Hello!
I have a requirement to feed Gitlab nginx logs to my SIEM solution however looking for best practices about managing nginx config file now.
What are my vendor instructions are as follows:
Add this to HTTP block of nginx
LEEF:1.0|NGINX|NGINX|$nginx_version|$status|devTime=$time_local\tdevTimeFormat=dd/MMM/yyyy:HH:mm:ss Z\tsrc=$remote_addr\tdst=$server_addr\tdstPort=$server_port\tproto=$server_protocol\tusrName=$remote_user\trequest=$request\tbody_bytes_sent=$body_bytes_sent\thttp_referer=$http_referer\thttp_true_client_ip=$http_true_client_ip\thttp_user_agent=$http_user_agent\thttp_x_header=$http_x_header\thttp_x_forwarded_for=$http_x_forwarded_for\trequest_time=$request_time\tupstream_response_time=$upstream_response_time\tpipe=$pipe\turi_query=$query_string\turi_path=$uri\tcookie=$http_cookie
So now I believe the solution in Logs on Linux package installations | GitLab. will not work - I mean option nginx[‘custom_log_format’]
Then we also need remote syslog server reference in nginx like that
access_log syslog:server=QRadar_Server_IP:514,facility=Facility_Parameter qradar;
So that’s not supported at all?
Also to make things even more complicated I need to adjust HOST entry to my X-Forwaded-For header if present so I catch real IP - that also need go to config file…
http {
map $http_x_forwarded_for $log_ip {
default $remote_addr;
"~^[0-9.]+$" $http_x_forwarded_for;
}
log_format combined '$log_ip - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
Hence, do I have any other option besides manually hacking nginx file and gitlab ‘fixing/reverting’ it each time I reconfigure? Or somebody can think about some nice way
Let me know if anyone has any idea to do this ‘nice’ !
Thanks
D