Forwarding multi-line log events via syslog so that each event arrives as a single message can be accomplished with syslog-ng.
The first step is therefore to install syslog-ng in place of rsyslog, which is the default on Debian/Ubuntu distributions.
Installing syslog-ng on Ubuntu 22.04
wget -qO - https://ose-repo.syslog-ng.com/apt/syslog-ng-ose-pub.asc | sudo apt-key add -
echo "deb https://ose-repo.syslog-ng.com/apt/ stable ubuntu-jammy" | sudo tee -a /etc/apt/sources.list.d/syslog-ng-ose.list
sudo cp /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d
sudo apt-get update
sudo apt-get install syslog-ng
Installing syslog-ng on Ubuntu 20.04
wget -qO - https://ose-repo.syslog-ng.com/apt/syslog-ng-ose-pub.asc | sudo apt-key add -
echo "deb https://ose-repo.syslog-ng.com/apt/ stable ubuntu-focal" | sudo tee -a /etc/apt/sources.list.d/syslog-ng-ose.list
sudo apt-get update
sudo apt-get install syslog-ng
Configuring syslog-ng to forward logs to a remote syslog server
In this example we forward logs to the server 192.168.0.101 on port 514.
Create the file /etc/syslog-ng/conf.d/tomcat.conf with the following content:
# Tail the Tomcat application log; a line starting with "YYYY.MM.DD." begins a new
# event, anything else (stack trace frames etc.) is joined to the previous event.
source s_tomcat {
    file("/var/log/tomcat9/application.log"
        follow-freq(1)
        multi-line-mode(regexp)
        multi-line-prefix("[0-9]{4}\.[0-9]{2}\.[0-9]{2}\.")
        program-override("application")
        multi-line-timeout(20)
        flags(no-parse)
    );
};

# Remote collector, IETF syslog over TCP.
destination d_remote {
    syslog("192.168.0.101" port(514) transport(tcp));
};

# s_src is the default local source defined in /etc/syslog-ng/syslog-ng.conf.
log {
    source(s_tomcat);
    source(s_src);
    destination(d_remote);
};
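To see what multi-line-mode(regexp) with that prefix does to a Tomcat log, here is an added Python example (not part of the original post and not syslog-ng code) that groups constructed sample log lines into events with the same prefix regex and then flattens each event to one line; the sample log content and the helper names are made up for the illustration.

```python
import re
from typing import Iterator, List

# Same prefix regex as in the syslog-ng configuration above: a line that
# starts with "YYYY.MM.DD." begins a new event; all other lines are
# continuation lines (stack trace frames, wrapped messages) of the previous one.
MULTI_LINE_PREFIX = re.compile(r"[0-9]{4}\.[0-9]{2}\.[0-9]{2}\.")


def group_multiline(lines: Iterator[str]) -> List[str]:
    """Group raw log lines into events the way multi-line-mode(regexp) does.

    A line matching the prefix starts a new event; lines that do not match
    are appended to the current event. Lines seen before the first prefix
    are kept as an event of their own so nothing is silently dropped.
    """
    events: List[str] = []
    current: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if MULTI_LINE_PREFIX.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def to_single_line(event: str) -> str:
    """Flatten one event to a single line with no embedded newlines."""
    return " | ".join(part.strip() for part in event.split("\n") if part.strip())


# Constructed sample of a Tomcat application log containing one exception.
SAMPLE_LOG = """\
2024.03.11. 10:15:02 INFO  [main] Application started
2024.03.11. 10:15:07 ERROR [http-nio-8080-exec-3] Request failed
java.lang.NullPointerException: user must not be null
\tat com.example.UserService.load(UserService.java:42)
\tat com.example.UserController.get(UserController.java:17)
2024.03.11. 10:15:09 WARN  [http-nio-8080-exec-3] Retrying request
"""


def demo() -> List[str]:
    """Return the sample log as one flattened line per event."""
    return [to_single_line(e) for e in group_multiline(iter(SAMPLE_LOG.splitlines(True)))]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The six raw lines become three events; the exception and its two stack frames travel with the ERROR line instead of arriving at the collector as separate, context-free messages.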
Personally I am using this solution with Graylog.
If the above content needs explaining, please post a comment.