syslog not properly tagged

Vladimir Homutov vl at
Tue Nov 10 09:23:33 UTC 2015

On Tue, Nov 10, 2015 at 11:08:44AM +0200, Avraham Serour wrote:
> Hi,
> I have an ubuntu machine and installed nginx stable using the ppa (1.9.3)
> In my conf I'm sending the logs to syslog:
> access_log syslog:server=unix:/dev/log,tag=lenginx_access le_json;
> error_log syslog:server=unix:/dev/log,tag=nginx,severity=error;
> then I'm using rsyslog to ship my logs to my logstash server.
> My problem is that it seems nginx does't properly tag the messages, I
> should be able to filter nginx messages in my rsyslog conf using:
> if $programname == 'nginx' then {
> but it seems $programname is my hostname, the tag is added to the message
> body

This happens because nginx uses remote syslog message format, which
includes hostname. To use it with local syslog daemon you have two

a) tell your syslog daemon that there is a hostname in a message coming
from nginx

b) tell nginx to not send hostname, using the 'nohostname' option, added
recently in 1.9.7 (

> This creates two problems: now I need to workaround to filter nginx
> messages and my message body format is messed up, my beautifully json
> format is now not a valid json and I need to further manipulate it.
> I was able to work around this for the access logs, my filter is now:
> if $msg contains 'lenginx_access' then {
> and I am using the substring to remove the prefix
> But I wasn't able to accomplish this for the error logs, it seems I can't
> use a custom format for the error logs
> So any way of custom formatting my error logs to output json?
> How can I tell nginx to properly tag the messages?
> btw, upon registering to this mailing list I got a confirmation email with
> my password, really??
> Avraham

More information about the nginx mailing list