Custom Log Format and remote syslog

Hello!

I have a requirement to feed GitLab nginx logs to my SIEM solution; however, I am now looking for best practices for managing the nginx config file.

My vendor's instructions are as follows:

Add this to the HTTP block of nginx:

LEEF:1.0|NGINX|NGINX|$nginx_version|$status|devTime=$time_local\tdevTimeFormat=dd/MMM/yyyy:HH:mm:ss Z\tsrc=$remote_addr\tdst=$server_addr\tdstPort=$server_port\tproto=$server_protocol\tusrName=$remote_user\trequest=$request\tbody_bytes_sent=$body_bytes_sent\thttp_referer=$http_referer\thttp_true_client_ip=$http_true_client_ip\thttp_user_agent=$http_user_agent\thttp_x_header=$http_x_header\thttp_x_forwarded_for=$http_x_forwarded_for\trequest_time=$request_time\tupstream_response_time=$upstream_response_time\tpipe=$pipe\turi_query=$query_string\turi_path=$uri\tcookie=$http_cookie

So now I believe the solution in "Logs on Linux package installations | GitLab" will not work - I mean the option nginx['custom_log_format'].

Then we also need a remote syslog server reference in nginx, like this:

access_log syslog:server=QRadar_Server_IP:514,facility=Facility_Parameter qradar;

So that’s not supported at all?

Also, to make things even more complicated, I need to adjust the HOST entry to my X-Forwarded-For header if present so I catch the real IP - that also needs to go into the config file…

http {
    # Log the X-Forwarded-For value when it consists only of digits and dots;
    # otherwise fall back to the connecting address.
    map $http_x_forwarded_for $log_ip {
        default $remote_addr;
        "~^[0-9.]+$" $http_x_forwarded_for;
    }

    log_format combined '$log_ip - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
}

Hence, do I have any other option besides manually hacking the nginx file and GitLab ‘fixing/reverting’ it each time I reconfigure? Or can somebody think of some nice way?

Let me know if anyone has any idea how to do this ‘nice’!

Thanks
D
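
The map from the post, as an added example that is not part of the original post: a Python emulation of its regex beside a stricter selection, run over constructed header values to show what ends up in the logged address field. The function names, the trusted proxy range 10.0.0.0/8 and the assumption that the proxy appends the address it saw as the last X-Forwarded-For entry are all hypothetical.

```python
import ipaddress
import re

# Regex copied from the map block in the post: "~^[0-9.]+$"
POST_MAP_RE = re.compile(r"^[0-9.]+$")

# Assumption: the only hop allowed to set X-Forwarded-For sits in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def log_ip_post_map(xff, remote_addr):
    """Emulate the post's map: log XFF if it is only digits and dots."""
    return xff if xff and POST_MAP_RE.search(xff) else remote_addr


def log_ip_strict(xff, remote_addr, trusted=TRUSTED_PROXIES):
    """Use XFF only from a trusted peer, and only its last entry if it parses."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return remote_addr  # header came straight from an untrusted client
    last = (xff or "").split(",")[-1].strip()  # entry appended by the proxy
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return remote_addr  # empty or malformed header value


# Constructed sample input: (X-Forwarded-For value, connecting address)
SAMPLES = [
    ("203.0.113.7", "10.0.0.5"),                # one hop via the proxy
    ("198.51.100.9, 203.0.113.7", "10.0.0.5"),  # multi-hop list
    ("2001:db8::1", "10.0.0.5"),                # IPv6 client
    ("999.1.1.1.1", "10.0.0.5"),                # digits and dots, not an IP
    ("203.0.113.7", "192.0.2.50"),              # header sent by a direct client
    ("", "192.0.2.50"),                         # no header at all
]


def compare(samples=SAMPLES):
    """Return (xff, remote_addr, post_map_result, strict_result) per sample."""
    return [(x, r, log_ip_post_map(x, r), log_ip_strict(x, r)) for x, r in samples]


if __name__ == "__main__":
    for xff, peer, loose, strict in compare():
        print(f"xff={xff!r:30} peer={peer:12} map={loose:14} strict={strict}")
```

The fourth and fifth samples are the ones where the map logs a value that is not the client's address.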