Getting NGINX Logs into Honeycomb | Honeycomb

Getting NGINX Logs into Honeycomb

NGINX is one of the most popular web servers today. In a world driven by the web and connected APIs, its logs are a great candidate for surfacing a birds’ eye view of activity in your service.

Explore the Honeytail NGINX Example App and read the blog post with user tips on sending NGINX logs to Honeycomb.


Capturing web logs for Honeycomb requires:

  1. installing our agent, honeytail
  2. configuring it to parse your NGINX logs correctly
  3. launching honeytail

Install the Agent 

Download and install the latest honeytail by running:

Download the honeytail_1.9.0_amd64.deb package.

wget -q

Verify the package.

echo '16bd171d495f73a2dc2c0d2a7eaaa36fc2c57446c9f8e5c5dfe10c1a8442241f  honeytail_1.9.0_amd64.deb' | sha256sum -c

Install the package.

sudo dpkg -i honeytail_1.9.0_amd64.deb

The packages install honeytail, its config file /etc/honeytail/honeytail.conf, and some start scripts. Build honeytail from source if you need it in an unpackaged form or for ad-hoc use.

Download the honeytail_1.9.0_arm64.deb package.

wget -q

Verify the package.

echo '70b3ec1a0a748556ef5f1d8decc83d47160ae30f5df55bd3ab666009d4f6dc4b  honeytail_1.9.0_arm64.deb' | sha256sum -c

Install the package.

sudo dpkg -i honeytail_1.9.0_arm64.deb

The packages install honeytail, its config file /etc/honeytail/honeytail.conf, and some start scripts. Build honeytail from source if you need it in an unpackaged form or for ad-hoc use.

Download the honeytail-1.9.0-1.x86_64.rpm package.

wget -q

Verify the package.

echo 'f4bc1a5c87e240d641c090f014793098b2e92e0fc58c0c0d0e592ab9e71f717a  honeytail-1.9.0-1.x86_64.rpm' | sha256sum -c

Install the package.

sudo rpm -i honeytail-1.9.0-1.x86_64.rpm

The packages install honeytail, its config file /etc/honeytail/honeytail.conf, and some start scripts. Build honeytail from source if you need it in an unpackaged form or for ad-hoc use.

Download the 1.9.0 binary.

wget -q -O honeytail

Verify the binary.

echo 'bc26b2dc4ae003e18e600c4157121f626f9292201d0b96280c9298df81df1852  honeytail' | shasum -a 256 -c

Set the permissions to allow execution.

chmod 755 ./honeytail

Download the 1.9.0 binary.

wget -q -O honeytail

Verify the binary.

echo '36d21063e656b380d6435003a56b21007289ab047b157c5618d2b94b6962a0fd  honeytail' | shasum -a 256 -c

Set the permissions to allow execution.

chmod 755 ./honeytail

Download the 1.9.0 binary.

wget -q -O honeytail

Verify the binary.

echo '04de45c55bb340a4c3e54e45b68b2b95ef8cae3fbc0c70d86db75d13d0aaeb2c  honeytail' | shasum -a 256 -c

Set the permissions to allow execution.

chmod 755 ./honeytail

Clone the Honeytail repository.

git clone

Install from source.

cd honeytail; go install

You should modify the config file and uncomment and set:

  • ParserName to nginx
  • WriteKey to your API key, available from the account page
  • LogFiles to the path for the log file you want to ingest. For NGINX, this is typically /var/log/nginx/access.log.
  • Dataset to the name of the dataset you wish to create with this log file.

Honeytail also supports configuration with YAML.

Identify Log Locations + Formats 

Make sure to run through Optional Configuration below before running honeytail, in order to get the richest metadata out of your web traffic and into your logs.

In addition to the standard configuration captured in /etc/honeytail/honeytail.conf, you will want to set the two options in the Nginx Parser Options section:

  • ConfigFile: the path to your NGINX config file: whichever part of it contains the definition for the log format
  • LogFormatName: the name of the log format used to produce the NGINX access log file

For example, if your nginx config file is at /etc/nginx/nginx.conf and has the following snippet:

log_format my_favorite_format '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent';
access_log /var/log/nginx/access.log my_favorite_format;

… then ConfigFile should be set to /etc/nginx/nginx.conf and your LogFormatName value should be set to my_favorite_format.

Or configure honeytail to read the nginx logs using command line parameters:

honeytail \
    --parser=nginx \
    --dataset=examples.honeytail-nginx \
    --writekey=$HONEYCOMB_WRITE_KEY \
    --nginx.conf=/etc/nginx/nginx.conf \
    --nginx.format=my_favorite_format \

Launch the Agent 

Start up a honeytail process using upstart or systemd or by launching the process by hand.

sudo initctl start honeytail
sudo systemctl start honeytail
honeytail -c /etc/honeytail/honeytail.conf

Backfilling Archived Logs 

In addition to getting current logs flowing, you can backfill old logs into Honeycomb to kickstart your dataset. By running honeytail from the command line, you can import old logs separate from tailing your current logs. Adding the --backfill flag to honeytail adjusts a number of settings to make it appropriate for backfilling old data, such as stopping when it gets to the end of the log file instead of the default behavior of waiting for new content (like tail).

The specific locations on your system may vary from ours, but once you fill in your system’s values instead of our examples, you can backfill using this command:

honeytail --writekey=YOUR_API_KEY --dataset="nginx API logs" --parser=nginx \
  --file=/var/log/nginx/access.16.log \
  --nginx.conf=/etc/nginx/nginx.conf \
  --nginx.format=api_fmt \

This command can be used at any point to backfill from archived log files. You can read more about our agent honeytail or its backfill behavior here.

honeytail does not unzip log files, so you will need to do this before backfilling. Easiest way—pipe to STDIN: zcat *.gz | honeytail --file - --backfill --all-the-other-flags.


First, check out honeytail Troubleshooting for general debugging tips.

Exiting with error message like log_format <format> not found in given config 

Make sure the file referenced by --nginx.conf contains your log format definitions. The log format definition should look something like the example below, and should contain whatever format name you are passing to --nginx.format:

log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

… which defines the output log format for the log format name “combined.”

Note that, in more advanced nginx setups, it is possible for the log format to be defined in an overall nginx.conf file, while a different config file (maybe under, say, /etc/nginx/sites-enabled/api.conf) tells nginx how to output the access_log and which format to use.

In this case, you will want to make sure and use the config file containing the log_format line for the --nginx.conf argument.

No data is being sent, and --debug reveals failed to parse nginx log line messages 

If your log format has fields that are likely to have spaces in them, make sure to surround that field with single quotes. For example, if $my_upstream_var is likely to contain spaces, you will want to change this:

log_format main '$remote_addr $host $my_upstream_var $request $other_field';

to a log_format with quotes:

log_format main '$remote_addr $host "$my_upstream_var" $request $other_field';

You can make sure that your quotes had the right effect by peeking at the nginx logs your server is outputting to make sure that the $my_upstream_var value is correctly surrounded by quotes.

It is good practice to put any variable that comes from an HTTP header in double quotes, because you are depending on whomever is sending you traffic to put only one string in the header. Some headers also default to multiple words. For example, the $http_authorization header is represented by a - if it is absent and is two words (Basic abcdef123456) when present.

Still Having Trouble? 

Join our Pollinators Community Slack to ask questions and learn more.

Optional Configuration 

Nginx logs can be an incredibly powerful, high-level view of your system—especially so if they are configured correctly and enriched with custom, application-specific information about each request. Below are two simple ways to pack those logs with more useful metadata.

Missing Default Options 

Nginx comes with some fairly powerful optional log fields that are not included by default. This is the log_format we recommend for any configuration file (note the extra quotes around some fields):

log_format combined '$remote_addr - $remote_user [$time_local] $host '
    '"$request" $status $bytes_sent $body_bytes_sent $request_time '
    '"$http_referer" "$http_user_agent" $request_length "$http_authorization" '
    '"$http_x_forwarded_proto" "$http_x_forwarded_for" $server_name';
access_log /var/log/nginx/access.log combined;

You may already have an access_log line, but by defining a log_format (combined, in the example above) and specifying the format name (--nginx.format=combined), you will be able to take advantage of all of these additional fields. Make sure that all fields that start $http_ are quoted in your log_format:

  • $bytes_sent: the size of the response sent back to the client, including headers
  • $host: the requested Host header, identifying how your server was addressed
  • $http_authorization: authorization headers, for associating logs with individual users (must be quoted)
  • $http_referer: the referring site, if the client followed a link to your site (must be quoted)
  • $http_user_agent: the User-Agent header, useful in identifying your clients (must be quoted)
  • $http_x_forwarded_for: the origin IP address, if running behind a load balancer (must be quoted)
  • $http_x_forwarded_proto: the origin protocol, if terminating TLS in front of nginx (must be quoted)
  • $remote_addr: the IP address of the host making the connection to ngnix
  • $remote_user: the user name supplied when/if using basic authentication
  • $request_id: an nginx-generated unique ID to every request (only available in nginx version 1.11 and later).
  • $request_length: the length of the client’s request, including headers and body
  • $request_time: the time (in ms) the server took to respond to the request
  • $request: the HTTP method, request path, and protocol version
  • $server_name: the hostname of the machine accepting the request
  • $status: the HTTP status code returned for this request

Embedding Custom Response Headers 

Nginx can also be configured to extract custom request and response headers. Of the two, response headers are the most powerful in this case—they can carry application-specific IDs or timers back through to the nginx log. Having all of the information pertinent to a single request, available in a single log line, can be an incredibly powerful tool in diagnosing the origin of a problem in your system.

To include a specific response header in your access.log, add an $upstream_http_ variable to your log_format—the response header values will be written out and ingested by our nginx parser! Make sure to put quotes around these variables to capture any embedded spaces.

For example, an X-RateLimit-Remaining header can be output by adding $upstream_http_x_ratelimit_remaining to the log_format line. See the nginx docs for more about extracting metadata from the HTTP response or request.

As with other fields which may output strings (for example,$http_user_agent), be careful when logging strings—add an extra set of double quotes around values which might contain spaces, in order to ensure correct parsing.

A final trick: sometimes, response headers may be set for logging that should not be exposed back to the user. In this case, the proxy_hide_header directive may be used to strip out specific headers by name:

log_format combined `... "$upstream_x_internal_top_secret" ...`; # Wrap string values with double quotes
access_log /var/log/nginx/access.log combined;
location / {
  proxy_pass;        # Expose port 8080
  proxy_hide_header X-Internal-Top-Secret; # Strip from client

Scrubbing Personally Identifiable Information 

While we believe strongly in the value of being able to track down the precise query causing a problem, we understand the concerns of exporting log data which may contain sensitive user information.

With that in mind, we recommend using honeytail’s nginx parser, but adding a --scrub_field=sensitive_field_name flag to hash the concrete sensitive_field_name value, or --drop_field=sensitive_field_name to drop it altogether and prevent it being sent to Honeycomb’s servers.

Find more information about dropping or scrubbing sensitive field.

Parsing URL Patterns 

honeytail can break URLs up into their component parts, storing extra information in additional columns. This behavior is turned on by default for the request field on nginx datasets, but can become more useful with a little bit of guidance from you.

See honeytail’s documentation for details on configuring our agent to parse URL strings.

Open Source 

Honeytail is open source and Apache 2.0 licensed.