From 9547868c7d8bb88ad626653eb4ef7db1403c2543 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Mon, 1 Mar 2021 17:40:05 +0100
Subject: [PATCH] Send nginx logs to local syslog
---
 roles/nginx/tasks/main.yml | 18 ++++++++++++++++++
 .../nginx/conf.d/extended_log.conf.j2 | 7 +++++++
 .../nginx/sites-available/redirect.j2 | 8 ++++++++
 .../nginx/sites-available/reverseproxy.j2 | 4 ++++
 .../reverseproxy_redirect_dname.j2 | 4 ++++
 .../templates/nginx/sites-available/service.j2 | 9 +++++++++
 .../templates/nginx/snippets/syslog.conf.j2 | 4 ++++
 7 files changed, 54 insertions(+)
 create mode 100644 roles/nginx/templates/nginx/conf.d/extended_log.conf.j2
 create mode 100644 roles/nginx/templates/nginx/snippets/syslog.conf.j2
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 210c7f0..a8fb885 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -29,6 +29,24 @@
 dest: "/etc/nginx/sites-enabled/default"
 state: absent
+- name: Add 'extended' log format
+ template:
+ src: nginx/conf.d/extended_log.conf.j2
+ dest: /etc/nginx/conf.d/extended_log.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: Reload nginx
+
+- name: Add syslog snippet
+ template:
+ src: nginx/snippets/syslog.conf.j2
+ dest: /etc/nginx/snippets/syslog.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: Reload nginx
+
 - name: Copy reverse proxy sites
 when: reverseproxy is defined
 template:
diff --git a/roles/nginx/templates/nginx/conf.d/extended_log.conf.j2 b/roles/nginx/templates/nginx/conf.d/extended_log.conf.j2
new file mode 100644
index 0000000..b28809f
--- /dev/null
+++ b/roles/nginx/templates/nginx/conf.d/extended_log.conf.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+log_format extended
+ '$remote_addr - $http_x_forwarded_for - $connection '
+ '$remote_user [$time_local] '
+ '"$host" "$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
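Review bot: `mode: 0644` in both new tasks of roles/nginx/tasks/main.yml is an unquoted YAML integer that works only because of the leading zero; the usual convention is the quoted string form, `mode: "0644"`. Separately, nothing in these two tasks checks the rendered files before the `Reload nginx` handler fires. If that handler (not visible in this patch) does not run a config test first, a broken template would only surface at reload time.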
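Review bot: In extended_log.conf.j2 the client-supplied `$http_x_forwarded_for` and `$remote_user` are written unquoted into a space-delimited format. nginx's default log escaping does not escape spaces, so a header value containing spaces shifts every later field for any parser or detection rule that reads these lines. Quoting them like the other client-controlled fields keeps the record unambiguous: `'$remote_addr - "$http_x_forwarded_for" - $connection '` and `'"$remote_user" [$time_local] '`. If the consumer can take JSON, `log_format extended escape=json ...` with a JSON layout is the more robust option.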
diff --git a/roles/nginx/templates/nginx/sites-available/redirect.j2 b/roles/nginx/templates/nginx/sites-available/redirect.j2
index 2543400..9e8e687 100644
--- a/roles/nginx/templates/nginx/sites-available/redirect.j2
+++ b/roles/nginx/templates/nginx/sites-available/redirect.j2
@@ -8,6 +8,8 @@ server {
 server_name {{ site.from }};
+ include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
 set_real_ip_from {{ realip }};
 {% endfor %}
@@ -25,6 +27,8 @@ server {
 server_name {{ site.from }};
+ include "/etc/nginx/snippets/syslog.conf";
+
 # SSL common conf
 include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
@@ -52,6 +56,8 @@ server {
 server_name {{ from }};
+ include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
 set_real_ip_from {{ realip }};
 {% endfor %}
@@ -72,6 +78,8 @@ server {
 # SSL common conf
 include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
+ include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
 set_real_ip_from {{ realip }};
 {% endfor %}
diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
index ae2d7a6..699d6d5 100644
--- a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
@@ -15,6 +15,8 @@ server {
 server_name {{ site.from }};
+ include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
 set_real_ip_from {{ realip }};
 {% endfor %}
@@ -39,6 +41,8 @@ server {
 access_log /var/log/nginx/{{ site.from }}.log;
 error_log /var/log/nginx/{{ site.from }}_error.log;
+ include "/etc/nginx/snippets/syslog.conf";
+
 # Keep the TCP connection open a bit for faster browsing
 keepalive_timeout 70;
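Review bot: Including `access_log`/`error_log` at server level stops that server block from inheriting any `access_log`/`error_log` set at the http level, because nginx inherits these directives only when the current level defines none. Every server block touched here without a file log of its own would then log to syslog only: all four in redirect.j2, the first hunk of reverseproxy.j2, and the blocks in reverseproxy_redirect_dname.j2 and service.j2. Whether that drops an existing file log depends on nginx.conf, which is not part of this patch. If a local file copy is wanted as a fallback for incident review, add explicit file `access_log`/`error_log` lines next to the include, as the second reverseproxy.j2 hunk already has. The server blocks continue outside the hunks.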
diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
index 819fd7a..f90d53b 100644
--- a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
@@ -12,6 +12,8 @@ server {
 server_name {{ from }};
+ include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
 set_real_ip_from {{ realip }};
 {% endfor %}
@@ -29,6 +31,8 @@ server {
 server_name {{ from }};
+ include "/etc/nginx/snippets/syslog.conf";
+
 # SSL common conf
 include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2
index 39f25eb..77c3d74 100644
--- a/roles/nginx/templates/nginx/sites-available/service.j2
+++ b/roles/nginx/templates/nginx/sites-available/service.j2
@@ -19,6 +19,9 @@ upstream {{ upstream.name }} {
 server {
 listen 443 default_server ssl;
 listen [::]:443 default_server ssl;
+
+ include "/etc/nginx/snippets/syslog.conf";
+
 include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
 server_name _;
@@ -50,6 +53,8 @@ server {
 # Hide Nginx version
 server_tokens off;
+ include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
 set_real_ip_from {{ realip }};
 {% endfor %}
@@ -71,6 +76,8 @@ server {
 server_name {{ server.server_name|join(" ") }};
 charset utf-8;
+ include "/etc/nginx/snippets/syslog.conf";
+
 # Hide Nginx version
 server_tokens off;
@@ -98,6 +105,8 @@ server {
 server_name {{ server.server_name|join(" ") }};
 charset utf-8;
+ include "/etc/nginx/snippets/syslog.conf";
+
 # Hide Nginx version
 server_tokens off;
diff --git a/roles/nginx/templates/nginx/snippets/syslog.conf.j2 b/roles/nginx/templates/nginx/snippets/syslog.conf.j2
new file mode 100644
index 0000000..b34867c
--- /dev/null
+++ b/roles/nginx/templates/nginx/snippets/syslog.conf.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+access_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=info extended;
+error_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=error;
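Review bot: The `severity=error` parameter on the `error_log` line has no effect, since nginx sets the severity of error messages itself and ignores this parameter in `error_log`; it can be dropped, or replaced by an explicit log level after the syslog target if a threshold was intended. Both lines also use the same `tag=nginx`, so downstream rules can separate access records from error records only by severity; distinct tags such as `tag=nginx_access` and `tag=nginx_error` would make routing and alerting simpler. Depending on the local syslog daemon's rate limiting, messages sent to /dev/log can be dropped under a request flood, so it is worth confirming those limits before treating syslog as the only copy.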