# awslog agent

This role installs the awslogs agent, which ships syslog to CloudWatch Logs. The default configuration sends `/var/log/messages` to CloudWatch and is shown below.

```ini
[/var/log/messages]
datetime_format = %Y-%m-%d %H:%M:%S
file = /var/log/messages
buffer_duration = 5000
log_stream_name = {hostname}
initial_position = start_of_file
log_group_name = linux-syslog
```

## requirements

Instances need the following CloudWatch Logs permissions. Create an IAM policy with these privileges and attach it to the instance role:

- CreateLogStream
- DescribeLogStreams
- CreateLogGroup
- PutLogEvents

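A least-privilege instance-role policy granting exactly the four permissions above, scoped to the role's default `linux-syslog` log group. This is an added example and not part of this role; the region `us-east-1` and the account ID `111122223333` are placeholders that must be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AwslogsAgentLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:linux-syslog:*"
    },
    {
      "Sid": "AwslogsAgentLogStreams",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:linux-syslog:log-stream:*"
    }
  ]
}
```

Scoping `Resource` to the log group ARN instead of `*` keeps a compromised instance from writing into or enumerating other log groups in the account; if you change `log_group_name` in the agent configuration, update both ARNs to match.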
|
## s3 bucket policy

If the CloudWatch logs need to be exported to S3, the bucket needs the following policy. The third statement is unrelated to this role; it allows the ALB access-logging service account to write logs to the S3 bucket.

```json
{
  "Version": "2012-10-17",
  "Id": "CHG0194311",
  "Statement": [
    {
      "Sid": "Stmt1438571420001",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-east-1.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::MY-S3-BUCKET"
    },
    {
      "Sid": "Stmt1438571420002",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-east-1.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::MY-S3-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "Stmt1429136633762",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::127311923021:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::MY-S3-BUCKET/lb/*"
    }
  ]
}
```

## references

- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasks.html