nginx logs to syslog - connection refused


nginx is trying to send your logs via a network port but your rsyslog configuration does not allow for syslog reception.

You will need to configure rsyslog to accept syslog messages by uncommenting either the UDP or TCP syslog reception configuration. nginx likely defaults to UDP so I would suggest starting there.

Don't forget to allow syslog through any firewalls you may have configured.
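A static check for the mismatch described in this answer, as an added example that is not part of the original answer or of nginx/rsyslog: it reads the legacy-format reception directives from the question's rsyslog.conf and compares them with the target of an nginx `syslog:server=` parameter. The function names are hypothetical, and it assumes nginx sends syslog over UDP (port 514 when none is given) and that imuxsock listens on /dev/log, as stated in the comments further down.

```python
import re

# Constructed sample: the module/reception lines of the rsyslog.conf in the question.
RSYSLOG_CONF = """\
$ModLoad imuxsock # provides support for local system logging
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
"""

def rsyslog_inputs(conf):
    """Return the active inputs, e.g. {'unix:/dev/log', 'udp:514'}."""
    modules, inputs = set(), set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out directives
        m = re.match(r"\$(\w+)\s+(\S+)", line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "modload":
            modules.add(value)
            if value == "imuxsock":
                inputs.add("unix:/dev/log")  # assumed default socket of imuxsock
        elif name == "udpserverrun" and "imudp" in modules:
            inputs.add("udp:" + value)
        elif name == "inputtcpserverrun" and "imtcp" in modules:
            inputs.add("tcp:" + value)
    return inputs

def nginx_syslog_target(directive):
    """Map an nginx 'syslog:server=...' parameter to the input it needs."""
    m = re.search(r"syslog:server=([^,;\s]+)", directive)
    if not m:
        raise ValueError("no syslog server parameter")
    server = m.group(1)
    if server.startswith("unix:"):
        return server
    # Assumption: UDP transport, port 514 unless the address carries one.
    _, sep, port = server.rpartition(":")
    return "udp:" + (port if sep and port.isdigit() else "514")

def will_be_received(directive, conf):
    return nginx_syslog_target(directive) in rsyslog_inputs(conf)

if __name__ == "__main__":
    print(will_be_received("access_log syslog:server=localhost;", RSYSLOG_CONF))
```

With the configuration as posted, only the `unix:/dev/log` target is accepted, which also avoids opening a network listener for a purely local nginx.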


Author: Jan Langer

Updated on September 18, 2022

Comments

  • Jan Langer
    Jan Langer almost 2 years

    I'm trying to set up nginx 1.7.3 to send logs to syslog, but when I use this configuration:

    server {
        access_log syslog:server=localhost;
    }
    

    this shows up in nginx's error log:

    2015/01/15 21:42:47 [error] 16776#0: send() failed (111: Connection refused)
    2015/01/15 21:42:48 [error] 16776#0: send() failed (111: Connection refused)
    2015/01/15 21:42:50 [error] 16776#0: send() failed (111: Connection refused)
    

    I've followed http://nginx.org/en/docs/syslog.html and tried different parameters specified in there, but no luck...

    The server runs rsyslogd daemon and other applications (cron, mysql) log there without any issue.

    /etc/rsyslogd.conf

    #  /etc/rsyslog.conf    Configuration file for rsyslog.
    #
    #                       For more information see
    #                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
    
    
    #################
    #### MODULES ####
    #################
    
    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog   # provides kernel logging support
    #$ModLoad immark  # provides --MARK-- message capability
    
    # provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514
    
    # provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514
    
    
    ###########################
    #### GLOBAL DIRECTIVES ####
    ###########################
    
    #
    # Use traditional timestamp format.
    # To enable high precision timestamps, comment out the following line.
    #
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    #
    # Set the default permissions for all log files.
    #
    $FileOwner root
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    
    #
    # Where to place spool and state files
    #
    $WorkDirectory /var/spool/rsyslog
    
    #
    # Include all config files in /etc/rsyslog.d/
    #
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    
    ###############
    #### RULES ####
    ###############
    
    #
    # First some standard log files.  Log by facility.
    #
    auth,authpriv.*                 /var/log/auth.log
    *.*;auth,authpriv.none          -/var/log/syslog
    #cron.*                         /var/log/cron.log
    daemon.*                        -/var/log/daemon.log
    kern.*                          -/var/log/kern.log
    lpr.*                           -/var/log/lpr.log
    mail.*                          -/var/log/mail.log
    user.*                          -/var/log/user.log
    
    #
    # Logging for the mail system.  Split it up so that
    # it is easy to write scripts to parse these files.
    #
    mail.info                       -/var/log/mail.info
    mail.warn                       -/var/log/mail.warn
    mail.err                        /var/log/mail.err
    
    #
    # Logging for INN news system.
    #
    news.crit                       /var/log/news/news.crit
    news.err                        /var/log/news/news.err
    news.notice                     -/var/log/news/news.notice
    
    #
    # Some "catch-all" log files.
    #
    *.=debug;\
            auth,authpriv.none;\
            news.none;mail.none     -/var/log/debug
    *.=info;*.=notice;*.=warn;\
            auth,authpriv.none;\
            cron,daemon.none;\
            mail,news.none          -/var/log/messages
    
    #
    # Emergencies are sent to everybody logged in.
    #
    *.emerg                         :omusrmsg:*
    
    #
    # I like to have messages displayed on the console, but only on a virtual
    # console I usually leave idle.
    #
    #daemon,mail.*;\
    #       news.=crit;news.=err;news.=notice;\
    #       *.=debug;*.=info;\
    #       *.=notice;*.=warn       /dev/tty8
    
    # The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
    # you must invoke `xconsole' with the `-file' option:
    #
    #    $ xconsole -file /dev/xconsole [...]
    #
    # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
    #      busy site..
    #
    daemon.*;mail.*;\
            news.err;\
            *.=debug;*.=info;\
            *.=notice;*.=warn       |/dev/xconsole
    
    • Xavier Lucas
      Xavier Lucas over 9 years
      Post /etc/rsyslog.conf content.
    • Jan Langer
      Jan Langer over 9 years
      added to the post
    • Nishanth
      Nishanth over 9 years
      netstat -a | grep "tcp\|udp" lookup open ports + check for internal iptables -L even if localhost is unlikely to be blocked
    • Xavier Lucas
      Xavier Lucas over 9 years
      @Quinix Did you read nginx's documentation? Quoting: With a domain name or IP address, the port can be specified. If port is not specified, the port 514 is used. You have nothing listening on this port so the connection being refused is perfectly normal. Modify your rsyslog configuration accordingly.
  • Jan Langer
    Jan Langer over 9 years
    Oh, thanks! It works now. Is there some way to set it up via socket? I'm unable to find rsyslog's socket location. Server OS is Debian Wheezy.
  • Mehmet
    Mehmet over 9 years
    @Quinix /dev/log is the default log socket. So you can change your nginx config to syslog:server=unix:/dev/log
  • TimH - Codidact
    TimH - Codidact over 6 years
    @Mehmet your comment should be the accepted answer. Thank you!