xpk d06549c15c
doc: added s3 policy example to readme
2019-04-03 17:46:17 +08:00
README.md

awslog agent

This role installs the awslog agent, which ships syslog to CloudWatch Logs. The default configuration forwards /var/log/messages to the log group linux-syslog, with one log stream per host; it is shown below.

```ini
[/var/log/messages]
datetime_format = %Y-%m-%d %H:%M:%S
file = /var/log/messages
buffer_duration = 5000
log_stream_name = {hostname}
initial_position = start_of_file
log_group_name = linux-syslog
```

requirements

Instances need the following CloudWatch Logs permissions. Create an IAM policy granting them and attach it to the instance role (instance profile); keep the policy limited to these actions rather than granting logs:*.

  • logs:CreateLogStream
  • logs:DescribeLogStreams
  • logs:CreateLogGroup
  • logs:PutLogEvents

s3 bucket policy

If the CloudWatch logs need to be exported to S3, the bucket needs the following bucket policy. The third statement is unrelated to this role; it lets the ALB access-logging account write access logs under the lb/ prefix of the bucket. Both the logs.us-east-1.amazonaws.com service principal and the account ID in the third statement are specific to us-east-1; other regions use different values.

```json
{
    "Version": "2012-10-17",
    "Id": "CHG0194311",
    "Statement": [
        {
            "Sid": "Stmt1438571420001",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::MY-S3-BUCKET"
        },
        {
            "Sid": "Stmt1438571420002",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::MY-S3-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "Stmt1429136633762",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::127311923021:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::MY-S3-BUCKET/lb/*"
        }
    ]
}
```
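The two CloudWatch Logs statements above are easy to get subtly wrong: the service principal is region-specific, and without the `bucket-owner-full-control` ACL condition the exported objects are not owned by the bucket owner. The following checker is an added example, not part of this role; it rebuilds those two statements from the README as a constructed sample (the bucket name is the README's placeholder) and flags a missing ACL condition, a principal for the wrong region, a missing grant, or a wildcard principal.

```python
BUCKET = "arn:aws:s3:::MY-S3-BUCKET"  # placeholder name, as in the README
LOGS_PRINCIPAL = {"Service": "logs.us-east-1.amazonaws.com"}

def stmt(sid, principal, action, resource, condition=None):
    """Build one Allow statement; helper for the constructed sample policy."""
    s = {"Sid": sid, "Effect": "Allow", "Principal": principal,
         "Action": action, "Resource": resource}
    if condition:
        s["Condition"] = condition
    return s

# Constructed sample: the two CloudWatch Logs statements from the README policy.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    stmt("Stmt1438571420001", LOGS_PRINCIPAL, "s3:GetBucketAcl", BUCKET),
    stmt("Stmt1438571420002", LOGS_PRINCIPAL, "s3:PutObject", BUCKET + "/*",
         {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}),
]}

def check_export_policy(policy, region):
    """Return findings for the export grants; an empty list means they look right."""
    wanted = f"logs.{region}.amazonaws.com"
    findings, saw_acl, saw_put = [], False, False
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        sid, principal = s.get("Sid", "<no Sid>"), s.get("Principal", {})
        if principal == "*":  # bare "*" is shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        # A wildcard principal would let anyone write into the log bucket.
        if principal.get("AWS") == "*":
            findings.append(f"{sid}: wildcard principal")
            continue
        service = principal.get("Service")
        if service == wanted:
            saw_acl = saw_acl or "s3:GetBucketAcl" in actions
            if "s3:PutObject" in actions:
                saw_put = True
                acl = s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                if acl != "bucket-owner-full-control":
                    findings.append(f"{sid}: PutObject without bucket-owner-full-control condition")
        elif isinstance(service, str) and service.startswith("logs."):
            # The service principal is region-specific: exports from `region` would fail.
            findings.append(f"{sid}: CloudWatch Logs principal for another region ({service})")
    if not saw_acl:
        findings.append(f"no s3:GetBucketAcl grant for {wanted}")
    if not saw_put:
        findings.append(f"no s3:PutObject grant for {wanted}")
    return findings
```

Run it against the policy you actually attach (after `json.load`) with the region the instances log from; `check_export_policy(GOOD_POLICY, "us-east-1")` returns an empty list.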

references: