Nginx Access & Error Logs
Nginx reverse proxy and web server — access logs with upstream timing, error logs with module context, bot/crawler traffic, scanner probes, and correlated 4xx/5xx error entries.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
--path generators/web-nginx/generator.yml \
--id nginx \
--live-mode trueEvent Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| access-success | HTTP 2xx/3xx responses | ~84% | web |
| access-failure | HTTP 4xx/5xx responses | ~11% | web |
| error-upstream | Upstream connect/timeout/reset | ~2.5% | web |
| error-filesystem | File not found, permission denied | ~1.5% | web |
| error-client | Body too large, premature close | ~0.5% | web |
| error-ssl | TLS handshake failures | ~0.3% | web |
| error-system | Bind failures, worker crashes | ~0.2% | web |
Realism Features
- Weighted event distribution matching production nginx traffic (~95% access, ~5% error)
- URL category distribution — static assets (40%), HTML pages (30%), API endpoints (18%), well-known files (12%)
- HTTP method correlation — GET 85%, POST 10%, with method-specific status codes
- User agent distribution — desktop browsers (55%), mobile (20%), bots (10%), tools (8%)
- Scanner probe simulation — wp-login.php, .env, .git/config with realistic 404 responses
Sample Output
{
"@timestamp": "2026-02-21T14:32:07.123456+00:00",
"event": {
"category": ["web"],
"dataset": "nginx.access",
"kind": "event",
"module": "nginx",
"outcome": "success",
"type": ["access"]
},
"http": {
"request": { "method": "GET" },
"response": {
"body": { "bytes": 18432 },
"status_code": 200
}
},
"url": { "original": "/products", "path": "/products" },
"user_agent": {
"name": "Chrome",
"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/133.0.0.0"
}
}Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | web-srv-01 | Nginx server hostname |
| server_name | example.com | Virtual host domain name |
| upstream_addr | 127.0.0.1:8080 | Backend upstream address |
| agent_id | a7b8c9d0-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version string |
Related Generators
Apache HTTP Server
Apache httpd access and error logs — page/asset/API requests, bot crawlers (Googlebot, GPTBot), scanner probes, 3xx redirects, and correlated 4xx/5xx error log entries with module context.
Cisco AnyConnect VPN
Cisco ASA AnyConnect SSL VPN — session lifecycle from RADIUS authentication through tunnel establishment, IP assignment, DAP policy evaluation, session roaming between gateways, to graceful disconnection.
Citrix NetScaler Gateway VPN
Citrix ADC / NetScaler Gateway VPN syslog events covering the full SSL VPN session lifecycle — authentication, login/logout, ICA application launches, TCP/UDP connection statistics, HTTP resource access, client security checks, session timeouts, and license limit alerts.