Syslog server to AWS CloudWatch Logs Bridge

Primary language: Go. License: MIT.

Syslog CloudWatch Logs bridge

This is a Syslog server that forwards all logs it receives to AWS CloudWatch Logs.

Features:

  • Uses AWS's SDK to get credentials from the environment, credentials file or IAM Role.
  • TCP and UDP Syslog server on a configurable port (default 514).
  • Automatic support for syslog messages in RFC3164, RFC6587 or RFC5424 formats.
  • Configurable CloudWatch Log Group.
  • Creates a new CloudWatch Log Stream on each invocation, which persists for the runtime of the server.
  • Dockerized in a minimal container (~8MB).

Usage Example

Create an IAM user that can create Log Streams and put Log Events

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}
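
The Resource `arn:aws:logs:*:*:*` above matches every log group and stream. As an added example (not part of the project), this shell function renders the same two permissions scoped to a single log group and refuses inputs that would reintroduce a wildcard. The function name `bridge_policy` is hypothetical and the account ID 123456789012 is a placeholder; the region and group name are the ones used in the run step of this README.

```shell
# Added example, not the project's code: render the bridge's IAM policy
# scoped to one log group instead of arn:aws:logs:*:*:*.
# bridge_policy is a hypothetical helper name.
#
# Usage: bridge_policy REGION ACCOUNT_ID LOG_GROUP > policy.json
# e.g.   bridge_policy ap-southeast-2 123456789012 test-logger
#        (123456789012 is a placeholder account ID)
bridge_policy() {
    local region account group
    region="$1"; account="$2"; group="$3"

    # Reject anything that could smuggle a wildcard back into the ARN.
    case "$region" in
        ""|*[!a-z0-9-]*) echo "invalid region: $region" >&2; return 1 ;;
    esac
    case "$account" in
        *[!0-9]*) echo "account ID must be 12 digits" >&2; return 1 ;;
    esac
    [ "${#account}" -eq 12 ] || { echo "account ID must be 12 digits" >&2; return 1; }
    # CloudWatch log group names allow only these characters.
    case "$group" in
        ""|*[!A-Za-z0-9_./#-]*) echo "invalid log group: $group" >&2; return 1 ;;
    esac

    # The trailing :* covers the group and all of its streams, so the bridge
    # can still create a new stream on each start.
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:${region}:${account}:log-group:${group}:*"
      ]
    }
  ]
}
EOF
}
```

The log group must already exist, since the policy grants no permission to create one.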

Create CloudWatch Log Group

https://docs.aws.amazon.com/cli/latest/reference/logs/create-log-group.html

Run the bridge

$ docker run \
    -e AWS_REGION=ap-southeast-2 \
    -e AWS_ACCESS_KEY_ID=foo \
    -e AWS_SECRET_ACCESS_KEY=bar \
    -e LOG_GROUP_NAME=test-logger \
    -p 5014:514 \
    -p 5014:514/udp \
    quay.io/app-sre/syslog-cloudwatch-bridge

Send syslog messages to 127.0.0.1:5014. They will be viewable in your AWS CloudWatch Logs Management console under the group called test-logger.

Troubleshooting

Issues with AWS signatures: as per #1, this could be a clock sync issue. You should add the timezone to your container as a volume: /etc/timezone:/etc/timezone:ro