/syslog-cloudwatch-bridge

Syslog server to AWS CloudWatch Logs Bridge

Primary LanguageGoMIT LicenseMIT

Syslog CloudWatch Logs bridge

This is a Syslog server that sends all logs received over to AWS's CloudWatch Logs.

Features:

  • Uses AWS's SDK to get credentials from the environment, credentials file or IAM Role.
  • TCP and UDP Syslog server on a configurable port (default 514).
  • Automatic support for syslog messages in RFC3164, RFC6587 or RFC5424 formats.
  • Configurable CloudWatch Log Group.
  • Creates a new CloudWatch Log Stream on each invocation which is persisted runtime of the server.
  • Dockerized in a minimal container (~8MB).

Usage Example

  1. Create an IAM user that can create Log Streams and Logs e.g.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
    ],
      "Resource": [
        "arn:aws:logs:*:*:*"
    ]
  }
 ]
}
  1. Run the bridge
$ docker run -e \
   AWS_REGION=ap-southeast-2 \
   AWS_ACCESS_KEY_ID=foo \
   AWS_SECRET_ACCESS_KEY=bar \
   LOG_GROUP_NAME=test-logger \
   -p 5014:514 \
   -p 5014:514/udp \
   rjocoleman/syslog-cloudwatch-bridge
  1. Send syslog messages to 127.0.0.1:5014, these will be viewable in your AWS CloudWatch Logs Management console under the group called test-logger.

Troubleshooting

Issues with AWS signatures - as per #1 this could be a clock sync issue. You should add timezone to your container (as a volume) /etc/timezone:/etc/timezone:ro