This is one of those “holy grail” things that I’ve been after for years. The solution that I think makes the most sense is to use a solution that pushes Watchdog messages out over HTTP to an endpoint for an external log aggregator like Loggly, Splunk, or maybe your own locally-hosted ELK stack.
Amitai Burstein from Gizra wrote about this years ago, and Gizra actually published a D7 contrib module (later ported to D8) to support this very use case:
The one catch for our team to use this is that our on-prem Splunk instance only accepts HTTP endpoint connections from whitelisted IP addresses, and that doesn’t work with Pantheon because of https://pantheon.io/docs/outgoing-ips/.
We’ve investigated this with Pantheon support and our own logging team multiple times over the past few years, with no easy solutions in sight. So my advice to you is to try to use a log aggregator that doesn’t require IP whitelisting.
As a final note – you could probably easily modify the code from the logs_http module to do what you suggested and write the Watchdog logs to a file. But the catch there is you would be writing them to the files directory for your Drupal site (since that’s the only part of the container filesystem that is writable by your Drupal site), which doesn’t seem like a great idea.
One other possible solution that was suggested was to use the drush watchdog:show command to pull the logs on an external host and write them to your log aggregator from there. That might work okay for a couple of sites, but probably wouldn’t scale very well.
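
The pull-and-forward approach from the last paragraph, as an added example that is not part of the original post: it keeps a per-site checkpoint on the highest `wid` already forwarded, so repeated pulls do not send duplicate events to the aggregator. Assumptions: the JSON field names in the constructed sample, the `source`/`host`/`event` wrapper, the function names, and the bearer-token header are illustrative and must be matched to your drush output and your aggregator's HTTP input.

```python
import json
import urllib.request

# Constructed sample of `drush watchdog:show --format=json` output.
# The field names (wid, type, severity, message) are assumed for illustration.
SAMPLE = """{
 "103": {"wid": "103", "type": "php", "severity": "Error", "message": "Constructed error"},
 "101": {"wid": "101", "type": "user", "severity": "Notice", "message": "Constructed login"},
 "102": {"wid": "102", "type": "access denied", "severity": "Warning", "message": "/admin"}
}"""


def parse_watchdog(raw):
    """Parse drush JSON (dict keyed by wid, or a list) into rows sorted by wid."""
    data = json.loads(raw) if raw.strip() else []
    rows = list(data.values()) if isinstance(data, dict) else list(data)
    return sorted(rows, key=lambda r: int(r["wid"]))


def new_events(rows, last_wid, site):
    """Drop rows already forwarded; return (events, new checkpoint)."""
    fresh = [r for r in rows if int(r["wid"]) > last_wid]
    events = [{"source": "drupal-watchdog", "host": site, "event": r} for r in fresh]
    checkpoint = max([last_wid] + [int(r["wid"]) for r in fresh])
    return events, checkpoint


def to_payload(events):
    """Serialize as newline-delimited JSON, one event per line."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def send(payload, url, token):
    """POST the batch; the bearer header is a placeholder for your aggregator's scheme."""
    req = urllib.request.Request(url, data=payload.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # In real use, raw would be the stdout of `drush watchdog:show --format=json`
    # for one site, and last_wid would be loaded from per-site state on disk.
    events, checkpoint = new_events(parse_watchdog(SAMPLE), 101, "example-site")
    print(to_payload(events))
    print("next checkpoint:", checkpoint)
```

Persist the checkpoint only after `send` succeeds, so a failed POST is retried on the next pull instead of silently dropping log entries.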