Nginx Access Log

Records every HTTP request processed by Nginx

Edit this page

Quick Facts

Default Path (Linux)

/var/log/nginx/access.log

Docker

stdout

Default Format

combined

JSON Native

Yes (since 1.11.8)

Rotation

logrotate

Log Example

Default format: Combined Log Format

Example Log Entrylog

192.168.1.50 - alice [20/Dec/2025:14:32:18 +0100] "GET /api/users HTTP/1.1" 200 1534 "https://app.example.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

Structure:

$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"

Paths by Platform

Debian / Ubuntu

/var/log/nginx/access.log

RHEL / CentOS / Fedora

/var/log/nginx/access.log

Alpine

/var/log/nginx/access.log

Arch

/var/log/nginx/access.log

Available Formats

Combined Log Format

Default

Example:

192.168.1.50 - alice [20/Dec/2025:14:32:18 +0100] "GET /api/users HTTP/1.1" 200 1534 "https://app.example.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

Structure:

$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"

Common Log Format (CLF)

Example:

192.168.1.50 - alice [20/Dec/2025:14:32:18 +0100] "GET /api/users HTTP/1.1" 200 1534

Structure:

$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent

JSON Format

Native

Config Required

Available since version 1.11.8

Example:

{"time":"2025-12-20T14:32:18+01:00","remote_addr":"192.168.1.50","remote_user":"alice","request_method":"GET","request_uri":"/api/users","status":200,"body_bytes_sent":1534,"http_referer":"https://app.example.com","http_user_agent":"Mozilla/5.0...","request_time":0.052,"upstream_response_time":"0.050","request_id":"a1b2c3d4e5f6"}

Structure:

log_format json_combined escape=json
'{'
  '"time": "$time_iso8601",'
  '"remote_addr": "$remote_addr",'
  '"remote_user": "$remote_user",'
  '"request_method": "$request_method",'
  '"request_uri": "$request_uri",'
  '"status": $status,'
  '"body_bytes_sent": $body_bytes_sent,'
  '"http_referer": "$http_referer",'
  '"http_user_agent": "$http_user_agent",'
  '"request_time": $request_time,'
  '"upstream_response_time": "$upstream_response_time",'
  '"request_id": "$request_id"'
'}';

Fields Reference

Field	Type	Description	Example
`remote_addr`$remote_addr	ip	Client IP address	`192.168.1.50`
`remote_user`$remote_user	string	Authenticated user (HTTP Basic Auth)Note: Empty (-) if no authentication	`alice`
`time_local`$time_local	datetime	Timestamp in Apache format	`[20/Dec/2025:14:32:18 +0100]`
`time_iso8601`$time_iso8601	datetime	Timestamp in ISO format (recommended)	`2025-12-20T14:32:18+01:00`
`request`$request	string	Full request line	`GET /api/users HTTP/1.1`
`request_method`$request_method	string	HTTP method	`GET`
`request_uri`$request_uri	string	URI with query string	`/api/users?page=1&limit=10`
`uri`$uri	string	URI without query string	`/api/users`
`args`$args	string	Query string only	`page=1&limit=10`
`status`$status	integer	HTTP response status code	`200`
`body_bytes_sent`$body_bytes_sent	integer	Response body size in bytes (without headers)	`1534`
`bytes_sent`$bytes_sent	integer	Total bytes sent (with headers)	`1842`
`http_referer`$http_referer	string	Referer header	`https://app.example.com/dashboard`
`http_user_agent`$http_user_agent	string	User-Agent header	`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36`
`request_time`$request_time	float (seconds)	Total request processing time	`0.052`
`upstream_response_time`$upstream_response_time	float (seconds)	Backend response time	`0.05`
`upstream_addr`$upstream_addr	string	Upstream server address	`10.0.0.5:8080`
`request_id`$request_id	string	Unique request ID (traceability)	`a1b2c3d4e5f6`
`http_x_forwarded_for`$http_x_forwarded_for	string	Original IP if behind proxy/load balancer	`203.0.113.50, 70.41.3.18`
`ssl_protocol`$ssl_protocol	string	TLS protocol version	`TLSv1.3`
`ssl_cipher`$ssl_cipher	string	Cipher suite used	`TLS_AES_256_GCM_SHA384`

Parsing Patterns

Grok Patterns

combined:

%{COMBINEDAPACHELOG}

common:

%{COMMONAPACHELOG}

Regular Expressions

combined:

^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] "(?P<request_method>\S+) (?P<request_uri>\S+) (?P<protocol>[^"]+)" (?P<status>\d+) (?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"

Collector Configurations

logstashruby

1filter {
2  grok {
3    match => { "message" => "%{COMBINEDAPACHELOG}" }
4  }
5  date {
6    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
7  }
8}

Configuration

Enable Logging

Directive:

access_log /var/log/nginx/access.log combined;

Enabled by default

Disable Logging

Directive:

access_log off;

Change Format

Define a custom log_format
Apply it with access_log directive

# In http {} block
log_format custom '$remote_addr - $remote_user [$time_local] '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent" '
                  '$request_time $upstream_response_time';

# In server {} or location {} block
access_log /var/log/nginx/access.log custom;

Enable Json

Recommended

log_format json_combined escape=json
'{'
  '"time": "$time_iso8601",'
  '"remote_addr": "$remote_addr",'
  '"remote_user": "$remote_user",'
  '"request_method": "$request_method",'
  '"request_uri": "$request_uri",'
  '"status": $status,'
  '"body_bytes_sent": $body_bytes_sent,'
  '"http_referer": "$http_referer",'
  '"http_user_agent": "$http_user_agent",'
  '"request_time": $request_time,'
  '"upstream_response_time": "$upstream_response_time",'
  '"request_id": "$request_id"'
'}';

access_log /var/log/nginx/access.json json_combined;

escape=json escapes special characters to avoid breaking JSON

Add Request Id

Add unique ID to trace requests across services

# In server {} block
add_header X-Request-ID $request_id;

# Pass to backend
proxy_set_header X-Request-ID $request_id;

Conditional Logging

Log only certain requests

# Don't log health checks
map $request_uri $loggable {
  /health 0;
  /ready 0;
  default 1;
}

access_log /var/log/nginx/access.log combined if=$loggable;

Log To Syslog

access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,severity=info combined;

Log Rotation

Tool: logrotate | Config: /etc/logrotate.d/nginx

/etc/logrotate.d/nginx

/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
    endscript
}

Use Cases

Traffic monitoring

Requests per second, response codes

status

request_time

Backend performance

Upstream response times

upstream_response_time

upstream_addr

Error detection

5xx and 4xx spikes

status

Latency analysis

Slow requests, percentiles

request_time

Troubleshooting

All Available Variables

request

$requestFull request line

$request_methodHTTP method (GET, POST...)

$request_uriURI with query string

$uriURI without query string

$argsQuery string only

$query_stringAlias for $args

$request_bodyRequest body

$request_lengthRequest size

$request_timeProcessing time (sec)

$request_idUnique ID (since 1.11.0)

client

$remote_addrClient IP

$remote_portClient port

$remote_userHTTP Basic Auth user

$http_x_forwarded_forOriginal IP if proxied

response

$statusHTTP status code

$body_bytes_sentResponse size (without headers)

$bytes_sentTotal bytes sent

time

$time_localApache format timestamp

$time_iso8601ISO 8601 timestamp

$msecUnix timestamp with milliseconds

upstream

$upstream_addrBackend address

$upstream_response_timeBackend response time

$upstream_statusBackend HTTP status

$upstream_connect_timeConnection time

$upstream_header_timeTime to headers

ssl

$ssl_protocolTLSv1.2, TLSv1.3...

$ssl_cipherCipher used

$ssl_client_certClient certificate

$ssl_session_idSSL session ID

headers

$http_hostHost header

$http_refererReferer header

$http_user_agentUser-Agent header

$http_cookieCookie header

$http_HEADERAny header (replace HEADER)

server

$server_nameServer name

$server_addrServer IP

$server_portServer port

$server_protocolHTTP/1.0, HTTP/1.1, HTTP/2

$hostnameMachine hostname

$pidWorker process PID

$connectionConnection number

$connection_requestsRequests on this connection

Tested On

v1.26.2 on Ubuntu 24.04

jean_ops - 2025-12-15

v1.26.2 on Debian 12

marie_sec - 2025-12-18

v1.25.4 on Alpine 3.19

alex_devops - 2025-11-20

v1.24.0 on RHEL 9

pierre_admin - 2025-10-10

v1.26.1 on Docker (official image)

sarah_sre - 2025-12-01

Last updated: 2025-12-18 by marie_sec

6 contributors234 upvotes

Validated

Community Discussions

Help improve this documentation

Found an error or want to add more examples? Contributions are welcome!

Edit Report Issue

Nginx Access Log

Quick Facts

Log Example

Paths by Platform

Available Formats

Combined Log Format

Common Log Format (CLF)

JSON Format

Fields Reference

Parsing Patterns

Grok Patterns

Regular Expressions

Collector Configurations

Configuration

Enable Logging

Disable Logging

Change Format

Enable Json

Add Request Id

Conditional Logging

Log To Syslog

Log Rotation

Use Cases

Traffic monitoring

Backend performance

Error detection

Latency analysis

Troubleshooting

Logs are not being written

Special characters break my JSON

Timestamp not parsing correctly

I don't see requests to backend

Logs are too large

Client IP always 127.0.0.1 or proxy IP

All Available Variables

request

client

response

time

upstream

ssl

headers

server

Tested On

Community Discussions