Greengrass LogManager not pushing logs to CloudWatch

0

I set up an IoT Greengrass core device with the aws.greengrass.LogManager plugin, but it's not pushing logs to CloudWatch. I created the GreengrassV2TokenExchangeRole and its policy with CloudFormation (since I want to manage the role and policy myself and deploy them to multiple accounts) and passed that role to the Greengrass installer as an argument. The policy is of the same type (customer managed) and has the same permission scope as when the installer creates it. I'm not sure if this is actually causing issues for the component, but I really don't know what else it could be.

Questions:

  • Is it possible to manage the IAM policy and role in CloudFormation and have the AWS Greengrass nucleus use them?
  • Should I even be doing it like this?
  • If not, is there a different/better approach to achieve this?

Side notes

  • There are no errors in the greengrass.log file about the LogManager not being able to push logs to CloudWatch.
  • In the access advisor for the policy I see that it has never been accessed throughout the tracking period.
  • Having Greengrass create the roles and policies itself works.
  • When you say "Having Greengrass create the roles and policies itself works.", does this mean that when Greengrass created the role for you it is then able to upload the logs to CloudWatch? If that is true, it sounds like you may have an issue with the IoT Role Alias. If that is the case, then you would see errors in greengrass.log when it tries to use the Role Alias. A common issue here is that the IAM Role does not have credentials.iot.amazonaws.com as the trusted service.

  • Does your LogManager deployment configuration specify some log files to upload? Either in systemLogsConfiguration or componentLogsConfigurationMap?

  • "Enable logging to CloudWatch Logs" section here covers what you need to upload log to Cloudwatch. Do you have both the needed IAM policy and "uploadToCloudWatch": true config?

  • @MichaelDombrowski-AWS Thanks for pointing that out. The strange thing is that there are other policies attached to the role (EventBridge and S3) and these were accessed just fine; only CloudWatch was not accessed. This is the trust policy that is attached to the role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "credentials.iot.amazonaws.com" },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  • @AWS-User-8932345 & @Ryan_B Yeah, my config looks like this:

    {
      "reset": [],
      "merge": {
        "logsUploaderConfiguration": {
          "systemLogsConfiguration": {
            "uploadToCloudWatch": "true",
            "minimumLogLevel": "INFO",
            "diskSpaceLimit": "10",
            "diskSpaceLimitUnit": "MB",
            "deleteLogFileAfterCloudUpload": "false"
          },
          "componentLogsConfigurationMap": {
            "com.<company>.<component>": {
              "minimumLogLevel": "INFO",
              "diskSpaceLimit": "20",
              "diskSpaceLimitUnit": "MB",
              "deleteLogFileAfterCloudUpload": "false"
            }
          }
        },
        "periodicUploadIntervalSec": "300"
      }
    }

2 Answers
0

Hi,

I have a slightly different issue with deploying the LogManager: it only forwards the system logs, not the custom component's logs. Here's the configuration:

{
  "reset": [],
  "merge": {
    "logsUploaderConfiguration": {
      "systemLogsConfiguration": {
        "uploadToCloudWatch": "true",
        "deleteLogFileAfterCloudUpload": "false"
      }
    },
    "componentLogsConfigurationMap": {
      "com.<company_name>.<custom_component>": {
        "minimumLogLevel": "INFO",
        "deleteLogFileAfterCloudUpload": "false"
      }
    },
    "periodicUploadIntervalSec": "300"
  }
} 

I'm wondering whether I need to include "uploadToCloudWatch": "true" for the component too?

Tuan
answered 7 months ago
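As an added example (not AWS code and not part of either post), here is a small Python checker for the shape of a LogManager deployment document. The key names follow the aws.greengrass.LogManager configuration reference; the sample documents, constant and function names are constructed for illustration. Run against a configuration shaped like the one in the answer above, it reports that componentLogsConfigurationMap sits beside logsUploaderConfiguration instead of inside it, so the uploader never sees the component entry and only system logs are forwarded. uploadToCloudWatch is defined only for systemLogsConfiguration; a component's logs are uploaded because the component is listed in componentLogsConfigurationMap, not because of a per-component flag.

```python
import json

# Keys that the aws.greengrass.LogManager docs place inside logsUploaderConfiguration.
UPLOADER_KEYS = {"systemLogsConfiguration", "componentLogsConfigurationMap",
                 "componentLogsConfiguration"}


def check_logmanager_config(deployment: dict) -> list[str]:
    """Return the problems found in a deployment document of the form {"reset": [...], "merge": {...}}."""
    merge = deployment.get("merge", {})
    uploader = merge.get("logsUploaderConfiguration", {})
    problems = []

    # Any of UPLOADER_KEYS placed beside logsUploaderConfiguration is merged into the
    # component's configuration tree but is not where the uploader reads it from.
    for key in sorted(UPLOADER_KEYS & set(merge)):
        problems.append(f"{key} is at the top level of merge; nest it under logsUploaderConfiguration")

    # Deployment documents usually carry values as strings ("true"); accept booleans as well.
    system = uploader.get("systemLogsConfiguration", {})
    if str(system.get("uploadToCloudWatch", "false")).lower() != "true":
        problems.append('systemLogsConfiguration.uploadToCloudWatch is not "true"; system logs stay on the device')

    components = uploader.get("componentLogsConfigurationMap", {})
    if not components and "componentLogsConfiguration" not in uploader:
        problems.append("no component logs are configured; only system logs (if enabled) are uploaded")
    for name, cfg in components.items():
        # A listed component is uploaded as such; uploadToCloudWatch is not a component-level key.
        if "uploadToCloudWatch" in cfg:
            problems.append(f"{name}: uploadToCloudWatch is not a component-level key and is ignored")
    return problems


# Constructed sample: componentLogsConfigurationMap placed beside logsUploaderConfiguration,
# the shape that uploads system logs but no component logs.
MISPLACED = json.loads("""
{
  "reset": [],
  "merge": {
    "logsUploaderConfiguration": {
      "systemLogsConfiguration": {"uploadToCloudWatch": "true", "deleteLogFileAfterCloudUpload": "false"}
    },
    "componentLogsConfigurationMap": {
      "com.example.custom_component": {"minimumLogLevel": "INFO", "deleteLogFileAfterCloudUpload": "false"}
    },
    "periodicUploadIntervalSec": "300"
  }
}""")

# Constructed sample: the same settings with the component map nested where the uploader reads it.
FIXED = json.loads("""
{
  "reset": [],
  "merge": {
    "logsUploaderConfiguration": {
      "systemLogsConfiguration": {"uploadToCloudWatch": "true", "deleteLogFileAfterCloudUpload": "false"},
      "componentLogsConfigurationMap": {
        "com.example.custom_component": {"minimumLogLevel": "INFO", "deleteLogFileAfterCloudUpload": "false"}
      }
    },
    "periodicUploadIntervalSec": "300"
  }
}""")

if __name__ == "__main__":
    for label, doc in (("misplaced", MISPLACED), ("fixed", FIXED)):
        print(label, check_logmanager_config(doc) or "OK")
```

Paste the deployment document into a file and call check_logmanager_config on json.load of it before creating the deployment; the nucleus accepts a misplaced key silently, so this is the cheapest place to catch it. By default LogManager looks for <componentName>.log in the Greengrass logs directory; a component that writes elsewhere also needs logFileDirectoryPath and logFileRegex in its entry.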
0

Hi, are you still facing this issue? What version of LogManager are you using, and could you share the part of the greengrass.log file that shows LogManager starting up and doing any work? If you can share debug logs, that will be more helpful. You said S3 and EventBridge access work fine; does that mean you are able to access those from the Greengrass core device using the TokenExchangeService component (to confirm that the IoT role alias is set up correctly)?

AWS
answered 2 years ago
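As an added example (not AWS code and not from either post), a Python check of the two documents a CloudFormation-managed token exchange role consists of: the trust policy, which must let credentials.iot.amazonaws.com assume the role (the point raised in the comments above), and the permissions policy, which must allow the logs actions that the example policy in the LogManager documentation's "Enable logging to CloudWatch Logs" section grants. The trust policy is the one posted in the question; the permissions policies, constants and function names are constructed for illustration. Running it over the PolicyDocument values of a template before deploying catches a missing action or a wrong principal offline.

```python
import fnmatch
import json

# Service principal the IoT credentials provider uses to assume the token exchange role.
IOT_CREDENTIALS_SERVICE = "credentials.iot.amazonaws.com"

# logs: actions granted by the example policy in the LogManager documentation.
REQUIRED_LOGS_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream",
                         "logs:PutLogEvents", "logs:DescribeLogStreams")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusts_iot_credentials(trust_policy: dict) -> bool:
    """True if some Allow statement lets credentials.iot.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and IOT_CREDENTIALS_SERVICE in _as_list(principal.get("Service", [])):
            return True
    return False


def missing_actions(permissions_policy: dict, required=REQUIRED_LOGS_ACTIONS) -> list[str]:
    """Required actions that no Allow statement covers, or that a Deny statement matches.
    Simplification: Resource and Condition are ignored and NotAction is not handled."""
    allowed, denied = [], []
    for stmt in _as_list(permissions_policy.get("Statement", [])):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action", [])))

    def covered(action, patterns):
        # IAM action matching is case-insensitive and supports * wildcards (e.g. "logs:*").
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

    return [a for a in required if not covered(a, allowed) or covered(a, denied)]


# Trust policy as posted in the question above.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "credentials.iot.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")

# Constructed permissions policies: one complete, one missing logs:PutLogEvents.
LOGS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
               "logs:DescribeLogStreams"], "Resource": "arn:aws:logs:*:*:*"}]}
NARROW_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams"],
    "Resource": "arn:aws:logs:*:*:*"}]}

if __name__ == "__main__":
    print("trust policy allows IoT credentials provider:", trusts_iot_credentials(TRUST_POLICY))
    print("missing from LOGS_POLICY:", missing_actions(LOGS_POLICY))
    print("missing from NARROW_POLICY:", missing_actions(NARROW_POLICY))
```

A permissions check only explains a failure that shows up as an AccessDenied in greengrass.log. If the role alias already works for S3 and EventBridge and the access advisor shows CloudWatch Logs was never touched, the more likely reading is that LogManager never attempted an upload, which points back at the deployment configuration rather than IAM.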
