My server is compiled on Docker.
The Nginx container is built from a standard assembly.
I want to read nginx's access.log, but I see this kind of content:
172.68.244.173 - - [24/Aug/2018:12:14:04 +0000] "\x16\x03\x01\x00\xEC\x01\x00\x00\xE8\x03\x03\x8A?\xB5\xFA\x17?\x8A\x9B\x04T>yK\x1A\xF6\x8F_\xBE:.\xF9\xED\xF6\xEE\xFCM\xD0\x88Ji\xDD\xF5 \xFF\xBDm\x98@mo:U\xA6\x0E\xB7\x93\x02sm`\xC6\xD1s0vV*\x88y\xDA&\xFCfZ\xF4\x00\x16\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0\x13\x00\x9C\x00/\xC0(\x005\x00" 400 173 "-" "-"
How do I read such a log? What does this mean?
According to the nginx documentation, the default access log format is:
log_format combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
Applied to your log line:
$remote_addr = 172.68.244.173
(literal string for compatibility reasons) = -
$remote_user (from Auth Header) = -
$time_local = [24/Aug/2018:12:14:04 +0000]
$request = "\x16\x03\x01\x00\xEC\x01\x00\x00\xE8\x03\x03\x8A?\xB5\xFA\x17?\x8A\x9B\x04T>yK\x1A\xF6\x8F_\xBE:.\xF9\xED\xF6\xEE\xFCM\xD0\x88Ji\xDD\xF5 \xFF\xBDm\x98@mo:U\xA6\x0E\xB7\x93\x02sm`\xC6\xD1s0vV*\x88y\xDA&\xFCfZ\xF4\x00\x16\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0\x13\x00\x9C\x00/\xC0(\x005\x00"
$status = 400
$body_bytes_sent = 173
$http_referer = "-"
$http_user_agent = "-"
To summarize: Your server received a request from the address 172.68.244.173 with no user agent header sent and the request consisted of mostly non-printable characters. Slight possibility this is a broken client sending a bad request, more likely it's an attempt to discover a vulnerability in your web server or application. This will happen often to any server on the internet.
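An added example, not part of the answer above: a Python sketch that splits a combined-format line into the fields listed and decodes the \xHH escapes in $request, then checks whether the bytes start with a TLS handshake record header (0x16 0x03 ..., followed by a ClientHello), which is what a client speaking HTTPS to a plain-HTTP listener sends. The function names and both sample lines are constructed for illustration.

```python
import re

# nginx "combined" layout, as quoted in the answer above.
COMBINED = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def unescape(value):
    """Turn nginx's \\xHH log escapes back into the raw bytes the client sent."""
    return re.sub(rb"\\x([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), value.encode("utf-8"))

def analyze(line):
    """Parse one access-log line and label what the request bytes look like."""
    m = COMBINED.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    raw = unescape(rec["request"])
    if re.fullmatch(rb"[A-Z]+ \S+ HTTP/\d\.\d", raw):
        rec["kind"] = "http"
    elif len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[5] == 0x01:
        # TLS record: type 0x16 (handshake), 2-byte version, 2-byte length,
        # then handshake type 0x01 (ClientHello).
        rec["kind"] = "tls-client-hello"
        rec["record_version"] = TLS_VERSIONS.get((raw[1], raw[2]), "unknown")
        if len(raw) >= 11:  # ClientHello version follows its 3-byte length
            rec["hello_version"] = TLS_VERSIONS.get((raw[9], raw[10]), "unknown")
    else:
        rec["kind"] = "other-binary" if any(b < 0x20 or b > 0x7E for b in raw) else "other"
    return rec

# Constructed sample lines (documentation addresses; request bytes shortened).
TLS_LINE = r'192.0.2.10 - - [24/Aug/2018:12:14:04 +0000] "\x16\x03\x01\x00\xEC\x01\x00\x00\xE8\x03\x03\x8A?\xB5" 400 173 "-" "-"'
HTTP_LINE = '192.0.2.11 - - [24/Aug/2018:12:15:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.0"'

if __name__ == "__main__":
    for sample in (TLS_LINE, HTTP_LINE):
        print(analyze(sample))
```

nginx stops reading the request line at the first line feed, so the logged bytes are usually shorter than the record length in the header; the check above only needs the first few bytes.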