuntu xenial Release [2,526 B]
Get:7 https://packages.amplify.nginx.com/ubuntu xenial Release.gpg [287 B]
Get:8 https://packages.amplify.nginx.com/ubuntu xenial/amplify-agent amd64 Packages [1,744 B]
Get:9 https://packages.amplify.nginx.com/ubuntu xenial/amplify-agent i386 Packages [1,741 B]
Fetched 101 kB in 0s (113 kB/s)
Reading package lists... Done

7. Updating repository ... done.
8. Installing package ...

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
Need to get 3,590 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 https://packages.amplify.nginx.com/ubuntu xenial/amplify-agent amd64 nginx-amplify-agent amd64 0.39-2~xenial [3,590 kB]
Fetched 3,590 kB in 3s (1,026 kB/s)
Selecting previously unselected package nginx-amplify-agent.
(Reading database ... 60211 files and directories currently installed.)
Preparing to unpack .../nginx-amplify-agent_0.39-2~xenial_amd64.deb ...
Unpacking nginx-amplify-agent (0.39-2~xenial) ...
Processing triggers for systemd (229-4ubuntu8) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up nginx-amplify-agent (0.39-2~xenial) ...

8. Installing package ... done.
9. Building configuration file ... done.
10. Checking if sudo -u nginx can be used for tests ... done.
11. Checking if euid 111(nginx) can find root processes ... ok.
12. Checking if euid 111(nginx) can access I/O counters ... ok.
13. Checking connectivity to the receiver ... ok.
14. Checking system time with ntpdate(8) ... failed - no ntpdate installed!

A few checks have failed - please read the warnings above!

To start and stop the Amplify Agent type:

service amplify-agent { start | stop }

Amplify Agent log can be found here:

After the agent is launched, it might take up to 1 minute this system to appear
in the Amplify user interface.


Launching amplify-agent ...
All done.

Reject Requests without a Host Name Header on NGINX

The Objective: Reject all requests that reach the NGINX server without a host name in the header

Why it matters: When a request is made via IP address (http://your.add.rress.here), NGINX answers with whatever it has determined to be the “default server” for that IP address. This is often not the desired result. The result we are going for here is to close the connection with the requesting client.

The solution: 

  1. generate a bogus cert and store it in your /etc/nginx/certs/bogus/ (or whichever folder you use for your certificates)
  2. create a “default.conf” configuration file in your /etc/nginx/conf.d/ (or whichever folder you include in your config)
  3. add the configuration to the “default.conf” file (update it if your folders are different for certs)
  4. test your configuration (/usr/sbin/nginx -t -c /etc/nginx/nginx.conf)
  5. if all is well, restart your service (sudo service nginx restart)
  6. validate it’s working as intended

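Code Sample:

# Catch-all for port 80: close the connection without sending a response.
server {
    listen 80 default_server;
    server_name "";
    return 444;
}

# Catch-all for port 443. The "ssl" flag on listen enables TLS, so the
# deprecated "ssl on;" directive is not needed.
server {
    listen 443 default_server ssl;
    server_name "";
    return 444;
    ssl_certificate /etc/nginx/certs/bogus/cert.pem;
    ssl_certificate_key /etc/nginx/certs/bogus/privkey.pem;
}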



  • http://nginx.org/en/docs/http/request_processing.html#how_to_prevent_undefined_server_names
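
Step 6 can be scripted. This added Python example (not from the original post) sends a request with no Host header, or with the IP address as Host, and reports whether the server closed the connection without replying. The function names and the 203.0.113.10 placeholder address are assumptions.

```python
import socket
import ssl

def build_request(host_header=None):
    """HTTP/1.0 with no Host header, or HTTP/1.1 with the given Host."""
    if host_header is None:
        return b"GET / HTTP/1.0\r\n\r\n"
    return (f"GET / HTTP/1.1\r\nHost: {host_header}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def exchange(sock, request):
    """Send the request and return every byte received before the close."""
    chunks = []
    try:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except (ConnectionResetError, BrokenPipeError):
        pass  # an abrupt close still means no further data is coming
    return b"".join(chunks)

def is_rejected(addr, port, host_header=None, tls=False, timeout=3.0):
    """True when the listener closes the connection without any reply,
    which is how `return 444` looks from the client side."""
    sock = socket.create_connection((addr, port), timeout=timeout)
    try:
        if tls:
            # The catch-all certificate is deliberately bogus, so skip
            # verification; no SNI name is sent.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock)
        return exchange(sock, build_request(host_header)) == b""
    finally:
        sock.close()

if __name__ == "__main__":
    # Placeholder address (TEST-NET-3); substitute your own server's IP.
    ip = "203.0.113.10"
    for port, tls in ((80, False), (443, True)):
        print(port, "no Host:", is_rejected(ip, port, tls=tls))
        print(port, "IP as Host:", is_rejected(ip, port, ip, tls))
```

A timeout raised by `is_rejected` means the server neither replied nor closed the connection, which is not the 444 behaviour.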