The AWS CloudWatch service allows logging from EC2 instances to be gathered in a central location. It is available within Amazon's GovCloud environment.
You should set up an AWS CloudWatch service,
and set up a CloudWatch agent on each endpoint for which you want to gather logs.
Instructions are provided for Linux and Windows.
Mac systems may be able to follow the Linux instructions (to be verified).
Set up CloudWatch in a GovCloud VPC:
* Get a GovRamp account
* Create some EC2 instances, recommended to be tagged with a "stack" tag, e.g.:
Name: mbehrnsm-stack Value: cloudwatch1 (<-customize these)
* Set up a RHEL micro EC2 instance with CloudWatch monitoring initially set to enabled
* Set up a Windows 2016 micro EC2 instance with CloudWatch monitoring initially set to enabled
* Set up a CloudWatch log group in your target region, e.g.:
https://console.amazonaws-us-gov.com/cloudwatch/home?region=us-gov-west-1#logs:
Logs > Actions > Create log group > Log Group Name > MyCloudWatchGroup (<-customize this)
* set up log streams underneath the group, one for each EC2 instance
Note that these streams may be auto-created when you run the instance agent, but you can also pre-create them:
select your group MyCloudWatchGroup > Create Log Stream > Log Stream Name > MyCloudWatch-linux-stream (<-customize this)
select your group MyCloudWatchGroup > Create Log Stream > Log Stream Name > MyCloudWatch-windows-stream (<-customize this)
* set up an IAM role which will be used by the agents to access CloudWatch resources
https://console.amazonaws-us-gov.com/iam (AS ADMINISTRATOR)
> Roles > Create new role > AWS Service Role > Amazon EC2 > Select
> Filter: CloudWatch > (select all)
> Filter: AmazonSSMFullAccess > (select - NOTE that this allows Run Command to install the Windows agent)
> Next > Create role > Name: MyCloudWatchAccess (<-customize this)
Set up the Linux CloudWatch agent:
* attach the MyCloudWatchAccess role to the EC2 instance
https://console.aws.amazon.com/ec2/
> right-click Instance > Instance Settings > Attach/Replace IAM role
> select MyCloudWatchAccess role > Apply
* Follow this guide to run a Python script that installs the agent:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
[ec2-user@ip-172-31-29-104 ~]$ sudo python ./awslogs-agent-setup.py --region us-gov-west-1
Destination Log Group name: mbehrnsm-cloudwatch1
Log Stream > 3 (custom) > MyCloudWatch-linux-stream
Set up the Windows CloudWatch agent:
* attach the MyCloudWatchAccess role to the EC2 instance
https://console.aws.amazon.com/ec2/
> right-click Instance > Instance Settings > Attach/Replace IAM role
> select MyCloudWatchAccess role > Apply
* use the AWS console to set up the CloudWatch agent on the instance
EC2 > Systems Manager Services sidebar > Run Command
https://console.amazonaws-us-gov.com/ec2/home?region=us-gov-west-1#Commands:CommandId=9b65649f-82da-4b16-838c-c18644fbc211;sort=CommandId
> Run a command >
select AWS-ConfigureCloudWatch
select the Windows EC2 instance manually (if you don't see it, review your IAM permissions; see above)
Execute on: 1
Stop after: 1
Status: Enabled
Properties: paste JSON
Follow this guide to generate a JSON file that defines the logging that will occur:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartWindows2016.html
See the attached example.
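As an added example (not the attachment referenced above, which is not reproduced here), a configuration of the shape that guide produces, wired to the group, stream and region used earlier on this page; the choice of Security and System event logs and the Levels values are assumptions. AccessKey and SecretKey are deliberately left empty so the agent authenticates with the MyCloudWatchAccess instance role instead of static keys embedded in the file.

```json
{
  "IsEnabled": true,
  "EngineConfiguration": {
    "PollInterval": "00:00:15",
    "Components": [
      {
        "Id": "SecurityEventLog",
        "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
        "Parameters": {
          "LogName": "Security",
          "Levels": "7"
        }
      },
      {
        "Id": "SystemEventLog",
        "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
        "Parameters": {
          "LogName": "System",
          "Levels": "3"
        }
      },
      {
        "Id": "CloudWatchLogs",
        "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
        "Parameters": {
          "AccessKey": "",
          "SecretKey": "",
          "Region": "us-gov-west-1",
          "LogGroup": "MyCloudWatchGroup",
          "LogStream": "MyCloudWatch-windows-stream"
        }
      }
    ],
    "Flows": {
      "Flows": [
        "(SecurityEventLog,SystemEventLog),CloudWatchLogs"
      ]
    }
  }
}
```

Levels is a bitmask (1 = Error, 2 = Warning, 4 = Information), so "7" ships every Security event while "3" limits System to errors and warnings; the Flows entry is what actually connects the inputs to the CloudWatchLogs output, and a component listed under Components but absent from Flows sends nothing.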