CloudWatch

CoudlWatch collects logging infomration.

Can come from EC2, Route 53, and CloudTrail

It is the standard way in AWS to monitor services.

CloudWatch Metrics:

• Built in monitoring and reporting.

• Alarms can be created that send to SNS topics.

• Graphical dashboards can be created.

What can cloudwatch be used for

• Monitoring log data.

• Log Metrics and filters.

• Threshold alarms - alarms after something happens - eg 4 failed logins.

• Notifications - Cloudwatch can send SNS notifications.

Cloudwatch alarms can:

• Notify using SNS

• Perform automated actions - maybe spin up additional EC2 instances.

Cloudwatch logs

Some terminology:

• Filter pattern - Allows to filter what logs get forwarded to the destination.

• Log events - The log data itself - in utf8 format.

• Log streams - these are log events that share the same source. Each event is a line in the file.

• Log groups - These are a group. There is no limit to how many log streams can be part of a group.

• Retention sessions - exactly how it sounds.

By defauly logs do not expire - this can cause addiitonal costs.

You can select a period from 1 day to 10 years for retention & automatically delete older logs.

Cloudwatch Agent on EC2

This enables more detailed infomation and logs from an EC2 instance.

• Two new IAM roles are required:

• First role: Collects log data for CloudWatch.

EC2 --> CouldWatch

• Second role: Handles communcation with systems mamanger service - for the configuration file.

Systems Manager --> EC2

If you are rolling out a unified system with EC2 instances this second role is critical - allows you to configure each instance quickley.

Searching CloudWatch Logs

The following capabilities are provided out of the box:

• Text search

• Filter by expressions

• Metric filters - Filter metrics based on log data.

• Log Insights - Can run hoc queries and visualize data with tables anf graphs - dashboard stuff.

Using metric filters

Metric filters pull data from log events.

This can be used to look for various terms in the log files.

A good example, searching for Access Denied in access logs, or Error 500 in app server logs.

These could used to issue a cloudwatch alarm is a threshold is exceeded.

CloudWatch Alarms

These monitor metrics and send alarms such as SNS alerts is metrics are exceeded.

The alarm monitors a cloudwatch metric.

A threshold is set for the metric.

A action is set for the alarm.

Actions sould be systems manager events, SNS notifications our autoscaling options.

Alarms have limits:

• Names must be in ASCII

• 5,000 alarms per region per account.

• Alarms can be added to CloudWatch dashboards.

• Can be tested with SetAlarmState.

• History is saved for 14 days.