By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Add my App's logs to Cloudwatch in AppStream

0

I have set up Appstream for one of our windows apps, I have 2 fleets, one for just showing the APP and one to test the Application using the DESKTOP. My application generates log files, in C:\app-logs\

I have a script that runs at session start that sets everything up and dynamically creates a json config file to collect the logs and upload them to cloudwatch.

The problem I have is I created the cloudwatch log config file with the following data

{
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "C:\\app-logs\\Logs\\*.txt",
            "log_group_name": "my-group-name",
            "log_stream_name": "my-stream-name",
            "timezone": "Local"
          }            
        ]
      }
    }
  }
}

I run this command to append the config to the cloudwatch agent

& "C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1" -a append-config -m ec2 -s -c file:"$configFilePath\myConfigFile.json"

It definitely parses the config file correctly as in the C:\ProgramData\Amazon\AmazonCloudWatchAgent\Configs folder is the file file_myConfigFile.json And it throws the following error

cloudwatch: code: AccessDenied, message: User: arn:aws:sts::<redacted>:assumed-role/InstanceCloudWatchAccessRole/AppStream2.0 is not authorized to perform: cloudwatch:PutMetricData because no identity-based policy allows the cloudwatch:PutMetricData action, original error: <nil>

I have the role created that has these permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CWACloudWatchPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "ec2:DescribeTags",
                "logs:PutLogEvents",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords",
                "xray:GetSamplingRules",
                "xray:GetSamplingTargets",
                "xray:GetSamplingStatisticSummaries"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CWASSMPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:PutParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
        }
    ]
}

And this trust relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "appstream.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

And I run the fleet with that IAM:arn SO then I moved the arn role to the cloudwatch log config

{
  "logs": {
    "credentials": {
      "role_arn": "arn:aws:iam::<redacted>:role/MyAppStreamCloudWatchAgentAdminRole"
    },
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "C:\\app-logs\\Logs\\*.txt",
            "log_group_name": "my-group-name",
            "log_stream_name": "my-stream-name",
            "timezone": "Local"
          }            
        ]
      }
    }
  }
}

And it still throws the same error.

Any ideas on how I can get Cloudwatch to pick my log files up in AppStream ? (I also tried a fetch instead of append to replace the cloudwatch existing config with mine, and it stops the service for some reason.)

Topics
Management & GovernanceNetworking & Content DeliveryEnd User Computing
Tags
Amazon CloudWatchAmazon AppStream
Language
English
JamesH
asked 2 months ago78 views
1 Answer
0
Accepted Answer

Hi there,

The CloudWatch Agent cannot be customized as it is a service dependency for AppStream. Another tool must be used to push logs to CloudWatch Logs.

There is a blog post using the Kinesis Agent for windows. It can be used for this purpose. https://aws.amazon.com/blogs/desktop-and-application-streaming/using-kinesis-agent-for-microsoft-windows-to-store-appstream-2-0-windows-event-logs/

As an aside, AppStream uses a custom profile 'appstream_machine_role' when working with credentials. https://docs.aws.amazon.com/appstream2/latest/developerguide/how-to-use-iam-role-with-streaming-instances.html

IAM roles will use the profile automatically but, anything like the CLI must explicitly state '--profile appstream_machine_role' in order to work.

However, that is not the issue here as we can't modify CloudWatch to start with.

profile pictureAWS
SUPPORT ENGINEER
Reyaad_P
answered 2 months ago
profile pictureAWS
EXPERT
Jordan Sandri
reviewed 2 months ago
  • JamesH
    2 months ago

    Thank you for the swift reply. I think my problem is that we are using Elastic Fleets - to install Kinesis that document says that I need to use Image Builder to create the image.

    Am I able to use this image in an Elastic Fleet ?

    EDIT: Ahh, I'm guessing I can use the App Block Builder with the AppBlock.

    Many thanks

  • JamesH
    2 months ago

    So in the end it turns out that exporting any app logs from an Elastic Fleet based app is tricky. As far as I can see, App Blocks and AppBlock builders are noit able to use CloudWatch for bespoke logging. Creating an image and using that isn't possible becuase bespoke images cannot be used for Elastic Fleets.

    In the end I'm writing logs to the Home folder. Not ideal but at least I can export them

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content