CSAP CloudWatch Logs

  • Understanding CloudWatch Logs
  • Pushing Linux system logs to CloudWatch

Understanding CloudWatch Logs

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/13308272?start=0

Centralized Log Solutions

  • A server can contain a lot of log files, from system logs to application logs.
  • During debugging, it is important to have the log files at hand.
  • By default the log files are stored directly on the server, so whoever needs to debug must have access to that server.
    • This is considered poor security: developers should not have access to the server.
  • The better solution is to push the log files to a centralized S3 bucket.

Pushing Linux system logs to CloudWatch

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/13308276?start=0

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html

Step 1: Create the CloudWatch Log policy

  • The EC2 instance must be able to create a log group in CloudWatch and then push the logs there.
    • Region > EC2 > Instances > Select Instance > IAM role > Click the IAM role name
    • > Roles > Summary > +Add inline policy
    • > Create policy > JSON

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams"
         ],
         "Resource": [
            "arn:aws:logs:*:*:*"
         ]
      }
   ]
}
  • [ Review policy ]
  • > Review policy
    • Name: CloudWatchLogs
    • [ Create policy ]
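
The inline policy above grants the four logs actions on every log group in every account and region (Resource arn:aws:logs:*:*:*). The following is an added example, not part of the notes or of AWS: it flags such unscoped resources and builds the same policy limited to one log group. ACCOUNT_ID is a placeholder; REGION and LOG_GROUP reuse values from these notes.

```python
"""Check and tighten the CloudWatch Logs IAM policy from the notes.

Added example (not from the notes or AWS). Two helpers:
  * find_wildcard_resources(): lists Allow actions whose Resource leaves
    region, account and log group all unscoped.
  * scoped_policy(): the same four actions restricted to one log group
    and the log streams underneath it.
"""
import json

LOG_ACTIONS = [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams",
]

# Policy exactly as written in the notes (Resource is a full wildcard).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": LOG_ACTIONS,
            "Resource": ["arn:aws:logs:*:*:*"],
        }
    ],
}

REGION = "us-east-1"          # region used later in the notes
ACCOUNT_ID = "123456789012"   # assumption: placeholder account id
LOG_GROUP = "/var/log/messages"


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise."""
    return [value] if isinstance(value, str) else list(value)


def _is_wildcard(resource: str) -> bool:
    """True when the ARN scopes neither region, account nor log group."""
    if resource == "*":
        return True
    # arn:aws:logs:<region>:<account>:<resource-part>
    parts = resource.split(":", 5)
    return (len(parts) == 6 and parts[2] == "logs"
            and parts[3] == "*" and parts[4] == "*" and parts[5] == "*")


def find_wildcard_resources(policy: dict) -> list:
    """Return (action, resource) pairs granted on an unscoped resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if _is_wildcard(resource):
                for action in _as_list(stmt.get("Action", [])):
                    findings.append((action, resource))
    return findings


def scoped_policy(region: str, account_id: str, log_group: str) -> dict:
    """Same four actions, but only on one log group and its streams."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": LOG_ACTIONS,
                # the group itself plus log-stream resources below it
                "Resource": [group_arn, f"{group_arn}:*"],
            }
        ],
    }


if __name__ == "__main__":
    for action, resource in find_wildcard_resources(PAGE_POLICY):
        print(f"unscoped: {action} on {resource}")
    print(json.dumps(scoped_policy(REGION, ACCOUNT_ID, LOG_GROUP), indent=3))
```

Run it as-is to see the four findings for the notes' policy and the scoped replacement; paste the scoped JSON into the same "Create policy > JSON" step if one log group per role is enough for your setup.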

Step 2: Install the CloudWatch agent

AWS Linux

Install the agent

sudo yum update -y
sudo yum install -y awslogs

Edit /etc/awslogs/awscli.conf to set the region the logs are pushed to (us-east-1 is the example region used in these notes)

sudo nano /etc/awslogs/awscli.conf
region = us-east-1

Edit /etc/awslogs/awslogs.conf to set the log group name

  • Additional log files can be added here, one section per file.
  • Use different log group names for different log files.
  • It is recommended to restrict permissions on these log groups to only the users that require that access.
    • SysAdmins need the messages logs while Dev does not.

sudo nano /etc/awslogs/awslogs.conf
[/var/logs/messages]
...
file = /var/log/messages
...
log_group_name = /var/logs/messages

Start the log service

sudo service awslogs start
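
The two files edited above have a fixed layout: awscli.conf holds the region, and awslogs.conf holds a [general] state_file plus one section per monitored file. The script below is an added example, not the agent's own code or part of the notes: it renders both files for a list of log files and refuses to reuse a log group name across files, which enforces the "different log group names for different log files" recommendation so that access to each group can be granted separately. The log file list is a constructed sample.

```python
"""Render and sanity-check the awslogs agent configuration files.

Added example (not from the notes or the agent). The layout follows
the agent's config format: awscli.conf with a [default] region and
awslogs.conf with a [general] state_file and one section per log file.
"""
import configparser

STATE_FILE = "/var/lib/awslogs/agent-state"   # agent default on Amazon Linux

# Constructed sample: each file goes to its own log group so that
# permissions can be granted per group (messages for SysAdmins only, etc.).
SAMPLE_LOGS = [
    {"file": "/var/log/messages", "log_group_name": "/var/log/messages"},
    {"file": "/var/log/secure", "log_group_name": "/var/log/secure"},
]


def render_awscli_conf(region: str) -> str:
    """Contents of /etc/awslogs/awscli.conf for the given region."""
    if not region:
        raise ValueError("region must be set before the agent is started")
    return f"[plugins]\ncwlogs = cwlogs\n[default]\nregion = {region}\n"


def render_awslogs_conf(entries, state_file: str = STATE_FILE) -> str:
    """Contents of /etc/awslogs/awslogs.conf, one section per log file.

    Raises ValueError when two files would share a log group, because
    the notes recommend a distinct group per file for access control.
    """
    group_owner = {}
    lines = ["[general]", f"state_file = {state_file}", ""]
    for entry in entries:
        path, group = entry["file"], entry["log_group_name"]
        if group in group_owner:
            raise ValueError(
                f"log group {group!r} already used for {group_owner[group]}")
        group_owner[group] = path
        lines += [
            f"[{path}]",
            f"file = {path}",
            f"log_group_name = {group}",
            "log_stream_name = {instance_id}",
            "datetime_format = %b %d %H:%M:%S",
            "initial_position = start_of_file",
            "",
        ]
    return "\n".join(lines)


def parse_log_groups(conf_text: str) -> dict:
    """Read a rendered awslogs.conf back and map each file to its group."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {cp[s]["file"]: cp[s]["log_group_name"]
            for s in cp.sections() if s != "general"}


if __name__ == "__main__":
    print(render_awscli_conf("us-east-1"))
    conf = render_awslogs_conf(SAMPLE_LOGS)
    print(conf)
    print(parse_log_groups(conf))
```

Write the two strings to /etc/awslogs/awscli.conf and /etc/awslogs/awslogs.conf (as root) and then start the service as in the notes; parse_log_groups() is useful afterwards to confirm what an existing awslogs.conf actually sends where.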

Ubuntu, CentOS and RedHat

Update the packages (apt-get on Ubuntu, yum on CentOS and RedHat)

sudo apt-get update -y
sudo yum update -y

Download the agent

curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O

Install the agent
Note: you must specify the region you are exporting your logs to.

sudo python ./awslogs-agent-setup.py --region us-east-1

or

sudo python3 ./awslogs-agent-setup.py --region us-east-1