Forward Tomcat logs to remote syslog

  1. Locate the Tomcat log file:
    /opt/tomcat/logs/catalina.out
  2. Install the rsyslog modules (if not already installed):
    sudo yum list rsyslog rsyslog-mmnormalize
    sudo yum update
    sudo yum install rsyslog rsyslog-mmnormalize
  3. Create Rulebase File

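For example: /etc/rsyslog.d/tomcat.rulebase

rule=:%level:word% %rest:rest%

This rule captures the first word of each line as level and the remainder as rest, so it assumes every line in catalina.out starts with the log level.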

  4. Create rsyslog configuration

For example: /etc/rsyslog.d/30-tomcat.conf

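module(load="imfile")
module(load="mmnormalize")

input(type="imfile"
      File="/opt/tomcat/logs/catalina.out"
      Tag="tomcat"
      Severity="info"      # Initial placeholder; overridden in the forwarded PRI
      Facility="local6"
      Ruleset="tomcat-parse")

# Forwarding format with a computed PRI (PRI = facility * 8 + severity).
# local6 is facility 22, so PRI = 176 + severity.
template(name="tomcat-fwd" type="string"
         string="<%$.pri%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

ruleset(name="tomcat-parse") {
  # Parse the line with the rulebase; the level lands in $!level
  action(type="mmnormalize"
         rulebase="/etc/rsyslog.d/tomcat.rulebase")

  set $.pri = "182";                              # default severity: info (6)
  if $!level == "ERROR" then set $.pri = "179";   # err (3)
  if $!level == "WARN" then set $.pri = "180";    # warning (4)
  if $!level == "DEBUG" then set $.pri = "183";   # debug (7)
  if $!level == "INFO" then set $.pri = "182";    # info (6)

  call tomcat-out
}

ruleset(name="tomcat-out") {
  # omfwd has no facility/severity parameters; the PRI comes from the template
  action(type="omfwd"
         target="your-syslog-server"
         port="514"
         protocol="udp"
         template="tomcat-fwd")
}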
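  5. Set Permissions
    sudo semanage fcontext -a -t var_log_t "/sandboxapps/apache_FC/logs(/.*)?"
    This command is used in SELinux (Security-Enhanced Linux) to assign a file context type to a specific directory and its contents. It only records the mapping; existing files take the new type once they are relabeled (for example with restorecon). Use the directory that holds your own Tomcat logs; the rsyslog input above reads from /opt/tomcat/logs.

| Part | Meaning |
|------|---------|
| sudo | Run the command with superuser privileges |
| semanage fcontext | SELinux management command to define file contexts |
| -a | Add a new file context mapping |
| -t var_log_t | Assign the SELinux type var_log_t, which is used for log files |
| "/sandboxapps/apache_FC/logs(/.*)?" | Apply to /sandboxapps/apache_FC/logs and all files/directories under it |
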
  6. Restart rsyslog
    sudo systemctl restart rsyslog
  7. Use tcpdump to verify syslog traffic
    sudo tcpdump -i any udp port 514
    or
    sudo tcpdump -i any udp port 514 and dst host x.x.x.x
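
| Code | Severity | Meaning |
|------|----------|---------|
| 0 | emerg | System is unusable |
| 1 | alert | Immediate action required |
| 2 | crit | Critical conditions |
| 3 | err | Error conditions |
| 4 | warning | Warning conditions |
| 5 | notice | Normal but significant event |
| 6 | info | Informational messages |
| 7 | debug | Debug-level messages |
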

| Facility | Code | Typical Usage with Tomcat |
|----------|------|---------------------------|
| local0 | 16 | General application logging (default choice) |
| local1 | 17 | Dedicated to Tomcat application logs |
| local2 | 18 | Separate logs for different environments |
| daemon | 3 | For system services like Tomcat daemon |
| user | 1 | Default facility for user-level logs |
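
To confirm during the tcpdump step that the level-to-severity mapping actually reached the wire, the following added example (not part of the original page) decodes the `<PRI>` value of a captured syslog payload and compares it with what the source log line should produce. It assumes the level-first line format of the rulebase and facility local6 (code 22) from the input configuration; the helper names and sample payloads are constructed for illustration.

```python
import re

# Codes from the tables on this page, plus local6 = 22 used by the imfile input.
FACILITIES = {1: "user", 3: "daemon", 16: "local0", 17: "local1", 18: "local2", 22: "local6"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Level mapping from the tomcat-parse ruleset; unknown levels fall back to info.
LEVEL_TO_SEV = {"ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7}

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes):
    """Return (facility_code, severity_code), or None if the PRI is missing or invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return divmod(pri, 8)


def expected_pri(line: str, facility: int = 22) -> int:
    """PRI the ruleset should emit for a raw log line whose first word is the level."""
    level = line.split(" ", 1)[0]
    return facility * 8 + LEVEL_TO_SEV.get(level, 6)


def check(line: str, datagram: bytes) -> str:
    """Compare a captured payload with the PRI its source log line should map to."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return "malformed"
    fac, sev = decoded
    label = f"{FACILITIES.get(fac, fac)}.{SEVERITIES[sev]}"
    return f"ok {label}" if fac * 8 + sev == expected_pri(line) else f"mismatch {label}"


if __name__ == "__main__":
    # Constructed pairs: (line written to catalina.out, payload seen on the wire).
    samples = [
        ("ERROR Connection pool exhausted", b"<179>2024-01-01T00:00:00Z app01 tomcat ERROR Connection pool exhausted"),
        ("WARN Slow request", b"<182>2024-01-01T00:00:01Z app01 tomcat WARN Slow request"),
    ]
    for line, dgram in samples:
        print(check(line, dgram), "|", line)
```

A "mismatch local6.info" result for a WARN or ERROR line means the message left with the imfile default severity, so the override in the ruleset did not take effect.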