nginx. How to log ssl errors without blowing up the server logs
Solution 1:
All the SSL handshake errors you mention are logged by nginx at an info
level, so you don't need to enable debugging.
You don't mention which distribution you are using, but most systems nowadays come with SystemD so redirecting your logs to standard error:
error_log stderr info;
or syslog:
error_log syslog:server=/dev/log info;
will allow systemd-journald to capture all Nginx logs and administer their size. A simple:
journalctl -u nginx.service -a -p info
will allow you to list all debug messages above info
level (assuming you use syslog).
If you need more data for certain clients, you can use Nginx's debug_connection:
events {
debug_connection 192.0.50.1;
...
}
As you mention in your question, setting a log level of debug
for all clients will certainly produce a lot of output. If you need to enable debugging you might do it on a per subsystem level. Although it is not documented in the documentation of error_log, this directive accepts also a finer subdivision of the debug
level (cf. source code): debug_core
, debug_alloc
, debug_mutex
, debug_event
, debug_http
, debug_mail
, debug_stream
. You are interested in the debug_event
level, but you can add several in the error_log
directive, e.g.:
error_log syslog:server=/dev/log debug_http debug_event;
Solution 2:
A:
- enable "debug"
- create pipe instead of logfile (ensure it won't be hurt by logrotation)
- create listener in background (cat awk, grep, sed, whatever, etc)
- restart nginx
B:
error_log syslog:server=unix:/var/log/nginx.sock debug;