Error Logs

The error log records:

• Problems encountered while processing requests
• Configuration and runtime errors
• Warnings, alerts, and critical failures
• Important internal events (timeouts, upstream failures)

Unlike access logs:

• Not per-request
• Event-driven
• Essential for troubleshooting & security monitoring

How Error Logging Works Internally

1. NGINX starts or reloads configuration
2. Internal events occur (client, upstream, filesystem, SSL, memory)
3. If event severity ≥ configured level → it is logged
4. Log entry is written immediately

Error logs are synchronous and high priority.

Core Directive: error_log

error_log /var/log/nginx/error.log warn;

Syntax

error_log <path> <log_level>;

• path → file, syslog, or stderr
• log_level → minimum severity to log

NGINX Error Log Levels (Most Important Section)

NGINX log levels (from least to most severe):

Level	Description	Typical Use
debug	Extremely detailed	Development only
info	Informational events	Rarely used
notice	Normal but significant	Startup/reload
warn	Potential problems	Default
error	Request failed	Production monitoring
crit	Critical condition	Immediate attention
alert	Action required	Sysadmin intervention
emerg	System unusable	System down

• Production → error or warn
• Debugging → debug (temporarily)

Default Error Log Example

2026/01/22 11:05:34 [error] 2458#2458: *1024 open() "/var/www/html/logo.png" failed (2: No such file or directory),
client: 203.0.113.10, server: example.com, request: "GET /logo.png HTTP/1.1", host: "example.com"

Part	Meaning
Timestamp	When error occurred
[error]	Severity level
2458#2458	Worker process ID
*1024	Connection ID
open() failed	Error description
client	Client IP
request	Request line
server	Virtual host

Common Error Log Messages Explained

File Not Found (404)

open() "/var/www/html/favicon.ico" failed (2: No such file or directory)

• Normal
• Can be ignored or fixed by adding file

Permission Denied (403)

open() "/var/www/private/data.txt" failed (13: Permission denied)

• Misconfigured permissions
• Fix with correct ownership/SELinux context

Upstream Timeout

upstream timed out (110: Connection timed out) while reading response header from upstream

• Backend slow or down
• Investigate app performance

SSL/TLS Errors

SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number)

• Client using unsupported TLS
• Common during scans

Rate Limiting Triggered

limiting requests, excess: 5.000 by zone "api"

• Indicates attack or abuse
• Good security signal

Connection Limiting Triggered

limiting connections by zone "conn_limit"

• Possible Slowloris or connection flood

Setting Different Error Log Levels per Context

Global Level

error_log /var/log/nginx/error.log error;

Per Virtual Host

server {
    error_log /var/log/nginx/example_error.log warn;
}

Useful for noisy applications

Debug Logging (Advanced)

Enable Debug Build

nginx -V 2>&1 | grep -- --with-debug

Enable Debug Logs

error_log /var/log/nginx/debug.log debug;

• Produces huge logs
• Never enable in production long-term

Logging to Syslog (Centralized Monitoring)

error_log syslog:server=192.168.1.10:514,facility=local7,tag=nginx error;

• SIEM integration
• Centralized alerting

Logging to STDERR (Containers / Kubernetes)

error_log /dev/stderr warn;

• ✔ Docker & Kubernetes best practice
• ✔ Collected by platform logging

Security Monitoring Using Error Logs

Signal	Possible Threat
Repeated 403/401	Brute-force
SSL handshake failures	TLS downgrade / scans
Rate limit logs	DDoS attempts
Upstream timeouts	App-layer DoS
Permission errors	Path traversal

Common Error Logging Mistakes

Mistake	Impact
Using debug in prod	Disk exhaustion
Ignoring error logs	Blind failures
No log rotation	Server crash
Single global log	Hard to isolate issues
No monitoring alerts	Late response

Recommended Production Error Log Setup

error_log /var/log/nginx/error.log error;

server {
    listen 443 ssl;
    server_name example.com;

    error_log /var/log/nginx/example_error.log warn;
}