EC2 Log to CloudWatch

With the ever-growing demand for accountability, observability, and security in the cloud, understanding the flow and content of system and application logs has never been more crucial. Amazon EC2, as one of the foundational pillars of AWS’s cloud offerings, generates a plethora of logs, providing insights into the operational health and performance of your virtual machines. However, efficiently managing, monitoring, and analyzing these logs in isolation can be challenging.

Enter AWS CloudWatch – a robust monitoring service that allows for near real-time tracking of your AWS resources. By sending your EC2 logs to CloudWatch, you not only centralize your logs but also leverage AWS’s powerful log querying, alerting, and dashboarding capabilities. This blog post aims to guide you through this integration, ensuring that you can make the most out of your EC2 log data.

Benefits of sending EC2 logs to CloudWatch:

  • Centralized Logging: Streamline your logging strategy by centralizing EC2 logs with logs from other AWS services.
  • Real-time Monitoring: Quickly spot issues, anomalies, or trends in your EC2 instances.
  • Alerting & Notifications: Set up alarms based on specific log patterns or metrics, ensuring timely intervention when needed.
  • Retention & Archival: Define log retention policies and integrate them with services like AWS Glacier for long-term storage.

Prerequisites

Before diving into the integration details, it’s essential to ensure that you have the necessary setup and permissions in place.

  • AWS Account: If you haven’t already, sign up for an AWS account. This provides access to AWS services, including EC2 and CloudWatch.
  • Basic Understanding of EC2 & CloudWatch: Familiarize yourself with the core concepts and terminologies of EC2 (such as instances, AMIs, and security groups) and CloudWatch (like metrics, alarms, and log streams).
  • IAM User with Necessary Permissions: Ensure you have an IAM user with permission to configure EC2, CloudWatch, and related services. This user should have the AmazonEC2FullAccess and CloudWatchLogsFullAccess permissions at a minimum.
  • Running EC2 Instance: For this guide, it’s assumed that you already have an EC2 instance running. If not, AWS provides detailed documentation on launching an EC2 instance.

Understanding EC2 Logs

When we refer to “EC2 logs,” we are typically speaking about a variety of logs that can be generated by operations within an EC2 instance. These include:

  • System Logs: These logs provide information about the system operations of your EC2 instances. They are invaluable for debugging issues related to instance launches or failures. By default, you can access these logs via the EC2 console under the “Instance Settings” and “Get System Log” options.
  • Application Logs: If you are running applications on your EC2 instance, these applications might generate their logs. These logs’ location and content will largely depend on the application and the chosen logging configuration.
  • Custom Logs: You might have custom scripts or software running on your EC2 instance that produce unique logs. Configuring these logs for CloudWatch will depend on your specific setup.
  • Security Logs: Logs related to security events, such as SSH logins, firewall changes, or unauthorized access attempts. On Linux-based systems, logs like /var/log/auth.log or /var/log/secure might be of interest.

Understanding the types and content of these logs is the first step toward a robust logging strategy. As we delve deeper into integrating EC2 with CloudWatch, we’ll explore how to capture and forward each of these log types effectively.

Setting Up the AWS CloudWatch Logs Agent

Before your EC2 instance can send logs to CloudWatch, you need to set up the CloudWatch Logs Agent. This agent is responsible for monitoring the specified log files and securely transmitting their contents to CloudWatch Logs.

Steps:

Installing the Agent: Depending on your EC2 instance’s OS, the installation command might vary. For Amazon Linux or Ubuntu, you can use:

sudo yum install -y awslogs 

For other OS versions, AWS provides detailed installation guides.

Agent Configuration: The agent’s primary configuration file is usually found at /etc/awslogs/awslogs.conf. This file dictates which logs should be monitored and how they should be sent to CloudWatch.
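As an added illustration, not the post's own file, here is a complete /etc/awslogs/awslogs.conf that ships the security log and one application log; the log group names and the application path are hypothetical:

```ini
[general]
# Where the agent records how far it has read each file; keep it on persistent storage
# so a restart resumes where it left off instead of re-sending or skipping events.
state_file = /var/lib/awslogs/agent-state

# One section per monitored file. The section name is only a label; "file" is what is read.
[/var/log/secure]
file = /var/log/secure
log_group_name = /ec2/example/secure
# {instance_id} is expanded on the instance, giving each host its own stream in the group.
log_stream_name = {instance_id}
# Matches the syslog prefix, e.g. "Oct  3 14:02:11 ip-10-0-0-5 sshd[1234]: ..."
datetime_format = %b %d %H:%M:%S
# Syslog timestamps carry no zone, so state the one the host writes (assumed UTC here).
time_zone = UTC
# start_of_file ships the history already on disk; end_of_file ships only new lines.
initial_position = start_of_file
buffer_duration = 5000

[/var/opt/example-app/app.log]
file = /var/opt/example-app/app.log
log_group_name = /ec2/example/app
log_stream_name = {instance_id}-app
datetime_format = %Y-%m-%d %H:%M:%S,%f
# A new event starts only at a line that begins with a timestamp, so stack-trace
# continuation lines are folded into the preceding event instead of being split up.
multi_line_start_pattern = {datetime_format}
```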

Setting Up AWS Credentials: For the agent to communicate with CloudWatch, it needs the right AWS credentials. Ensure the agent has access to IAM roles with the necessary permissions, or you can manually configure it with access keys (not recommended for production environments).

Starting the Agent: Once configured, you can start the agent with:

sudo service awslogs start

Configuring EC2 to Send Logs to CloudWatch

With the agent installed and running, the next step is to configure your EC2 instance to send logs to CloudWatch.

  1. IAM Role and Policy Requirements: Your EC2 instance requires an IAM role that allows it to write to CloudWatch Logs. Create a new IAM role with the CloudWatchLogsFullAccess policy attached and associate this role with your EC2 instance.
  2. Modifying the CloudWatch Logs Agent Configuration:
    • In /etc/awslogs/awslogs.conf, define the log files you want to monitor.
    • Set the log stream name and log group. You can use variables like {instance_id} to create unique log stream names.
    • Specify the date format of your log entries if they contain timestamp information.
  3. Starting and Monitoring the Agent: With the updated configurations, restart the agent and regularly check the /var/log/awslogs.log file to ensure that logs are being sent without issues.
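Step 2 leaves the datetime_format up to you, and a format that does not match the file is easy to miss until events turn up mis-dated. This added check, not code from the post, reads the formats out of an awslogs.conf fragment and tries each one against constructed sample lines before the agent is started; the file paths are hypothetical and every timestamp is assumed to begin its line.

```python
"""Pre-flight check of awslogs.conf datetime_format values (added example, not the post's code).
When datetime_format fails to match a line, the CloudWatch Logs agent falls back to the current
time rather than the logged time; this check catches that before the agent is started."""
import configparser
from datetime import datetime

# Constructed awslogs.conf fragment (hypothetical paths) reduced to the keys this check needs.
AWSLOGS_CONF = """
[/var/log/secure]
file = /var/log/secure
datetime_format = %b %d %H:%M:%S

[/var/opt/example-app/app.log]
file = /var/opt/example-app/app.log
datetime_format = %Y-%m-%d %H:%M:%S,%f
"""

# Constructed sample lines; the ISO-8601 line does not match its section's format.
SAMPLE_LINES = {
    "/var/log/secure": [
        "Oct  3 14:02:11 ip-10-0-0-5 sshd[1234]: Accepted publickey for ec2-user from 10.0.0.9",
    ],
    "/var/opt/example-app/app.log": [
        "2024-10-03 14:02:12,431 INFO  Server started on port 8080",
        "2024-10-03T14:02:13.002Z WARN  Disk usage at 91%",
    ],
}

def load_formats(conf_text):
    """Return {file_path: datetime_format} for every monitored-file section."""
    # interpolation=None: the default interpolation would reject '%b', '%Y', ...
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    return {cfg[s]["file"]: cfg[s]["datetime_format"]
            for s in cfg.sections() if cfg.has_option(s, "file")}

def check_format(fmt, lines):
    """Return the lines whose leading tokens fmt cannot parse (strptime needs an exact span)."""
    width = len(fmt.split())  # whitespace-separated tokens the format spans
    unmatched = []
    for line in lines:
        try:
            datetime.strptime(" ".join(line.split()[:width]), fmt)
        except ValueError:
            unmatched.append(line)
    return unmatched

def preflight(conf_text, samples):
    """Map each monitored file to the sample lines its datetime_format does not parse."""
    return {path: check_format(fmt, samples.get(path, []))
            for path, fmt in load_formats(conf_text).items()}
```

Run it against the first few hundred lines of each real file before starting the agent; a non-empty list for a path means those events would arrive stamped with ingestion time.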

Searching and Analyzing Logs in CloudWatch

Once your logs are in CloudWatch, AWS offers a suite of tools to help you sift through the data.

Navigating the CloudWatch Console: Access your logs by opening the CloudWatch console, selecting “Logs” from the sidebar, and choosing the log group associated with your EC2 instance.

Basic Querying Techniques: Use CloudWatch Logs Insights to query your logs. This powerful tool lets you execute searches, apply filters, and even use aggregations to better understand your log data. Example query:

fields @timestamp, @message
| filter @message like /ERROR/
| sort @timestamp desc
| limit 20

Setting Up Metrics & Alarms: With CloudWatch, you can create custom metrics based on specific log patterns. For instance, you might want to track the number of “ERROR” entries in your logs. Once these metrics are set up, you can configure alarms to notify you when specific thresholds are breached, ensuring you’re immediately aware of potential issues.
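Taking the "ERROR" count one step further, this added CloudFormation fragment (not the post's own) turns failed SSH password attempts in the security log into a metric and raises an alarm on a burst, routing it to an SNS topic; the log group name is hypothetical and must already exist, and swapping the FilterPattern for "ERROR" gives exactly the case described above.

```yaml
# Added example, not from the post: metric filter plus alarm on the /var/log/secure log group.
Resources:
  AlertTopic:
    Type: AWS::SNS::Topic            # subscribe an e-mail or pager endpoint after creation
  FailedSshLoginFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: /ec2/example/secure        # hypothetical; the group must already exist
      FilterPattern: '"Failed password"'        # literal term match; use '"ERROR"' for the post's case
      MetricTransformations:
        - MetricName: FailedSshLogins
          MetricNamespace: EC2/Security
          MetricValue: '1'                      # each matching line adds one
          DefaultValue: 0                       # publish zeros so quiet periods are not "missing data"
  FailedSshLoginAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: More than 20 failed SSH logins within 5 minutes
      Namespace: EC2/Security
      MetricName: FailedSshLogins
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 20
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching            # no events at all is not an incident
      AlarmActions: [!Ref AlertTopic]
```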

Automating the Log Shipping Process

For environments where there is frequent provisioning and decommissioning of EC2 instances, automating the setup of CloudWatch Logs can be invaluable.

  1. Using EC2 User Data Scripts:
    • When launching an EC2 instance, you can utilize the user data section to automate the installation and configuration of the CloudWatch Logs agent.
    • Provide a shell script that automates the steps discussed in previous sections (installing the agent, configuring, and starting it).
  2. Leveraging AWS Systems Manager (SSM):
    • AWS SSM provides a method to run commands across a fleet of EC2 instances. Use SSM Run Command to distribute and initiate the CloudWatch Logs agent setup.
    • Additionally, the SSM State Manager can ensure the agent is always running on your instances.
  3. Implementing CloudFormation or Terraform Templates:
    • Infrastructure-as-code solutions like AWS CloudFormation or Terraform allow you to define and provision AWS infrastructure using code.
    • Define the EC2 instance, necessary IAM roles, and CloudWatch Logs configurations in a template. This way, every provisioned EC2 instance automatically has the logging setup.
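As an added example of the infrastructure-as-code option (not from the post), this CloudFormation template provisions the log group with its retention period, an instance role that may write to that one group only, and an Amazon Linux 2 instance whose user data installs, configures and starts the agent; the group name is hypothetical, the AMI is supplied as a parameter, and the instance is assumed to have a route to the CloudWatch Logs endpoint.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ImageId:
    Type: AWS::EC2::Image::Id      # placeholder: an Amazon Linux 2 AMI for your region
Resources:
  SecureLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /ec2/example/secure   # hypothetical name
      RetentionInDays: 90                 # retention policy defined once, with the group
  ShipperRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement: [{ Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: 'sts:AssumeRole' }]
      Policies:   # write access to this one group only, instead of CloudWatchLogsFullAccess
        - PolicyName: put-secure-log-events
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ['logs:CreateLogStream', 'logs:DescribeLogStreams', 'logs:PutLogEvents']
                Resource: !GetAtt SecureLogGroup.Arn
  ShipperProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref ShipperRole]
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref ShipperProfile
      UserData:   # runs once at first boot: install, set the region, write the config, start
        Fn::Base64: !Sub |
          #!/bin/bash
          set -euo pipefail
          yum install -y awslogs
          sed -i 's/^region = .*/region = ${AWS::Region}/' /etc/awslogs/awscli.conf
          cat > /etc/awslogs/awslogs.conf <<'EOF'
          [general]
          state_file = /var/lib/awslogs/agent-state
          [/var/log/secure]
          file = /var/log/secure
          log_group_name = ${SecureLogGroup}
          log_stream_name = {instance_id}
          datetime_format = %b %d %H:%M:%S
          EOF
          systemctl enable --now awslogsd   # Amazon Linux 2 unit; Amazon Linux 1 uses "service awslogs start"
```

The role deliberately omits logs:CreateLogGroup, so a misconfigured section cannot create stray groups; every instance launched from this template writes only to the group the template owns.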

Best Practices

Effective logging isn’t just about capturing logs but also ensuring their quality, security, and usability.

  1. Log Retention & Rotation Policies:
    • CloudWatch allows you to specify retention policies for your logs. Determine how long you need to retain logs and set an appropriate policy to avoid unnecessary costs.
    • On the EC2 instance side, configure log rotation to prevent log files from consuming all available disk space.
  2. Securely Handling Sensitive Information:
    • Ensure that logs don’t capture sensitive information like passwords, API keys, or personally identifiable information (PII).
    • Consider using AWS KMS to encrypt log data in CloudWatch for added security.
  3. Monitoring and Alerting on Critical Log Events:
    • Beyond system metrics, set up CloudWatch Alarms on specific log patterns that signify critical issues or failures.
    • Integrate CloudWatch with notification services like Amazon SNS to get real-time alerts.

Troubleshooting Common Issues

Despite best efforts, you may encounter challenges when setting up or maintaining your EC2-to-CloudWatch logging pipeline.

  1. Ensuring Correct IAM Permissions:
    • Log shipping failures often stem from permission issues. Always verify that your EC2 instance’s IAM role has the correct permissions for CloudWatch Logs.
  2. Verifying Agent Connectivity & Configuration:
    • Check the agent’s log file, typically located at /var/log/awslogs.log, for any errors or warnings.
    • Ensure that your EC2 instance has internet access, either through a direct connection or via a VPC endpoint, to communicate with CloudWatch Logs.
  3. Addressing Common Error Messages:
    • “DataAlreadyAcceptedException”: This indicates a log event was sent with a timestamp older than any existing event in the log stream. Ensure your system clock is synchronized.
    • “InvalidSequenceTokenException”: This often occurs if there is a mismatch between the sequence token provided and the expected value on CloudWatch’s end. This can sometimes resolve on its own, but if it persists, consider restarting the agent.

Conclusion

Logging is an integral part of any system’s operations, offering valuable insight into application health, system performance, and potential security vulnerabilities. By integrating EC2 logs with CloudWatch, AWS users harness the power of centralized logging. With this setup, real-time monitoring, alerting, and in-depth analysis of logs become seamlessly integrated parts of an AWS-centric operational workflow.

By following this guide, you have set up an EC2 instance to ship its logs to CloudWatch, ensuring they’re stored and rotated appropriately, and are now well-equipped to troubleshoot potential issues.

Frequently Asked Questions (FAQ)

  1. What is AWS CloudWatch?
    • AWS CloudWatch is a monitoring and observability service that provides data and actionable insights to monitor applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.
  2. Why should I send EC2 logs to CloudWatch?
    • Centralizing your EC2 logs in CloudWatch provides an integrated logging solution where you can monitor, alert, and archive logs alongside metrics, allowing for streamlined troubleshooting and enhanced observability.
  3. How much does it cost to use CloudWatch for logging?
    • CloudWatch Logs pricing is based on the ingestion and storage of logs, as well as any additional features like CloudWatch Logs Insights queries. Check the official AWS pricing page for detailed information.
  4. Is the data sent to CloudWatch Logs encrypted?
    • Yes, data sent to CloudWatch Logs is encrypted in transit and at rest. For enhanced security, you can also integrate with AWS KMS for custom encryption keys.
  5. Can I send logs from non-AWS sources to CloudWatch?
    • Absolutely! While this guide focuses on EC2, the CloudWatch Logs Agent can be installed on on-premises servers, allowing you to send logs from virtually anywhere to CloudWatch.
  6. What if my EC2 instance does not have internet access?
    • If your EC2 instance resides within a Virtual Private Cloud (VPC) without direct internet access, you can set up VPC endpoints to allow logs to be delivered to CloudWatch without traversing the public internet.
  7. How do I handle sensitive information in logs?
    • Always ensure that sensitive information (like passwords or API keys) is either not logged or is obfuscated. AWS also provides tools like AWS Secrets Manager to manage sensitive information without exposing it in logs.
  8. Can I integrate CloudWatch with third-party monitoring tools?
    • Yes, CloudWatch provides integration capabilities with popular monitoring solutions like Datadog, New Relic, and others through AWS partner programs and APIs.
  9. What is the retention period for logs in CloudWatch?
    • CloudWatch Logs allows you to specify retention settings for each log group, ranging from one day to indefinitely.
  10. I’m facing issues with the CloudWatch Logs Agent. Where can I find help?
    • Start by checking the agent’s log files for any error messages. AWS also provides extensive documentation, forums, and support channels to assist with troubleshooting.

Atiqur Rahman

I am MD. Atiqur Rahman, a graduate of BUET and an AWS-certified solutions architect. I have successfully achieved 6 certifications from AWS, including Cloud Practitioner, Solutions Architect, SysOps Administrator, and Developer Associate. I have more than 8 years of working experience as a DevOps engineer designing complex SaaS applications.
