How should I monitor whether Windows event logs and syslogs are successfully transferred to CloudWatch Logs?



Logs generated by the server (e.g., event logs and syslogs) are forwarded to CloudWatch Logs using CloudWatch Agent. Log groups are configured in units of event logs and syslogs, and log streams are configured in units of instances.

In this configuration, how should I check the correctness of the log forwarding? I'm concerned that I will find out that the logs are not being forwarded when I need them. (Such as after an automatic upgrade of the CloudWatch Agent. Is this something I should not be concerned about in the first place)

Best Regards,

asked a year ago377 views
2 Answers
Accepted Answer

To confirm, if the logs are collecting correctly, we can check on both log group level and cloudwatch agent level. Let me explain.

---- Log Group Level -----

Cloudwatch is a repository service which means source pushes the log data in log group. Hence, you can monitor the log group by checking logstream creationtime and lastIngestionTime, If you are observing the creationtime or lastIngestionTime is not recent then you can open a case with AWS Support to troubleshoot. Please note that there is no native solution to check creationtime or lastIngestionTime automatically, you have to check log group manually.

As mentioned above, if logs are not collecting properly then there could be issue with either Source[EC2 instance] or Agent.

First check EC2 instance state, If it is running properly then we have to check on cloudwatch agent level.

---- CloudWatch Agent Level -----

There is currently no native solution from the CloudWatch side to send notifications when the CloudWatch Agent service is down on an EC2 instance. Since CloudWatch Agent is an add-on service installed at the OS level, the maintenance of this service is managed by the instance and not the CloudWatch service. That being said, There are couple of work-around, which can help you to monitor the agent status:

  1. You can use SSM command 'AmazonCloudWatch-ManageAgent' in order to check agent status. If it is not running then you will need to restart the agent.

  2. Cloudwatch agent pushes agent logs to the file

'$Env:ProgramData\Amazon\AmazonCloudWatchAgent\Logs\amazon-cloudwatch-agent.log'. You can push this file to cloudwatch using agent itself.

If there are any errors, failure then agent will logs these in the same log file. With the logs, you can monitor for error, failure.

In case if agent has any failure, issue then you will need to check errors and perform required actions. There is no automation for recovery of agent failure.

profile picture
answered a year ago

Thank you very much, very helpful. We have confirmed the contents.

Best Regards,

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions