gja/log4j2.xml

## log4j2.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Syslog name="syslog" host="localhost" port="4242" protocol="UDP" format="RFC5424" enterpriseNumber="18060" appName="quest" mdcId="quest">
      <LoggerFields>
        <KeyValuePair key="thread" value="%t"/>
        <KeyValuePair key="name" value="%c"/>
      </LoggerFields>
    </Syslog>
    <Async name="AsyncUDPAppender">
      <AppenderRef ref="syslog"/>
    </Async>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="AsyncUDPAppender"/>
    </Root>
  </Loggers>
</Configuration>

## post-to-slack.sh
#! /bin/bash

while read; do
  curl -X POST https://hooks.slack.com/services/<your>/<slack>/<hook> -H "Content-Type: application/json" --data-binary @- <<-EOF
{"channel": "#errors", "username": "`hostname`", "text": "${REPLY//\"/\\\"}", "icon_emoji": ":ghost:"}
EOF
done

## rsyslog.conf
module(load="imudp")
module(load="omprog")

template(name="quintype-logfile" type="string" string="/var/log/%programname%/%programname%-%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log")
template(name="quintype-errorfile" type="string" string="/var/log/%programname%/%programname%-error-%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="slack") {
  action(type="omprog" binary="/usr/sbin/post-to-slack" template="RSYSLOG_TraditionalFileFormat")
}

template(name="quintype-log" type="list") {
       property(name="timereported" dateformat="rfc3339")
       constant(value=" ")
       property(name="syslogseverity-text" caseConversion="upper")
       constant(value=" ")
       property(name="hostname")
       constant(value=" ")
       property(name="syslogtag")
       property(name="structured-data")
       constant(value=" ")
       property(name="msg" droplastlf="on" )
       constant(value="\n")
       }

ruleset(name="quintype") {
  action(type="omfile" DynaFile="quintype-logfile" template="quintype-log")
  if $syslogseverity > 4 then stop # Above Warning
  action(type="omfile" DynaFile="quintype-errorfile" template="quintype-log")
  if $syslogseverity > 2 then stop # Above Alerts
  call slack
}

input(type="imudp" port="4242" ruleset="quintype")
	<?xml version="1.0" encoding="UTF-8"?>
	<Configuration status="WARN">
	<Appenders>
	<Syslog name="syslog" host="localhost" port="4242" protocol="UDP" format="RFC5424" enterpriseNumber="18060" appName="quest" mdcId="quest">
	<LoggerFields>
	<KeyValuePair key="thread" value="%t"/>
	<KeyValuePair key="name" value="%c"/>
	</LoggerFields>
	</Syslog>
	<Async name="AsyncUDPAppender">
	<AppenderRef ref="syslog"/>
	</Async>
	</Appenders>
	<Loggers>
	<Root level="info">
	<AppenderRef ref="AsyncUDPAppender"/>
	</Root>
	</Loggers>
	</Configuration>
	#! /bin/bash

	while read; do
	curl -X POST https://hooks.slack.com/services/<your>/<slack>/<hook> -H "Content-Type: application/json" --data-binary @- <<-EOF
	{"channel": "#errors", "username": "`hostname`", "text": "${REPLY//\"/\\\"}", "icon_emoji": ":ghost:"}
	EOF
	done
	module(load="imudp")
	module(load="omprog")

	template(name="quintype-logfile" type="string" string="/var/log/%programname%/%programname%-%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log")
	template(name="quintype-errorfile" type="string" string="/var/log/%programname%/%programname%-error-%$YEAR%-%$MONTH%-%$DAY%.log")

	ruleset(name="slack") {
	action(type="omprog" binary="/usr/sbin/post-to-slack" template="RSYSLOG_TraditionalFileFormat")
	}

	template(name="quintype-log" type="list") {
	property(name="timereported" dateformat="rfc3339")
	constant(value=" ")
	property(name="syslogseverity-text" caseConversion="upper")
	constant(value=" ")
	property(name="hostname")
	constant(value=" ")
	property(name="syslogtag")
	property(name="structured-data")
	constant(value=" ")
	property(name="msg" droplastlf="on" )
	constant(value="\n")
	}

	ruleset(name="quintype") {
	action(type="omfile" DynaFile="quintype-logfile" template="quintype-log")
	if $syslogseverity > 4 then stop # Above Warning
	action(type="omfile" DynaFile="quintype-errorfile" template="quintype-log")
	if $syslogseverity > 2 then stop # Above Alerts
	call slack
	}

	input(type="imudp" port="4242" ruleset="quintype")