| Field | Value |
|---|---|
| category | aws |
| classification | public |
| date | 2021-01-11 06:50:45 -0800 |
| date_modified | 2021-01-11 06:50:45 -0800 |
| draft | false |
| id | 20210111145045 |
| image | false |
| pinned | false |
| title | Install AWS CloudWatch Agent on Linux |
| type | tech-note |
```bash
wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb --output-document=/tmp/amazon-cloudwatch-agent.deb
sudo dpkg --install --skip-same-version /tmp/amazon-cloudwatch-agent.deb
```
Create an EC2 IAM role with `CloudWatchAgentServerPolicy` permissions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "ec2:DescribeVolumes",
        "ec2:DescribeTags",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
    }
  ]
}
```
Then modify the IAM role associated with the instance you are installing the agent on, and select the role you have just created.
The EC2 instance should immediately pick up the role, but you can check by querying the metadata service. You should be able to retrieve credentials, as below.
```console
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
System1CloudWatchAgentRole
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/System1CloudWatchAgentRole
{
  "Code" : "Success",
  "LastUpdated" : "2021-01-13T09:29:39Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAYABNLTXMBAX4YQQV",
  "SecretAccessKey" : "VoP6rvW2W7/us/WYm9WhSA2pF/N9cg3u+a0U5xKT",
  "Token" : "<session token removed>",
  "Expiration" : "2021-01-13T16:05:01Z"
}
```
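An added example, not part of the original note: the same role check done over IMDSv2 (session-token requests), which is what works when the instance enforces IMDSv2 and the plain `curl` calls above are refused. It prints only the role name, status code and expiry, so the secret key and session token stay out of the terminal scrollback. The function names are this example's own.

```bash
# Added example: verify the attached instance role via IMDSv2.
IMDS="http://169.254.169.254/latest"

# IMDSv2 requires a session token, obtained with a PUT and a TTL header.
imds_token() {
  curl -sf -X PUT "$IMDS/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# GET a metadata path ($1), presenting the session token ($2).
imds_get() {
  curl -sf -H "X-aws-ec2-metadata-token: $2" "$IMDS/meta-data/$1"
}

# Extract one string field from the credentials JSON on stdin.
json_field() {
  sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Returns 0 when a role is attached and its credentials are being issued.
check_instance_role() {
  local token role creds code expiry
  token=$(imds_token) || {
    echo "IMDS unreachable or token request refused" >&2; return 2; }
  role=$(imds_get iam/security-credentials/ "$token") || {
    echo "no instance profile attached" >&2; return 1; }
  creds=$(imds_get "iam/security-credentials/$role" "$token") || return 1
  code=$(printf '%s\n' "$creds" | json_field Code)
  expiry=$(printf '%s\n' "$creds" | json_field Expiration)
  # Deliberately omit AccessKeyId, SecretAccessKey and Token from the output.
  echo "role=$role code=$code expires=$expiry"
  [ "$code" = "Success" ]
}

# Run the check only when invoked as: bash check-role.sh run
if [ "${1:-}" = "run" ]; then
  check_instance_role
fi
```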
```bash
# Load the configuration file and (re)start the agent with it
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
# Check the agent status
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a status -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
```
This will return a result in JSON.
```json
{
  "status": "running",
  "starttime": "2021-01-13T09:11:04+00:00",
  "version": "1.247346.1b249759"
}
```
The log is very helpful for checking that the agent is indeed working correctly.
```bash
tail -50f /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log
```
The logs you have specified in `config.json` should start appearing in the CloudWatch Console GUI.