EC2 Windows - CloudWatch Agent not creating "Log Group" for custom file logs

0

Hello,

I created an EC2 Windows instance and installed the CloudWatch Agent. I ran the configuration wizard and added the Windows System logs and a custom file location, as can be seen here:

{
	"logs": {
		"logs_collected": {
			"files": {
				"collect_list": [
					{
						"file_path": "C:\\Logs\\appplication.log",
						"log_group_name": "My-Logs",
						"log_stream_name": "{instance_id}",
						"retention_in_days": 1
					}
				]
			},
			"windows_events": {
				"collect_list": [
					{
						"event_format": "xml",
						"event_levels": [
							"VERBOSE",
							"INFORMATION",
							"WARNING",
							"ERROR",
							"CRITICAL"
						],
						"event_name": "System",
						"log_group_name": "WindowsEventSystem",
						"log_stream_name": "{instance_id}",
						"retention_in_days": 1
					}
				]
			}
		}
	}
}

I tried different "file_path" formats for the custom logs and entered text in the file, but still the "Log Group" does not get created in CloudWatch, only the WindowsEventSystem one:

"C:/Logs/appplication.log", "C:\Logs\appplication.log", "C:\\Logs\\appplication.log"

[image]

Custom Logs: [image]

Policy attached to the EC2 instance:

[image]

Any help will be appreciated. Thanks

  • Is it possible to create subscription filter as part of this config file?

  • I am also facing the same issue. Does anyone have a solution for this yet?

  • I am having the exact same issue as well: only Windows events were piped to CloudWatch, but not the customised log files. Does anyone have the solution?

  • @eugenelq: I got it working with Matt B's answer below (refer to the link in his answer). Also, try again with a fresh / new EC2 instance.

cwonaws
asked 2 years ago, 1947 views
3 Answers
0

I suggest you try escaping the directory separator in the file_path, e.g. "C:\\Logs\\appplication.log". Or maybe there is a typo in the file name (ppp) and the file doesn't exist?

AWS
Pete_D
answered 2 years ago
  • Thank you Pete_D. I have added an image showing the file path and file. The file path and file exist. My latest version of the configuration file is using your and Matt-B's suggestion for the path. Thanks again.

  • Have you had a look at the CWAgent log file? This is normally in C:\ProgramData\Amazon\AmazonCloudWatchAgent\Logs, and it may give some clues.

0

Hi There

Please try using "C:\\Logs\\appplication.log" for the file_path

Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html#CloudWatch-Agent-Configuration-File-Logssection

The following is an example of a logs section.

"logs":
   {
       "logs_collected": {
           "files": {
               "collect_list": [
                   {
                       "file_path": "c:\\ProgramData\\Amazon\\AmazonCloudWatchAgent\\Logs\\amazon-cloudwatch-agent.log",
                       "log_group_name": "amazon-cloudwatch-agent.log",
                       "log_stream_name": "my_log_stream_name_1",
                       "timestamp_format": "%H: %M: %S%y%b%-d"
                   },
                   {
                       "file_path": "c:\\ProgramData\\Amazon\\AmazonCloudWatchAgent\\Logs\\test.log",
                       "log_group_name": "test.log",
                       "log_stream_name": "my_log_stream_name_2"
                   }
               ]
           },
           "windows_events": {
               "collect_list": [
                   {
                       "event_name": "System",
                       "event_levels": [
                           "INFORMATION",
                           "ERROR"
                       ],
                       "log_group_name": "System",
                       "log_stream_name": "System"
                   },
                   {
                       "event_name": "CustomizedName",
                       "event_levels": [
                           "INFORMATION",
                           "ERROR"
                       ],
                       "log_group_name": "CustomizedLogGroup",
                       "log_stream_name": "CustomizedLogStream"
                   }
               ]
           }
       },
       "log_stream_name": "my_log_stream_name"
}

Also, here is a good walk-through (lab) for setting up CW Logging on a Windows server:

https://catalog.us-east-1.prod.workshops.aws/workshops/ace21ec3-c22b-484d-8e0d-4b497eadfc66/en-US/2-monitoring-microsoft-workloads-on-aws/cwlog

AWS
EXPERT
Matt-B
answered 2 years ago
  • Thank you Matt-B, I appreciate the time. I did try the format you indicated, "C:\Logs\appplication.log", and CloudWatch still does not create the "Log Group" "My-Logs". Thanks again.

0

In addition to the other replies, I would verify that the role attached to the instance has the IAM permissions for logs:CreateLogGroup

kyager
answered 2 years ago
  • Thank you Kyager. The policy has that permission. I have attached an image showing the entire policy.
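
The checks suggested in the answers above (a config that parses as JSON with escaped path separators, a file that actually exists, and the agent's own log), collected into one PowerShell script as an added example; it is not from the original thread or from AWS. `$ConfigPath` is an assumed parameter for wherever the wizard saved the config, and the `E!` error marker is an assumption about the agent's log format.

```powershell
# Added example, not from the thread. $ConfigPath is an assumed parameter:
# point it at the JSON file the configuration wizard saved.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,
    # Agent log location as given in the answers above.
    [string] $AgentLog = 'C:\ProgramData\Amazon\AmazonCloudWatchAgent\Logs\amazon-cloudwatch-agent.log'
)

# 1. The config must parse as JSON. A missing closing brace, or a single
#    unescaped backslash such as "C:\Logs\...", fails at this step.
try {
    $config = Get-Content -LiteralPath $ConfigPath -Raw -ErrorAction Stop |
        ConvertFrom-Json -ErrorAction Stop
} catch {
    throw "Cannot load config as JSON: $($_.Exception.Message)"
}

# 2. Every file_path in the files section should resolve to a real file.
$entries = @($config.logs.logs_collected.files.collect_list | Where-Object { $_ })
if ($entries.Count -eq 0) {
    Write-Warning 'No entries under logs.logs_collected.files.collect_list.'
}
foreach ($entry in $entries) {
    # -Path (not -LiteralPath) so a "*" wildcard in file_path is expanded.
    $file = Get-Item -Path $entry.file_path -ErrorAction SilentlyContinue |
        Select-Object -First 1
    [pscustomobject]@{
        FilePath  = $entry.file_path
        LogGroup  = $entry.log_group_name
        Exists    = [bool]$file
        SizeBytes = if ($file) { $file.Length } else { $null }
    }
}

# 3. Show the agent's own recent errors. "E!" as the error-line marker is an
#    assumption about the log format; AccessDenied points at the instance
#    role (for example a missing logs:CreateLogGroup permission).
if (Test-Path -LiteralPath $AgentLog) {
    Select-String -LiteralPath $AgentLog -Pattern 'E!', 'AccessDenied' -SimpleMatch |
        Select-Object -Last 20 -ExpandProperty Line
} else {
    Write-Warning "Agent log not found at $AgentLog"
}
```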
