How to get nginx error.log and access.log with td-agent

投稿日:2017年3月21日 更新日:


Hello everyone, It’s candle.
In this time, we collect nginx log with td-agent.
I explain with td-agent, but basic configuration is similer with fluentd.


Td-agent or fluentd is installed
You have a nginx server.

Change the td-agent user

The user who execute td-agent server is the td-agent by default setting.
But only root user can gets nginx log.

If td-agent try to get nginx access.log and error.log, the error would appear about “Permission denied @ rb_sysopen – /var/log/nginx/access.log”.

To solve this, you would change the user of the td-agent server to root.
Open the “/etc/init.d/td-agent” file with your favorite editor.

sudo emacs /etc/init.d/td-agent

Change the value of “TD_AGENT_USER” in the file from “td-agent” to “root”.

Restart td-agent.

sudo service td-agent restart

The td-agent now can access to nginx log.

Get nginx access.log

Though there is the following format that takes nginx access.log,

format nginx

The result log contains “partter not match”
This is because the regular expression defined in “format nginx” and the result log are not match.

This is the sample log.

2017-03-05 05:21:39 +0000 [warn]: pattern not match: " - - [05/Mar/2017:05:21:39 +0000] "GET /assets/application.css HTTP/1.1" 304 0 "http://local-hogehogecom/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8" "-""

When I look into another format, many articles use ltsv format.
However, I don’t recommend this way too much.
The form of json is not so good.
This is the sample.

2017-03-05 05:17:00 +0000 nginx.access: {" - - [05/Mar/2017":"05:17:00 +0000] "GET /assets/application.js HTTP/1.1" 304 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8" "-""}

Therefore, I refer to the following site and define the format oneself.

Open the td-agent configuration file.


Write this code.

  @type tail
  path /var/log/nginx/access.log
  tag nginx.access
  pos_file /var/log/td-agent/nginx.access.pos
  format /^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) [(?<time>[^]]*)] "(?<method>S+)(?: +(?<path>[^ ]*) +S*)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^"]*)" "(?<agent>[^"]*)" "(?<forwarder>[^"]*)")?/
  time_key time_local

“type tail” tails a file defined by path
“path /var/log/nginx/access.log” is the target file of “type tail”
“tag nginx.access” tags the fetched logs.
“pos_file /var/log/td-agent/nginx.access.pos” defines a file that temporarily holds fetched logs
“Format” is written by regular expressions matching nginx access.log.
“time time_local” inserts time into the generated json.

For debugging, write the directive to display the fetched log.
If it matches the tag “nginx.access”, it will output to td-agent as standard output.

<match nginx.access>
  type stdout

Save the file and restart td-agent.

sudo service td-agent restart

The log of td-agent is /var/log/td-agent/td-agent.log.
Let’s watching it.

sudo tail -f /var/log/td-agent/td-agent.log

Access to nginx server with the browser and check whether the log is displayed.

The next text is a result log.

2017-03-05 14:21:08 +0000 nginx.access: {"remote":"","host":"-","user":"-","time":"05/Mar/2017:14:21:08 +0000","method":"GET","path":"/assets/application-89224d7948f4a0ac2f79b292da0.js","code":"304","size":"0","referer":"","agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8","forwarder":"-"}

It’s success.

Get nginx error.log

And next, we will get the nginx error.log.
Open the td-agent conf file.


Comment out the debugging directive of the access.log.

#<match nginx.access>
#  type stdout

Write this code.

  type tail
  path /var/log/nginx/error.log
  tag nginx.error
  pos_file /var/log/td-agent/nginx.error.pos
  format /^(?<time>d{4}/d{2}/d{2} d{2}:d{2}:d{2}) [(?<log_level>w+)] (?<pid>d+).(?<tid>d+): (?<message>.*)$/

The basic setting is the same as access.log.
About the “format”, it is described original regular expression.
It is a regular expression matching to nginx error.log.
I took it from the official website

Also write the following td-agent standard output for debugging.

<match nginx.error>
  type stdout

Save it and restart

sudo service td-agent restart

Let’s watch the td-agent log using “tail -f” as before.

sudo tail -f /var/log/td-agent/td-agent.log

I know It is difficult that you make nginx occur an error intentionally.
The under image is the error that is I access to the rails application when unicorn is stopped.

2017-03-05 08:28:00 +0000 nginx.error: {"log_level":"error","pid":"1970","tid":"1970","message":"*104 connect() to unix:/tmp/hogehoge_unicorn.sock failed (111: Connection refused) while connecting to upstream, client:, server:, request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/hogehoge_unicorn.sock:/", host: """}

It seems good.


We tried to get access.log and error.log of nginx.


If you think this article is good, share it please




Your email address will not be published. Required fields are marked *


Build up td-agent server on the EC2 of aws

English 日本語 Abstract Hello everyone, It’s candle. In this time we will build up td-agent environment on the ec2. Precondition You have a EC2.

Collect the Rails 4 production.log with td-agent

English 日本語 Abstract Hello everybody, It’s me candle. In this time, let’s get the rails 4 production.log by td-agent. I have been written same article, but there was lack of explanation and etc, I will rewrite it again. Also, I will show you how to get Rails 5 production.log at a later date. Precondition You must be able to execute ruby on rails in production mode. It is ok in any environment as long as it has executable. Such as webrick, nginx, puma and apache. td-agent or fluentd is instlled. It is assumed that td-agent or fluentd is installed.

Setup of td-agent-ui and operation check

English 日本語 Abstract Hello everyone, It’s candle. In this time, I will show you how to set up td-agent-ui and operation check. Td-agent is easier than fluentd to operate on the server. Precondition Td-agent is installed Please refer to the following article when building td-agent to Centos 6.5. Build up a td-agent server on centos 6.5 For EC2, here Build up td-agent server on the EC2 of aws

React + S3 + Route53 + CloudFront HTTPS connection using SSL

Abstract Hello everyone it’s me candle. This time we would like to try SSL connection with the React web application deployed to S3. Programers recently develop web services on the API server and React front end. Then SSL connection is often required on the React side as well. Not only that, but recently https is being standardized. We try to taht. Condition React web is deployed to S3 You have the S3 bucket that name is same as Route53 domain name Create a CloudFront distribution First we will create the distribution of CloudFront. Go to the CloudFront management console, select …

Collect Rails 5 production.log with td-agent

English 日本語 Abstract Hello everybody It’s me candle. In this article I will show you how to collect rails 5 production.log with td-agent. Rails 5 was changed log format and it cause some problem. I will solve it and explain. relational article If you are using rails 4 please refer to the following article. td-agentでRails 4のproduction.logを取得する Precondition You can work ruby on rails in production mode Before read this article you setup the rails production environment such as webrick, apache, puma and nginx. You already installed td-agent or fluentd. You need td-agent or fluentd. It is installed on the ruby …

I work in the venture company as a CTO. I start to write program in University, first I learned java, C++ and PHP. In the company, I'm developing web services by Rails. I do like to automation.