# Enable NGINX logs




F5 NGINXaaS for Google (NGINXaaS) supports integrating with Google Cloud services to collect NGINX error and access logs, and F5 WAF for NGINX security logs.

## Prerequisites

- Enable the [Cloud Logging API](https://docs.cloud.google.com/logging/docs/api/enable-api).
- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF](/nginxaas-google/getting-started/access-management.md#configure-wif) for exact steps.
- Grant a project-level role or grant your principal access to the `roles/logging.viewer` role. See [Google's documentation on controlling access to Cloud Logging with IAM](https://cloud.google.com/logging/docs/access-control).

## Setting up error logs

NGINX error logs are disabled by default. You can enable error logs by adding **error_log** directives to your NGINX configuration to specify the location of the logs and formats. The log path should always be configured to be inside **/var/log/nginx**.

While you should configure log files in the **/var/log/nginx** directory, you can change the filename and severity level. For example, the following line in the NGINX configuration sends errors to the `nginx-error.log` file, and limits messages to a severity level of **emerg**:

```nginx
error_log /var/log/nginx/nginx-error.log emerg;
```

Alternatively, you can disable error logs completely with the following line:

```nginx
error_log /dev/null;
```

To learn more about how to specify `error_log` in different configuration levels, see the documentation of the [error_log](https://nginx.org/en/docs/ngx_core_module.html?#error_log) directive.

## Setting up access logs

NGINX access logs are disabled by default. You can enable access logs by adding **access_log** directives to your NGINX configuration to specify the location of the logs and formats. The log path should always be configured to be inside **/var/log/nginx**.

```nginx
http {
	log_format myfmt '$remote_addr - $remote_user [$time_local] '
						   '"$request" $status $body_bytes_sent '
						   '"$http_referer" "$http_user_agent" "$gzip_ratio"';

	access_log /var/log/nginx/nginx-access.log myfmt;
	# ...
}
```

**Note:**  The **$time_local** variable includes the date and time for each log. It helps with ordering logs after export. 

To explicitly disable access logs, apply the following config:

```nginx
http {
	access_log off;
}
```

or

```nginx
http {
	access_log /dev/null;
}
```

To learn more about how to specify `access_log` in different configuration levels and their effect, see [access_log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log)

**Note:** Keep NGINX logs in the **/var/log/nginx** directory. Otherwise, you may lose data from your logs.

## Setting up F5 WAF for NGINX security logs

You can enable security logs by adding **app_protect_security_log** directives to your NGINX configuration to specify the location of the logs and logging formats. The log path should always be configured under **/var/log/app_protect**.

```nginx
app_protect_security_log_enable on;
app_protect_security_log log_default /var/log/app_protect/security.log;
```

NGINXaaS does not support custom logging profiles and is limited to the [default logging profiles](/waf/logging/logs-overview.md#default-logging-profile-bundles).

**Note:** WAF logs should always be stored under the **/var/log/app_protect** directory. You may lose logging data if you choose any other log paths.

## Export NGINX logs to a Google Cloud Project

To enable sending logs to your desired Google Cloud project, you must specify the project ID when creating or updating a deployment. To create a deployment, see [our documentation on creating an NGINXaaS deployment](/nginxaas-google/getting-started/create-deployment/) for a step-by-step guide. To update the deployment, in the NGINXaaS console,

1. On the left menu, select **Deployments**.
1. Select the deployment you want to update and select **Edit**.
1. Enter the project you want metrics to be send to under **Log Project ID**.
1. Select **Update**.

## View NGINX logs in Google Cloud Logging

In the [Google Cloud Console](https://console.cloud.google.com/),

1. Go to your log project.
2. Search for "Logs Explorer".

Refer to the [Google's Logs Explorer](https://cloud.google.com/logging/docs/view/logs-explorer-interface) documentation to learn how you can create queries.

NGINX access and error logs sent to Cloud Logging will have the log name `nginx-logs` which can be used to filter NGINX logs from the rest of your project logs. You can also filter based on log labels, for example,

* `filename`
* `nginxaas_organization_object_id`
* `nginxaas_deployment_location`
* `nginxaas_deployment_name`
* `nginxaas_deployment_object_id`
* `nginxaas_namespace`

## Disable Exporting NGINX logs to a Google Cloud Project

To disable sending logs to your Google Cloud project, update your NGINXaaS deployment to remove the reference to your project ID. To update the deployment, in the NGINXaaS console,

1. On the navigation menu, select **Deployments**.
1. Select the deployment you want to update and select **Edit**.
1. Remove the project ID under **Log Project ID**.
1. Select **Update**.

## Troubleshooting

If Google Cloud Logging is not showing any logs, check for **Failed Log Export to Google** events from your NGINXaaS deployment.

In the NGINXaaS console:

1. On the navigation menu, select **Events**.
1. Select **Add Filter**.
1. Select **Affected Object** and the name of your NGINXaaS deployment.

Events are deleted after 14 days.