Ref: https://learn.cantrill.io/courses/1820301/lectures/41301604

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301605 and https://learn.cantrill.io/courses/1820301/lectures/41301606

• Summary
• Contents:

CloudWatch Logs for EC2

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1100-ADVANCED_EC2/00_LEARNINGAIDS/LoggingonEC2CWAgent.png

• By default, CloudWatch can monitor external metrics of EC2 instances…
  • CPU utilization
  • Disk R/W operations
  • NW data (IN/OUT)
• ‼️ …but it can NOT natively capture data inside an instance!
  • Internal data is opaque to CW
• 🔧 CloudWatch Agent can be configured inside an EC2 instance
  • Sends (injects) metrics and logs into CW
  • Can capture internal metrics of the instance OS. Examples:
    • Memory utilization
    • More detailed CPU Metrics: idle time, system time, I/O wait time…
  • Can capture system and application logs
    • A log group is configured for each individual log
    • Each instance that performs logging will have a log stream in the log group
  • 💡 Unified CloudWatch Agent is a more modern version of CWLogs Agent. In this section, we assume we're using the modern version.
• Automatic configuration (e.g. via CFN) recommended when deploying at scale
  • CW Agent configuration can be stored in the SSM Parameter Store
    • can be used for many instances
• ❗ CW Agent requires permissions to function properly
  • Instance needs permissions to send/inject/write data to CWLogs
  • Instance needs permissions to store and fetch configuration from SSM Parameter Store (if configuration should be stored there)
  • Best practice: grant permissions via instance role (IAM role)

DEMO: CW Agent configuration steps for A4L Wordpress instance

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301605 and https://learn.cantrill.io/courses/1820301/lectures/41301606

1. Configure IAM role that grants required permissions
   • Type: EC2 Role
   • Add Managed Policy CloudWatchAgentServerPolicy
   • Add Managed Policy AmazonSSMFullAccess
2. Install CW Agent inside the instance: sudo dnf install amazon-cloudwatch-agent
3. Run the configuration wizard of CW Agent:
   • Command: sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
   • Accept all defaults until default metrics, pick advanced there.
   • Specify the log files we want the Agent to inject into CW:
     • /var/log/secure - logs of all secure accesses to the instance
     • /var/log/httpd/access_log - access logs of the Apache web server
       • e.g. accessing index.html
     • /var/log/httpd/error_log - error logs of the Apache web server
       • e.g. accessing a non-existing file and returning 404
4. Store configuration
   • Location inside the instance: /opt/aws/amazon-cloudwatch-agent/bin/config.json
   • Select to store it also in SSM Parameter Store
5. 💡 CW Agent requires this directory and this file to exist in order to start, need to manually add them since they're not there by default in Linux instances:
   1. sudo mkdir -p /usr/share/collectd/
   2. sudo touch /usr/share/collectd/types.db