Exporting Cyberwatch container logs to a syslog server

This page shows the configuration for exporting Cyberwatch service logs to a syslog server.

First, install and configure a syslog-ng (or syslog or rsyslog) server:

  1. Install syslog-ng:

    • For Debian-based distributions:

       sudo apt install syslog-ng
      
    • For Red Hat-based distributions:

       sudo yum install syslog-ng
      
  2. Edit the /etc/syslog-ng/syslog-ng.conf file:

@version:3.38
@include "scl.conf"

options {flush_lines (0); keep_hostname (yes);};

source s_network {
    tcp( ip(0.0.0.0) port(514) );
};

destination d_remote {
    file("/var/log/remote/cyberwatch/${PROGRAM}.log" owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

log {
    source(s_network);
    destination(d_remote);
};

This minimal configuration allows TCP syslog connections on any interface on port 514.

When logs are received, syslog-ng automatically creates files in the /var/log/remote/cyberwatch/ directory, using the ${PROGRAM} variable to name a distinct ${PROGRAM}.log file for each container.

The syslog documentation provides details of additional configuration options, such as TCP+TLS connections or restricting connections to a single IP address.
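One way to combine the two hardening options mentioned above (TLS and a single allowed sender), as an added example that is not part of the Cyberwatch documentation. Assumptions: the certificate paths are hypothetical, 192.0.2.10 is a placeholder for the Cyberwatch instance's address, and 6514 is chosen as the conventional syslog-over-TLS port; 10.3.0.10 is the syslog server address used in the client configuration on this page.

```conf
@version: 3.38
@include "scl.conf"

options { flush_lines(0); keep_hostname(yes); };

# Listen only on the address the Cyberwatch instance connects to,
# and require TLS instead of plain TCP.
source s_network_tls {
    network(
        ip("10.3.0.10") port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/server.key")   # hypothetical path
            cert-file("/etc/syslog-ng/tls/server.crt")  # hypothetical path
            # Server-authenticated TLS only: clients present no certificate.
            peer-verify(optional-untrusted)
        )
    );
};

# Drop messages whose sender is not the Cyberwatch instance.
# 192.0.2.10 is a placeholder address.
filter f_cyberwatch { netmask("192.0.2.10/32"); };

destination d_remote {
    file("/var/log/remote/cyberwatch/${PROGRAM}.log"
         owner(root) group(root)
         perm(0640) dir_perm(0750)   # assumption: only root reads these logs
         create_dirs(yes));
};

log {
    source(s_network_tls);
    filter(f_cyberwatch);
    destination(d_remote);
};
```

The filter discards messages after the connection has been accepted, so refusing other peers at the network level remains a host firewall task. On the Cyberwatch side, syslog-address would then use the tcp+tls:// scheme with port 6514, and Docker's syslog-tls-ca-cert logging option must point at the CA that signed the server certificate.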

Once the syslog server is configured, restart the service:

sudo systemctl restart syslog-ng

Then, once the syslog-ng server has started, create the /etc/cyberwatch/configs-enabled/99-custom-log.yml file on the Cyberwatch instance:

x-logging: &logging
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://10.3.0.10:514"
      tag: "{{.Name}}"

services:
  nginx:
    <<: *logging
  web:
    <<: *logging
  sidekiq:
    <<: *logging
  sidekiq_node:
    <<: *logging
  sidekiq_master:
    <<: *logging
  redis:
    <<: *logging
  kibana:
    <<: *logging
  web-scanner:
    <<: *logging
  db:
    <<: *logging
  elasticsearch:
    <<: *logging
  cache:
    <<: *logging

The syslog-address option contains the protocol, IP address and port information to connect to the syslog server configured in the previous step.

The tag option is used to name the file created on the syslog server. Here, the {{.Name}} variable sets it to the name of the container.

Once this has been done, restart Cyberwatch to apply the changes:

sudo cyberwatch restart
