Post a Log to Cloudwatch log group with aws-java-sdk 1.11.817


I am trying to post a log to CloudWatch from an Elastic Beanstalk Tomcat. I get the error: ...is not authorized to perform: events:PutEvents on resource: arn...:event-bus/default because no identity-based policy allows the events:PutEvents action... I understand that I need to attach an additional policy to the aws-elasticbeanstalk-service-role role? But what policy? Is there a built-in Amazon template for that?

I would like to publish certain logs directly to my own CloudWatch log group from my Elastic Beanstalk server. I am trying to follow this post: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-cloudwatch-send-events.html and it does not give me an error on my local machine, but I don't know where the logs are!

Thanks.

1 Answer

Hello there,

Thanks for posting your question on re:Post and helping our community to grow.

I can see that you are trying to directly post a log (Log Event) to your CloudWatch Log Group from your Elastic Beanstalk Tomcat application. Unfortunately, the guide[1] that you are following is not relevant to posting a Log Event to the CloudWatch Logs service; it is related to the EventBridge service (a.k.a. CloudWatch Events) and it uses the PutEvents[2][3] API call. You can refer to the links for more information about the API. The PutEvents API call publishes an Event to an Event Bus, a resource on the EventBridge service that receives events from AWS services (default EventBus) and other custom events (custom EventBus).

So, to post a Log Event to your CloudWatch Log Group, we need to use the PutLogEvents[4] API call, and you can refer to [5][6] for information on the Java SDK. Ideally, in the RequestParameters you need to provide the logEvents, logGroupName, logStreamName, and sequenceToken, which are required to issue the call.

Regarding the IAM permissions required to post a Log (PutLogEvents), ideally what you need is logs:PutLogEvents. You can refer to this page[7] for Elastic Beanstalk resources and the permissions required for logging instance logs to CloudWatch. Presumably you are using the EC2 instance profile attached to the Elastic Beanstalk instance to put the Log Events to the CloudWatch Log Group, so this permission can be used here:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

I would also like to suggest that you check this page[8] to see whether it covers what you are trying to achieve, and whether you want to use this available logging feature from the Elastic Beanstalk service.

Thanks again for your question, and I trust that the above information helps you progress further in your tasks.

Regards, Munkhbat

AWS
SUPPORT ENGINEER
answered a year ago
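
The PutLogEvents call described in the answer above, as an added example that is not part of the original answer: a minimal AWS SDK for Java v1 (`aws-java-sdk-logs`) client that exercises `logs:CreateLogStream`, `logs:DescribeLogStreams` and `logs:PutLogEvents` from the posted policy. The log group and stream names are assumptions, the log group is assumed to exist already, and credentials and region are assumed to come from the default provider chain (the EC2 instance profile on Elastic Beanstalk).

```java
import com.amazonaws.services.logs.AWSLogs;
import com.amazonaws.services.logs.AWSLogsClientBuilder;
import com.amazonaws.services.logs.model.*;

import java.util.Collections;
import java.util.List;

public class PutLogExample {
    // Assumed names for illustration; the log group must already exist.
    static final String GROUP = "my-app-log-group";
    static final String STREAM = "tomcat-instance-1";

    public static void main(String[] args) {
        // Credentials and region come from the default provider chain
        // (on Elastic Beanstalk: the EC2 instance profile).
        AWSLogs logs = AWSLogsClientBuilder.defaultClient();

        // logs:CreateLogStream - create the stream, tolerate an existing one.
        try {
            logs.createLogStream(new CreateLogStreamRequest(GROUP, STREAM));
        } catch (ResourceAlreadyExistsException e) {
            // Stream is already there; reuse it.
        }

        // logs:DescribeLogStreams - fetch the current upload sequence token
        // (null for a stream that has never received events).
        String token = null;
        List<LogStream> streams = logs.describeLogStreams(
                new DescribeLogStreamsRequest(GROUP).withLogStreamNamePrefix(STREAM))
                .getLogStreams();
        for (LogStream s : streams) {
            if (STREAM.equals(s.getLogStreamName())) {
                token = s.getUploadSequenceToken();
            }
        }

        // logs:PutLogEvents - one constructed event with a millisecond timestamp.
        InputLogEvent event = new InputLogEvent()
                .withTimestamp(System.currentTimeMillis())
                .withMessage("constructed sample message from Tomcat");
        PutLogEventsRequest request = new PutLogEventsRequest()
                .withLogGroupName(GROUP)
                .withLogStreamName(STREAM)
                .withLogEvents(Collections.singletonList(event))
                .withSequenceToken(token);
        PutLogEventsResult result = logs.putLogEvents(request);
        System.out.println("next token: " + result.getNextSequenceToken());
    }
}
```

Because this code only touches one log group, the `Resource` element of the instance profile policy can be narrowed from `"*"` to that log group's ARN.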
