VictoriaLogs: Adding syslog-ng to a host and ingesting nginx log from jails

This post is more self-documentation than anything else. The links in this post might be more useful than the content.

Today I’ll start pulling production FreshPorts nginx logs into VictoriaLogs. Over the past few days, I’ve configured a proof-of-concept and now I’m ready to try this in prod.

In this post:

  • FreeBSD 15.0 (installed on the host aws-1)
  • nginx-1.30.2_2,3 (running in a jail, aws-1-nginx01, on the host aws-1)
  • syslog-ng-4.11.0_2 (running on the host aws-1, pulling logs from the jail)

For the initial syslog-ng install and config, I’m following my blog post Replacing syslogd with syslog-ng (sysutils/syslog-ng) on FreeBSD. That work is not shown here.

Connection

This proves the host can connect to the VictoriaLogs host:

[11:41 aws-1 dvl ~] % nc -zv logs.int.unixathome.org 9428
Connection to logs.int.unixathome.org 9428 port [tcp/*] succeeded!

Next, let’s try a curl POST.

curl --cacert /etc/ssl/cert.pem -i -X POST "https://logs.int.unixathome.org:9428/insert/jsonline" \
  -H "Content-Type: application/json" \
  -d "{\"_msg\":\"GET /commit.php?category=net-p2p HTTP/1.1\",\"_time\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"_stream.app\":\"nginx\",\"status\":\"200\",\"remote_addr\":\"127.0.0.1\",\"body_bytes_sent\":\"1245\",\"request_time\":\"0.015\",\"http_user_agent\":\"CurlLiveTimeClientDVL/2.0\"}"

When run, it looks like this:

[11:43 aws-1 dvl ~] % curl --cacert /etc/ssl/cert.pem -i -X POST "https://logs.int.unixathome.org:9428/insert/jsonline" \
  -H "Content-Type: application/json" \
  -d "{\"_msg\":\"GET /commit.php?category=net-p2p HTTP/1.1\",\"_time\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"_stream.app\":\"nginx\",\"status\":\"200\",\"remote_addr\":\"127.0.0.1\",\"body_bytes_sent\":\"1245\",\"request_time\":\"0.015\",\"http_user_agent\":\"CurlLiveTimeClientDVL/2.0\"}"

HTTP/1.1 200 OK
Content-Type: application/json
Vary: Accept-Encoding
X-Server-Hostname: logs.int.unixathome.org
Date: Thu, 18 Jun 2026 11:44:36 GMT
Content-Length: 0

[11:44 aws-1 dvl ~] % 

Within VictoriaLogs, that looks like this:

{
  "_msg": "GET /commit.php?category=net-p2p HTTP/1.1",
  "_stream": "{}",
  "_stream.app": "nginx",
  "_stream_id": "0000000000000000e934a84adb05276890d7f7bfcadabe92",
  "_time": "2026-06-18T11:44:36Z",
  "body_bytes_sent": "1245",
  "http_user_agent": "CurlLiveTimeClientDVL/2.0",
  "remote_addr": "127.0.0.1",
  "request_time": "0.015",
  "status": "200"
}

Good. Now let’s get syslog-ng sending data to that host.

nginx json logs

It is rather easy to get syslog-ng to send JSON logs and VictoriaLogs is quite happy to ingest them. This seems to be both the recommended and the easiest approach.

For the nginx config in the jail (aws-1-nginx01), I followed Getting Nginx logs into Victoria-Logs. I won’t duplicate that here.

syslog-ng

The change for syslog-ng was very similar to what is in Getting Nginx logs into Victoria-Logs, apart from appending /jails/nginx01 to the path.

It just worked.

With the work done above, the following entry (from the nginx logs)

{
   "_time":"2026-06-18T12:30:12+00:00",
   "_msg":"GET /commit.php?category=devel&files=yes&message_id=201505061516.t46FGsGM055119%40svn.freebsd.org&port=py-liblarch HTTP/2.0",
   "status":"401",
   "remote_addr":"185.106.30.60",
   "body_bytes_sent":"42",
   "request_time":"0.008",
   "http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
   "_stream.app":"nginx",
   "http_referer":"http://freshports.org/commit.php?category=devel&files=yes&message_id=201505061516.t46FGsGM055119%40svn.freebsd.org&port=py-liblarch",
   "request_method":"GET",
   "host":"www.freshports.org",
   "hostname":"aws-1-nginx01.vpn.unixathome.org",
   "server_name":"www.freshports.org"
}

Becomes this, in VictoriaLogs:

{
  "_msg": "GET /commit.php?category=devel&files=yes&message_id=201505061516.t46FGsGM055119%40svn.freebsd.org&port=py-liblarch HTTP/2.0",
  "_stream": "{}",
  "_stream.app": "nginx",
  "_stream_id": "0000000000000000e934a84adb05276890d7f7bfcadabe92",
  "_time": "2026-06-18T12:30:12Z",
  "body_bytes_sent": "42",
  "host": "www.freshports.org",
  "hostname": "aws-1-nginx01.vpn.unixathome.org",
  "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
  "remote_addr": "185.106.30.60",
  "request_method": "GET",
  "request_time": "0.008",
  "server_name": "www.freshports.org",
  "status": "401"
}

The query I used to find that entry: hostname: aws-1-nginx01.vpn.unixathome.org remote_addr: 185.106.30.60
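
An added example, not from the original post: a Python check that compares the nginx JSON line with the record read back from VictoriaLogs, treating `+00:00` and `Z` as the same time and ignoring the server-generated `_stream` and `_stream_id`. The function names are hypothetical, and the sample input is a subset of the fields from the two records above; on them it reports `http_referer` as absent from the stored record as shown.

```python
import json
from datetime import datetime, timezone

# Fields VictoriaLogs generates itself; they are not in the nginx line.
SERVER_FIELDS = {"_stream", "_stream_id"}

def norm_time(value):
    """Return an RFC 3339 timestamp as UTC with a Z suffix (second precision)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def ingest_diff(sent_line, stored_line):
    """Compare an nginx JSON log line with the record read back from VictoriaLogs.

    Returns (missing, changed, extra): fields absent from the stored record,
    fields whose value differs, and stored fields that were never sent.
    """
    sent, stored = json.loads(sent_line), json.loads(stored_line)
    missing, changed = [], {}
    for key, value in sent.items():
        if key not in stored:
            missing.append(key)
            continue
        got = stored[key]
        if key == "_time":  # +00:00 and Z are the same instant
            value, got = norm_time(value), norm_time(got)
        if value != got:
            changed[key] = (value, got)
    extra = sorted(set(stored) - set(sent) - SERVER_FIELDS)
    return sorted(missing), changed, extra

# Sample input: a subset of the fields from the two records on this page.
PATH = ("/commit.php?category=devel&files=yes"
        "&message_id=201505061516.t46FGsGM055119%40svn.freebsd.org&port=py-liblarch")
SENT = json.dumps({
    "_time": "2026-06-18T12:30:12+00:00", "_msg": "GET " + PATH + " HTTP/2.0",
    "status": "401", "remote_addr": "185.106.30.60", "_stream.app": "nginx",
    "http_referer": "http://freshports.org" + PATH,
    "hostname": "aws-1-nginx01.vpn.unixathome.org",
})
STORED = json.dumps({
    "_msg": "GET " + PATH + " HTTP/2.0", "_stream": "{}", "_stream.app": "nginx",
    "_stream_id": "0000000000000000e934a84adb05276890d7f7bfcadabe92",
    "_time": "2026-06-18T12:30:12Z", "status": "401",
    "remote_addr": "185.106.30.60",
    "hostname": "aws-1-nginx01.vpn.unixathome.org",
})

if __name__ == "__main__":
    print(ingest_diff(SENT, STORED))
```

Running a check like this on a sample of lines after any change to the nginx log format or the syslog-ng destination shows whether a field that queries or alerts depend on has stopped arriving.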

Lightning talk

I’m fairly impressed by this so far. I’m going to give a lightning talk on Saturday for BSDCan 2026.
