CloudWatch

From Bitpost wiki
Jump to: navigation, search
           The AWS CloudWatch service allows logging from EC2 instances to be gathered in a central location.  It is available within Amazon's GovCloud environment.
           You should set up an AWS CloudWatch service,
           and set up a CloudWatch agent on each endpoint for which you want to gather logs.
           Instructions are provided for linux and Windows.
           Mac systems may be able to follow linux instructions (to be verified).
           Set up CloudWatch in a GovCloud VPC:
               * Get a GovRamp account
               * Create some EC2 instances, recommended to be tagged with a "stack" tag, eg:
                   Name: mbehrnsm-stack    Value: cloudwatch1      (<-customize these)
                   * Set up a RHEL micro EC2 instance with CloudWatch monitoring initially set to enabled
                   * Set up a Windows 2016 micro EC2 instance with CloudWatch monitoring initially set to enabled
               * Set up a CloudWatch group in your target region, eg:
                   https://console.amazonaws-us-gov.com/cloudwatch/home?region=us-gov-west-1#logs:
                       Logs > Actions > Create log group > Log Group Name > MyCloudWatchGroup (<-customize this)
                   * set up streams underneath the group, one for each EC2 Instance
                       Note that these streams may be autocreated when you run the instance agent, but you can also pre-create them:
                           select your group MyCloudWatchGroup > Create Log Stream > Log Stream Name > MyCloudWatch-linux-stream (<-customize this)
                           select your group MyCloudWatchGroup > Create Log Stream > Log Stream Name > MyCloudWatch-windows-stream (<-customize this)
               * set up an IAM Role which will be used by agents to access CloudWatch resources
                   https://console.amazonaws-us-gov.com/iam (AS ADMINISTRATOR)
                       > Roles > Create new role > AWS Service Role > Amazon EC2 > Select
                           > Filter: CloudWatch > (select all)
                           > Filter: AmazonSSMFullAccess > (select - NOTE that this allows Run command to install Windows agent)
                       > Next > Create role > Name: MyCloudWatchAccess (<-customize this)
           Set up linux CloudWatch agent:
               * attach the CloudWatchAccess role to the EC2 instance
                   https://console.aws.amazon.com/ec2/
                       > right-click Instance > Instance Settings > Attach/Replace IAM role
                           > select MyCloudWatchAccess role > Apply
               * Follow this guide to run a python script that installs the agent:
                   https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
                   [ec2-user@ip-172-31-29-104 ~]$ sudo python ./awslogs-agent-setup.py --region us-gov-west-1
                       Destination Log Group name: mbehrnsm-cloudwatch1
                       Log Stream > 3 (custom) > MyCloudWatch-linux-stream
           Set up windows CloudWatch agent:
               * attach the CloudWatchAccess role to the EC2 instance
                   https://console.aws.amazon.com/ec2/
                       > right-click Instance > Instance Settings > Attach/Replace IAM role
                           > select MyCloudWatchAccess role > Apply
               * use the AWS console to set up CloudWatch agent on the instance
                   EC2 > Systems Manager Services sidebar > Run Command
                   https://console.amazonaws-us-gov.com/ec2/home?region=us-gov-west-1#Commands:CommandId=9b65649f-82da-4b16-838c-c18644fbc211;sort=CommandId
                       > Run a command >
                           select AWS-ConfigureCloudWatch
                           select the windows EC2 instance manually (if you don't see it, review your IAM permissions, see above)
                           Execute on: 1
                           Stop after: 1
                           Status: Enabled
                           Properties: paste JSON
                               Follow this guide to generate a JSON file that defines the logging that will occur:
                               https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartWindows2016.html
                               See the attached example.