How can I centrally log application data?

Problem

There's a security requirement to have centralized application logging. How can I do that?

Solution

The easiest way to do this is to take advantage of the CloudWatch agent that's already installed on the "CIS Secure" images offered as part of a Moderate or High risk data space. To do so:

  1. Edit the file /var/awslogs/etc/awslogs.conf. If this file does not exist, the CloudWatch agent is not set up and will have to be installed first.
  2. Add a stanza like the one below to the bottom of the file. Parts in bold should be edited to match the specifics of what you want logged. Make sure the path is correct and that the log_stream_name contains a description of what the file is in the third pipe-separated field (no spaces are allowed). {instance_id} and {ip_address} can be left as is; they will be replaced automatically with the actual values.



[/var/log/httpd/error_log]
file = /var/log/httpd/error_log
log_group_name = Application_Logs
datetime_format = %b %d %H:%M:%S
log_stream_name = {instance_id}|{ip_address}|httpd_error_log


  3. Restart the CloudWatch agent with the command:

sudo service awslogs restart

  4. Logs will begin being sent to CloudWatch.
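
Before restarting the agent in step 3, the stanza rules from step 2 can be checked mechanically. The script below is an added example, not part of the original article or of the agent itself; lint_awslogs, the sample stanzas and the duplicate-stream check are assumptions made for illustration.

```python
import configparser

# Constructed sample: the stanza from step 2 plus a deliberately broken one.
SAMPLE_CONF = """\
[/var/log/httpd/error_log]
file = /var/log/httpd/error_log
log_group_name = Application_Logs
datetime_format = %b %d %H:%M:%S
log_stream_name = {instance_id}|{ip_address}|httpd_error_log

[/var/log/myapp/app.log]
file = var/log/myapp/app.log
log_group_name = Application_Logs
log_stream_name = {instance_id}|{ip_address}|my app log
"""

REQUIRED = ("file", "log_group_name", "log_stream_name")


def lint_awslogs(conf_text):
    """Return {section: [problems]} for each log stanza in conf_text."""
    # interpolation=None: '%b %d' in datetime_format is not configparser syntax.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report, seen = {}, {}
    for name in cp.sections():
        if name == "general":  # agent-wide settings, not a log stanza
            continue
        sec = cp[name]
        problems = [f"missing {key}" for key in REQUIRED if key not in sec]
        if "file" in sec and not sec["file"].startswith("/"):
            problems.append("file is not an absolute path")
        stream = sec.get("log_stream_name", "")
        fields = stream.split("|")
        if stream and (len(fields) != 3 or not fields[2]):
            problems.append("log_stream_name needs three pipe-separated fields")
        if any(ch.isspace() for ch in stream):
            problems.append("log_stream_name contains spaces")
        # Two files feeding one stream would mix their lines under one description.
        target = (sec.get("log_group_name"), stream)
        if stream and target in seen:
            problems.append(f"same group and stream as [{seen[target]}]")
        seen.setdefault(target, name)
        report[name] = problems
    return report


if __name__ == "__main__":
    for section, problems in lint_awslogs(SAMPLE_CONF).items():
        print(section, "OK" if not problems else problems)
```

To check a real host, pass the contents of /var/awslogs/etc/awslogs.conf to lint_awslogs in place of SAMPLE_CONF.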