This post is also available in : Spanish

Engine X: alternate web server and its handmade monitoring

Nginx (Engine X) is present in at least 22% of domains (as of May 2018), in second place due to its ability to deal with ten thousand or more connections. Now, if we already have everything covered when it comes to professional monitoring with Pandora FMS, what do we need to learn? Well, we do not intend to turn you into professionals with a series of articles but we will talk about it so that you have basic information.

Installation of Engine X, Nginx

This is an example with an Ubuntu 18 server in a virtual local area network, we will update its repositories for its later installation with administrator rights:
sudo apt-get update sudo apt-get upgrade sudo apt-get install nginx sudo nginx –t

It is that easy! We can even install it for Pandora FMS on CentOS or for any other GNU/Linux platform. In the last command line above, it allows to check its operation and to know where “logs” are located.

Essentially there are three kinds of metrics to collect (we’ll just see the basics, access.log):

Basic activity metrics.
Error metrics (error.log).
Performance metrics (Pandora FMS Enterprise).

As for the format of these registers, the three main web servers (Apache, Nginx and Microsoft IIS) use the Apache rules and with a simple command we can visualize -and monitor in real time- what happens in our device:

sudo tail -f /var/log/nginx/access.log

ngxtop

At this moment we would like to have Pandora FMS installed in a big screen and with wonderful graphics of the web console, but let’s continue with our terminal window and leave behind the tools that every GNU/Linux administrator knows and start with a new one, based on Python language: ngxtop.

If the name sounds familiar, yes, it is the contraction of Nginx (Engine X) and the legendary command top and is part of the special repository of the Python language. The language as such is included in 99% of GNU/Linux distributions, but given the amount of material written for that environment the most sensible thing is to install a package manager called pip (ngxtop can also be installed from the source code with git clone):

Once installed we will be able to use ngxtop and verify if it was installed with the command “ngxtop info” (see previous figure). We will be able to visualize which are the IP addresses that most demand requests and the exact files requested, all this in real time:

Combining conditions

In programming a variable represents a figure or text string that changes at will or by events and in ngxtop we have the following:

http_referer: the IP address currently assigned to the web server.
http_user_agent: name of the web browser that visits our site.
remote_addr: IP address of the visitor.
status: status of each of the requests (HTTP headers).
body_bytes_sent: sent bytes.

The interesting thing is that we will be able to combine the parameters that we pass to ngxtop, for example the following case:

ngxtop --no-follow -i 'status == 200' print http_user_agent

With the parameter “-i” we filter the requests to files that were successful. The “print” command is in charge of showing the name of the web browsers. The “–no-follow” parameter is used to look at the past, which is recorded. With this step we enter the monitoring mode:

As we can see in the figure above, the clear advantage of using the terminal is the ability to combine multiple tools: with ngxtop and the grep command we are able to detect whether a device such as a Kindle has visited any of our web pages.
For the basic parameters we have:

“t”: to change the number of seconds, default two, to refresh the information.
“d”: displays code debug lines.
” –version”: shows the installed version.
“-h”: help, displays the rest of the available parameters.
top, avg, sum: allows you to perform operations of maximum value, average and sum on the sent bytes.

With the latest commands we can calculate the number of bytes sent by our server:

ngxtop --no-follow sum body_bytes_sent

Or discriminate how many bytes were valid element queries and how many bytes of files we don’t have on our server:

If your web server is behind a load balancer or inverse proxy (such as another nginx server) we must add the following line “real_ip_header X-Forwarded-For;” in the configuration file “/etc/nginx/conf.d/default.conf” in order to receive the real IP address of our visitors; then we must restart the service with “/etc/init.d/nginx restart”. If you want to expand your knowledge to the field of computer forensics we recommend you study the tool LORG, which needs PHP language for its operation.

Extending usage to Apache

As we mentioned, since nginx uses the same registry structure, we can use ngxtop to monitor an Apache server by specifying where it will get the data to turn it into information:

tail -follow /var/log/apache2/access.log | ngxtop -f common

tail: the command that gives us the last ten lines of a text file.
-follow: tells tail to “follow” the file, i.e. if data is added to it, process those lines.
/var/log/apache2/access.log: location of the Apache web server log file.
“|”: command “pipe” that “passes” the result of the tail command to the next command, in this case nxgtop.
-f: specifies the format used in the record, in this case the common format.

Beyond nginx

As we said, this is just an introduction of the capabilities of this application, Nginx (Engine X) Other features include reverse proxying, both web and email. If you need to monitor not only Engine X, but any other devices connected to the Internet, you certainly have to contact us!

All images shown here are under the Creative Commons 3.0 License.