AWS CloudWatch Streaming Output and Integration

George Alpizar

Overview

The AWS CloudWatch output will stream logs to a specified CloudWatch log group.

Before you begin

Before you can create an output, you must have the CloudWatch log group name and log stream name available.


Review Parameters

Review the following parameters that you can configure in the Edge Delta App:

YAML Description
name

Enter a descriptive name for the output or integration.

For outputs, this name will be used to map this destination to a workflow.

This parameter is required. 

Review the following example:

name: cloudwatch-auto
integration_name

This parameter only appears when you create an individual output.

This parameter refers to the organization-level integration created in the Integrations page. If you enter this name, then the rest of the fields will be automatically populated.

If you need to add multiple instances of the same integration into the config, then you can add a custom name to each instance via the name field. In this situation, the name should be used to refer to the specific instance of the destination in the workflows.

This parameter is optional. 

Review the following example:

integration_name: orgs-cloudwatch
type

Enter cloudwatch.

This parameter is required. 

Review the following example:

type: cloudwatch
aws_key_id

If you want to use role-based authentication, then do not enter an AWS key.

This parameter is optional. 

Review the following example:

aws_key_id: '{{ Env "AWS_KEY_ID" }}'
aws_sec_key

If you want to use role-based authentication, then do not enter an AWS secret key.

This parameter is optional. 

Review the following example:

aws_sec_key: '{{ Env "AWS_SECRET_KEY" }}'
region

Enter the destination AWS region to send logs to.

This parameter is required. 

Review the following example:

region: us-west-2
role_arn

To assume an AWS IAM role, enter the account ID and role name.

This parameter is optional. 

Review the following example:

role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
external_id

Enter a unique identifier to avoid a confused deputy attack.

This parameter is optional. 

Review the following example:

external_id: "053cf606-8e80-47bf-b849-8cd1cc826cfc"
log_group_name

Enter the CloudWatch log group name.

This parameter is required. 

Review the following example:

log_group_name: test_log_group
log_stream_name

Enter the CloudWatch log stream name.

You can enter a name or prefix, but not both.

This parameter is required. 

Review the following example:

log_stream_name: test_log_stream
log_stream_prefix

Enter the CloudWatch log stream prefix.

You can enter a name or prefix, but not both.

This parameter is required. 

Review the following example:

log_stream_prefix: ecs
allow_label_override

Enter true or false to override the default values for:

  • log group name
  • log stream name
  • log stream prefix

The default values will be replaced based on the configurations for the following labels from your ECS or EKS deployment: 

  • ed_log_group_name
  • ed_log_stream_name
  • ed_log_stream_prefix

This parameter is optional. 

Review the following example:

allow_label_override: true
auto_configure

Enter true or false to automatically create:

  • LogGroupName in the /ecs/task_definition_family format
  • LogsStreamPrefix in the ecs/container_name/task_id format

This parameter is only supported for ECS environments.

Additionally, only region configurations can be provided.

This parameter is optional. 

Review the following example:

auto_configure: true
host

If you enter a host, then this output will be tailed by the agent.

  • This parameter can be useful to avoid duplicate consumption if you have more than one agent running the same agent configuration.

This parameter is optional. 

Review the following example:

host: "myhost"
features

This parameter defines which data types to stream to the destination.

You can enter log, edac, and / or cluster pattern.

To learn more, review the Review Feature Types section in Stream Outputs and Integrations Overview.

This parameter is optional. 

Review the following example:

features: log
buffer_ttl

Enter a length of time to retry failed streaming data.

After this length of time is reached, the failed streaming data will no longer be retried.

This parameter is optional. 

Review the following example: 

buffer_ttl: 2h
buffer_path

Enter a folder path to temporarily store failed streaming data.

The failed streaming data will be retried until the data reaches its destinations or until the Buffer TTL value is reached.

If you enter a path that does not exist, then the agent will create directories, as needed.

This parameter is optional.

Review the following example:

buffer_path: /var/log/edgedelta/pushbuffer/
buffer_max_bytesize

Enter the maximum size of failed streaming data that you want to retry.

If the failed streaming data is larger than this size, then the failed streaming data will not be retried.

This parameter is optional.

Review the following example:

buffer_max_bytesize: 100MB
auto_create

If this parameter is set, then IAM policies will be set.

If this parameter is not set, then log group and log stream will be created.

This parameter is optional. 

Review the following example: 

auto_create: true
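
The parameter rules above can be checked before a configuration is deployed. The following linter is an added example, not Edge Delta code. It assumes the output entry has already been parsed from YAML into a dict, treats log_group_name and a stream setting as required only when auto_configure is off, and flags literal AWS keys in favor of the Env template form shown above; the sample inputs are constructed.

```python
import re

ENV_TEMPLATE = re.compile(r'^\{\{\s*Env\s+"\w+"\s*\}\}$')
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")

def lint_cloudwatch_output(out):
    """Return findings for one output entry (a dict, as parsed from the YAML)."""
    findings = []
    for key in ("name", "type", "region"):
        if not out.get(key):
            findings.append(f"missing required field: {key}")
    if out.get("type") and out["type"] != "cloudwatch":
        findings.append("type must be cloudwatch")

    has_name = bool(out.get("log_stream_name"))
    has_prefix = bool(out.get("log_stream_prefix"))
    if has_name and has_prefix:
        findings.append("set log_stream_name or log_stream_prefix, not both")
    if not out.get("auto_configure"):
        # Assumption: without auto_configure, the group and one stream setting are needed.
        if not out.get("log_group_name"):
            findings.append("missing required field: log_group_name")
        if not (has_name or has_prefix):
            findings.append("missing log_stream_name or log_stream_prefix")

    key_id, secret = out.get("aws_key_id"), out.get("aws_sec_key")
    if bool(key_id) != bool(secret):
        findings.append("aws_key_id and aws_sec_key must be set together")
    for field, value in (("aws_key_id", key_id), ("aws_sec_key", secret)):
        if value and not ENV_TEMPLATE.match(str(value)):
            findings.append(f"{field} is a literal; use an Env template")

    role = out.get("role_arn")
    if role:
        if not ROLE_ARN.match(role):
            findings.append("role_arn is not an IAM role ARN")
        if not out.get("external_id"):
            findings.append("role_arn set without external_id")
    return findings

# Constructed inputs: a valid prefix-based output and a deliberately bad one.
SAMPLE = {"name": "cloudwatch", "type": "cloudwatch", "region": "us-west-2",
          "log_group_name": "/ecs/microservice", "log_stream_prefix": "ecs",
          "auto_create": True, "features": "log"}
BAD = {"name": "cw", "type": "cloudwatch", "region": "us-west-2",
       "log_group_name": "g", "log_stream_name": "s", "log_stream_prefix": "p",
       "aws_key_id": "literal-key-id",
       "role_arn": "arn:aws:iam::123456789012:role/ed"}  # placeholder account ID

if __name__ == "__main__":
    for cfg in (SAMPLE, BAD):
        print(cfg["name"], lint_cloudwatch_output(cfg))
```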

Review Sample Configuration

The following sample configuration displays an output without the name of the organization-level integration:

      - name: cloudwatch
        type: cloudwatch
        region: us-west-2
        log_group_name: /ecs/microservice
        log_stream_prefix: ecs
        auto_create: true
        features: log
  • If the auto_create parameter is not set, then you can assign the following permission to taskExecutionRoleArn to put log events into CloudWatch. Review the following example:

        {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Action": [
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }]
        }
  • If the auto_create parameter is set, then assign the following permission to taskExecutionRoleArn. Review the following example:

        {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogStream",
              "logs:CreateLogGroup",
              "logs:DescribeLogStreams",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }]
        }
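
Both policies above grant their actions on "Resource": "*", and the external_id parameter only protects against a confused deputy when the assumed role's trust policy requires it. The following is an added example, not from the Edge Delta documentation, that builds the same action sets scoped to a single log group, builds a trust policy that enforces the external ID, and flags wildcard statements. The account ID and principal ARN passed in are placeholders chosen by the caller.

```python
import re

# The first policy shown above, kept here to demonstrate the wildcard check.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"}]}

def scoped_logs_policy(region, account_id, log_group, auto_create):
    """Same actions as the policies above, limited to one log group."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be 12 digits")
    if not log_group or "*" in log_group:
        raise ValueError("log_group must be a concrete name")
    actions = ["logs:PutLogEvents"]
    if auto_create:  # extra actions listed above for auto_create
        actions = ["logs:CreateLogStream", "logs:CreateLogGroup",
                   "logs:DescribeLogStreams"] + actions
    group = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    # The group ARN covers group-level actions; ":*" covers its log streams.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": actions,
        "Resource": [group, group + ":*"]}]}

def trust_policy(principal_arn, external_id):
    """Trust policy for role_arn: AssumeRole succeeds only with the external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def wildcard_statements(policy):
    """Return Allow statements whose Resource is, or includes, a bare "*"."""
    hits = []
    for st in policy.get("Statement", []):
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and "*" in res:
            hits.append(st)
    return hits

if __name__ == "__main__":
    import json
    scoped = scoped_logs_policy("us-west-2", "123456789012", "/ecs/microservice", True)
    print(json.dumps(scoped, indent=2))
    print(len(wildcard_statements(PAGE_POLICY)), len(wildcard_statements(scoped)))
```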

 
