End to End Setup for Logging to CloudWatch from Amazon Linux

Here is a quick walkthrough to configure logs on Amazon Linux, including IAM role creation.

Let's start with the IAM policy that the role will consume. Go to IAM > Policies > Create Policies, and select 'Create Your Own Policy'.

Enter the name, description, and the following text, then click 'Validate Policy'.

 "Version": "2012-10-17",
 "Statement": [
     "Effect": "Allow",
     "Action": [
     "Resource": [
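
An example of a complete policy document for this step, added here and not the author's original text: it grants the four CloudWatch Logs actions that AWS documents for the awslogs agent and scopes them to a single log group. The account ID 111122223333, the region us-east-1, the Sid, and the /var/log/messages log group name are assumptions; substitute your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleAwslogsAgentWrite",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:111122223333:log-group:/var/log/messages",
        "arn:aws:logs:us-east-1:111122223333:log-group:/var/log/messages:*"
      ]
    }
  ]
}
```

Each additional log group the agent writes to needs its own pair of Resource entries. A wildcard such as arn:aws:logs:*:*:* would also let the instance write to every log group in the account.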


After the policy has validated successfully, click 'Create Policy'.

Now go to IAM > Roles > 'Create Role', and select the Amazon EC2 role type. This will preconfigure the trust type for EC2 for you.

Now attach the policy you made earlier and go to the Next Step.

Now name your role and give it a description, then click 'Create Role'. In this case, I made a default IAM role to which I can attach any other policies that I want all VMs to have by default. If this is your first time making IAM roles, this is probably applicable; otherwise you may have other roles you would rather adjust to consume this policy.

Now, go grab a beverage or something because you will probably run into an error if you try to attach the IAM Role to an instance in the next 10-15 minutes...

Huzzah! Now we've had our beverage and the role should be ready to attach. Go to EC2 > Instances, select your instance, and go to Instance Settings > Attach/Replace IAM Role.

Select your role and apply.

Now we're ready to install the awslogs application on the server! SSH into your Amazon Linux instance and run these commands to install it:

sudo yum update
sudo yum install awslogs

Start the service and set it to start automatically:

sudo service awslogs start
sudo chkconfig awslogs on

Now you should be able to check the log for the awslogs service and see successful log submissions:

sudo cat /var/log/awslogs.log

And in CloudWatch Logs

Huzzah! Now you have a basic dump of logs into CloudWatch, and all the capability to alert and report off of that. If necessary, you can do further customizations of what gets sent inside of the /etc/awslogs/awslogs.conf file.

