diff --git a/docs/integrations/amazon-aws/api-gateway.md b/docs/integrations/amazon-aws/api-gateway.md index 44ec92c5fe..889a610350 100644 --- a/docs/integrations/amazon-aws/api-gateway.md +++ b/docs/integrations/amazon-aws/api-gateway.md 
@@ -13,23 +13,26 @@ AWS API Gateway service allows you to create RESTful APIs, HTTP APIs, and WebSoc The Sumo Logic AWS API Gateway app provides insights into API Gateway tasks while accepting and processing concurrent API calls throughout your infrastructure, including traffic management, CORS support, authorization and access control, throttling, monitoring, and API version management. -## Log and metrics types +## Log and metric types -The AWS API Gateway app uses the following logs and metrics: +The Sumo Logic app for AWS API Gateway uses the following logs and metrics: -* Amazon API Gateway metrics: - * [REST APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-metrics-and-dimensions.html) External link icon - * [HTTP APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html) External link icon - * [WebSocket APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-logging.html) External link icon -* [CloudTrail API Gateway Data Event](https://docs.aws.amazon.com/apigateway/latest/developerguide/cloudtrail.html) External link icon +* [Amazon API Gateway CloudTrail Logs](https://docs.aws.amazon.com/apigateway/latest/developerguide/cloudtrail.html) External link icon * Amazon API Gateway access logs: * [REST APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference) External link icon * [HTTP APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging-variables.html) External link icon * [WebSocket APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/websocket-api-logging.html) External link icon +* Amazon API Gateway Metrics: + * [REST APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-metrics-and-dimensions.html) External link icon + * [HTTP 
APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html) External link icon + * [WebSocket APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-logging.html) External link icon ### Sample log messages -```json title="Sample CloudTrail Log Message" +
+Sample CloudTrail Log Message + +```json { "eventVersion":"1.05", "userIdentity":{ @@ -71,8 +74,12 @@ The AWS API Gateway app uses the following logs and metrics: "recipientAccountId":"123408221234" } ``` +
+ +
+Sample Access Log Message -```json title="Sample Access Log Message" +```json { "requestId": "bf04adbf-eacc-4601-8c14-94605f242e1a", "extendedRequestId": "Sca3bFUQgi0EYeA=", @@ -128,6 +135,7 @@ The AWS API Gateway app uses the following logs and metrics: "wafStatus": "200" } ``` +
### Sample queries 
@@ -164,20 +172,27 @@ account=dev region=us-east-1 namespace=aws/apigateway apiname=* apiid stage doma ### Configure Hosted Collector -In Sumo Logic, configure a [Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector/). +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). -### Collect metrics for AWS API Gateway +### Collect AWS API Gateway CloudWatch metrics -Sumo Logic supports collecting metrics using two source types: +Sumo Logic supports collecting metrics using one of the following source types: -* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**); or +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) * Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -:::note -Namespace for **AWS API Gateway** Service is **AWS/ApiGateway**. -::: + :::note + Namespace for **AWS API Gateway** service is **AWS/ApiGateway**. + ::: -For **Metadata**, add an **account** field to the source and assign it a value that is a friendly name/alias to your AWS account from which you are collecting metrics. This name will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability). Metrics can be queried via the “account” field. +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. 
Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.
Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. #### Enable cache metrics @@ -226,9 +241,9 @@ Call the [UpdateStage](https://docs.aws.amazon.com/apigatewayv2/latest/api-refer aws apigatewayv2 update-stage --api-id 9pk1qlmpci --stage-name $default --default-route-settings "{\"DetailedMetricsEnabled\":true}" --output json --region eu-north-1 ``` -### Collect access logs for AWS API Gateway +### Collect AWS API Gateway Access logs -1. To your Hosted Collector, add an [AWS Kinesis Firehose for Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source/). +1. Configure the [AWS Kinesis Firehose for Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source/#create-an-aws-kinesis-firehose-for-logssource). 1. **Name**. Enter a name to display the new Source. 2. **Description**. Enter an optional description. 3. **Enable S3 Replay**. Do not check this option. 
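Review bot: the new deep link in step 1 of "Collect AWS API Gateway Access logs" uses the fragment `#create-an-aws-kinesis-firehose-for-logssource`, which runs "Logs" and "Source" together; confirm it matches the generated heading id on the Kinesis Firehose for Logs Source page (the other anchor into that page in this diff, `#cloudformation-template`, is hyphenated normally), because a fragment that does not match silently drops the reader at the top of the page. Also, "Access logs" in the new heading is capitalised differently from the sibling headings "Collect AWS API Gateway CloudTrail logs" and "Collect AWS API Gateway CloudWatch metrics"; use "access logs" for consistency.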
@@ -244,218 +259,241 @@ Call the [UpdateStage](https://docs.aws.amazon.com/apigatewayv2/latest/api-refer 11. Save the given URL of the source for next step. 2. [Create Stack](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source/#cloudformation-template) in AWS console with given CloudFormation Template. 3. Create a log group in CloudWatch Logs by referring to the [AWS documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html). Make sure to set your log group name convention as `/aws/apigateway//`. -4. Follow the below steps to enable access logs for each respective API type: +4. Follow the steps below to enable access logs for each respective API type: :::note - Make sure to remove `:*` from the end while adding Access log destination ARN. + Ensure to remove `:*` from the end while adding Access log destination ARN. ::: * Enable Access logs for REST APIs by referring to the [AWS documentation](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-using-console). When you specify the `Log format` field, use the below JSON. 
AWS API Gateway - ```json title="JSON Log Format for REST API" - { - "accountId": "$context.accountId", - "requestId": "$context.requestId", - "authorizerClaimsProperty": "$context.authorizer.claims.property", - "extendedRequestId": "$context.extendedRequestId", - "identitySourceIp": "$context.identity.sourceIp", - "identityCaller": "$context.identity.caller", - "identityUser": "$context.identity.user", - "requestTime": "$context.requestTime", - "status": "$context.status", - "routeKey": "$context.routeKey", - "apiId": "$context.apiId", - "domainPrefix": "$context.domainPrefix", - "httpMethod": "$context.httpMethod", - "identityClientCertSerialNumber": "$context.identity.clientCert.serialNumber", - "identityUserAgent": "$context.identity.userAgent", - "path": "$context.path", - "protocol": "$context.protocol", - "resourceId": "$context.resourceId", - "responseOverrideStatus": "$context.responseOverride.status", - "authorizeError": "$context.authorize.error", - "resourcePath": "$context.resourcePath", - "authorizeLatency": "$context.authorize.latency", - "authorizeStatus": "$context.authorize.status", - "authorizerError": "$context.authorizer.error", - "authorizerIntegrationStatus": "$context.authorizer.integrationStatus", - "authorizerIntegrationLatency": "$context.authorizer.integrationLatency", - "authorizerLatency": "$context.authorizer.latency", - "authorizerPrincipalId": "$context.authorizer.principalId", - "authorizerRequestId": "$context.authorizer.requestId", - "authorizerStatus": "$context.authorizer.status", - "authenticateError": "$context.authenticate.error", - "authenticateLatency": "$context.authenticate.latency", - "authenticateStatus": "$context.authenticate.status", - "connectedAt": "$context.connectedAt", - "connectionId": "$context.connectionId", - "domainName": "$context.domainName", - "errorMessage": "$context.error.message", - "errorResponseType": "$context.error.responseType", - "errorValidationErrorString": 
"$context.error.validationErrorString", - "eventType": "$context.eventType", - "identityAccountId": "$context.identity.accountId", - "identityPrincipalOrgId": "$context.identity.principalOrgId", - "identityUserArn": "$context.identity.userArn", - "identityApiKey": "$context.identity.apiKey", - "identityApiKeyId": "$context.identity.apiKeyId", - "integrationError": "$context.integration.error", - "integrationIntegrationStatus": "$context.integration.integrationStatus", - "integrationLatency": "$context.integration.latency", - "integrationRequestId": "$context.integration.requestId", - "integrationStatus": "$context.integration.status", - "contextIntegrationLatency": "$context.integrationLatency", - "responseLatency": "$context.responseLatency", - "responseLength": "$context.responseLength", - "xrayTraceId": "$context.xrayTraceId", - "requestTimeEpoch": "$context.requestTimeEpoch", - "stage": "$context.stage", - "messageId": "$context.messageId", - "wafResponseCode": "$context.wafResponseCode", - "wafError": "$context.waf.error", - "wafLatency": "$context.waf.latency", - "wafStatus": "$context.waf.status", - "webaclArn": "$context.webaclArn" - } - ``` - +
+ JSON Log Format for REST API + + ```json + { + "accountId": "$context.accountId", + "requestId": "$context.requestId", + "authorizerClaimsProperty": "$context.authorizer.claims.property", + "extendedRequestId": "$context.extendedRequestId", + "identitySourceIp": "$context.identity.sourceIp", + "identityCaller": "$context.identity.caller", + "identityUser": "$context.identity.user", + "requestTime": "$context.requestTime", + "status": "$context.status", + "routeKey": "$context.routeKey", + "apiId": "$context.apiId", + "domainPrefix": "$context.domainPrefix", + "httpMethod": "$context.httpMethod", + "identityClientCertSerialNumber": "$context.identity.clientCert.serialNumber", + "identityUserAgent": "$context.identity.userAgent", + "path": "$context.path", + "protocol": "$context.protocol", + "resourceId": "$context.resourceId", + "responseOverrideStatus": "$context.responseOverride.status", + "authorizeError": "$context.authorize.error", + "resourcePath": "$context.resourcePath", + "authorizeLatency": "$context.authorize.latency", + "authorizeStatus": "$context.authorize.status", + "authorizerError": "$context.authorizer.error", + "authorizerIntegrationStatus": "$context.authorizer.integrationStatus", + "authorizerIntegrationLatency": "$context.authorizer.integrationLatency", + "authorizerLatency": "$context.authorizer.latency", + "authorizerPrincipalId": "$context.authorizer.principalId", + "authorizerRequestId": "$context.authorizer.requestId", + "authorizerStatus": "$context.authorizer.status", + "authenticateError": "$context.authenticate.error", + "authenticateLatency": "$context.authenticate.latency", + "authenticateStatus": "$context.authenticate.status", + "connectedAt": "$context.connectedAt", + "connectionId": "$context.connectionId", + "domainName": "$context.domainName", + "errorMessage": "$context.error.message", + "errorResponseType": "$context.error.responseType", + "errorValidationErrorString": "$context.error.validationErrorString", + "eventType": 
"$context.eventType", + "identityAccountId": "$context.identity.accountId", + "identityPrincipalOrgId": "$context.identity.principalOrgId", + "identityUserArn": "$context.identity.userArn", + "identityApiKey": "$context.identity.apiKey", + "identityApiKeyId": "$context.identity.apiKeyId", + "integrationError": "$context.integration.error", + "integrationIntegrationStatus": "$context.integration.integrationStatus", + "integrationLatency": "$context.integration.latency", + "integrationRequestId": "$context.integration.requestId", + "integrationStatus": "$context.integration.status", + "contextIntegrationLatency": "$context.integrationLatency", + "responseLatency": "$context.responseLatency", + "responseLength": "$context.responseLength", + "xrayTraceId": "$context.xrayTraceId", + "requestTimeEpoch": "$context.requestTimeEpoch", + "stage": "$context.stage", + "messageId": "$context.messageId", + "wafResponseCode": "$context.wafResponseCode", + "wafError": "$context.waf.error", + "wafLatency": "$context.waf.latency", + "wafStatus": "$context.waf.status", + "webaclArn": "$context.webaclArn" + } + ``` +
* Enable Access logs for HTTP APIs by referring to [AWS documentation](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging.html#http-api-enable-logging) and when you specify the `Log format` field use the below JSON. AWS API Gateway - ```json title="JSON Log Format for HTTP API" - { - "requestId": "$context.requestId", - "extendedRequestId": "$context.extendedRequestId", - "identitySourceIp": "$context.identity.sourceIp", - "identityCaller": "$context.identity.caller", - "identityUser": "$context.identity.user", - "requestTime": "$context.requestTime", - "httpMethod": "$context.httpMethod", - "resourcePath": "$context.resourcePath", - "status": "$context.status", - "protocol": "$context.protocol", - "responseLength": "$context.responseLength", - "accountId": "$context.accountId", - "authorizerProperty": "$context.authorizer.property", - "routeKey": "$context.routeKey", - "responseLatency": "$context.responseLatency", - "integrationErrorMessage": "$context.integrationErrorMessage", - "apiId": "$context.apiId", - "authorizerClaimsProperty": "$context.authorizer.claims.property", - "authorizerError": "$context.authorizer.error", - "authorizerPrincipalId": "$context.authorizer.principalId", - "awsEndpointRequestId": "$context.awsEndpointRequestId", - "awsEndpointRequestId2": "$context.awsEndpointRequestId2", - "customDomainBasePathMatched": "$context.customDomain.basePathMatched", - "dataProcessed": "$context.dataProcessed", - "domainName": "$context.domainName", - "domainPrefix": "$context.domainPrefix", - "errorMessage": "$context.error.message", - "errorResponseType": "$context.error.responseType", - "identityAccountId": "$context.identity.accountId", - "identityCognitoAuthenticationProvider": "$context.identity.cognitoAuthenticationProvider", - "identityCognitoAuthenticationType": "$context.identity.cognitoAuthenticationType", - "identityCognitoIdentityId": "$context.identity.cognitoIdentityId", - "identityCognitoIdentityPoolId": 
"$context.identity.cognitoIdentityPoolId", - "identityPrincipalOrgId": "$context.identity.principalOrgId", - "identityClientCertClientCertPem": "$context.identity.clientCert.clientCertPem", - "identityClientCertSubjectDN": "$context.identity.clientCert.subjectDN", - "identityClientCertIssuerDN": "$context.identity.clientCert.issuerDN", - "identityClientCertSerialNumber": "$context.identity.clientCert.serialNumber", - "identityClientCertValidityNotBefore": "$context.identity.clientCert.validity.notBefore", - "identityClientCertValidityNotAfter": "$context.identity.clientCert.validity.notAfter", - "identityUserAgent": "$context.identity.userAgent", - "identityUserArn": "$context.identity.userArn", - "integrationError": "$context.integration.error", - "integrationIntegrationStatus": "$context.integration.integrationStatus", - "integrationLatency": "$context.integration.latency", - "integrationRequestId": "$context.integration.requestId", - "integrationStatus": "$context.integration.status", - "contextIntegrationLatency": "$context.integrationLatency", - "contextIntegrationStatus": "$context.integrationStatus", - "path": "$context.path", - "requestTimeEpoch": "$context.requestTimeEpoch", - "stage": "$context.stage" - } - ``` +
+ JSON Log Format for HTTP API + + ```json + { + "requestId": "$context.requestId", + "extendedRequestId": "$context.extendedRequestId", + "identitySourceIp": "$context.identity.sourceIp", + "identityCaller": "$context.identity.caller", + "identityUser": "$context.identity.user", + "requestTime": "$context.requestTime", + "httpMethod": "$context.httpMethod", + "resourcePath": "$context.resourcePath", + "status": "$context.status", + "protocol": "$context.protocol", + "responseLength": "$context.responseLength", + "accountId": "$context.accountId", + "authorizerProperty": "$context.authorizer.property", + "routeKey": "$context.routeKey", + "responseLatency": "$context.responseLatency", + "integrationErrorMessage": "$context.integrationErrorMessage", + "apiId": "$context.apiId", + "authorizerClaimsProperty": "$context.authorizer.claims.property", + "authorizerError": "$context.authorizer.error", + "authorizerPrincipalId": "$context.authorizer.principalId", + "awsEndpointRequestId": "$context.awsEndpointRequestId", + "awsEndpointRequestId2": "$context.awsEndpointRequestId2", + "customDomainBasePathMatched": "$context.customDomain.basePathMatched", + "dataProcessed": "$context.dataProcessed", + "domainName": "$context.domainName", + "domainPrefix": "$context.domainPrefix", + "errorMessage": "$context.error.message", + "errorResponseType": "$context.error.responseType", + "identityAccountId": "$context.identity.accountId", + "identityCognitoAuthenticationProvider": "$context.identity.cognitoAuthenticationProvider", + "identityCognitoAuthenticationType": "$context.identity.cognitoAuthenticationType", + "identityCognitoIdentityId": "$context.identity.cognitoIdentityId", + "identityCognitoIdentityPoolId": "$context.identity.cognitoIdentityPoolId", + "identityPrincipalOrgId": "$context.identity.principalOrgId", + "identityClientCertClientCertPem": "$context.identity.clientCert.clientCertPem", + "identityClientCertSubjectDN": "$context.identity.clientCert.subjectDN", + 
"identityClientCertIssuerDN": "$context.identity.clientCert.issuerDN", + "identityClientCertSerialNumber": "$context.identity.clientCert.serialNumber", + "identityClientCertValidityNotBefore": "$context.identity.clientCert.validity.notBefore", + "identityClientCertValidityNotAfter": "$context.identity.clientCert.validity.notAfter", + "identityUserAgent": "$context.identity.userAgent", + "identityUserArn": "$context.identity.userArn", + "integrationError": "$context.integration.error", + "integrationIntegrationStatus": "$context.integration.integrationStatus", + "integrationLatency": "$context.integration.latency", + "integrationRequestId": "$context.integration.requestId", + "integrationStatus": "$context.integration.status", + "contextIntegrationLatency": "$context.integrationLatency", + "contextIntegrationStatus": "$context.integrationStatus", + "path": "$context.path", + "requestTimeEpoch": "$context.requestTimeEpoch", + "stage": "$context.stage" + } + ``` +
* Enable Access logs for WebSocket APIs by referring to [AWS documentation](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-using-console) and when you specify the `Log format` field use the below JSON. AWS API Gateway - ```json title="JSON Log Format for WebSocket API" - { - "apiId": "$context.apiId", - "authorizeError": "$context.authorize.error", - "authorizeLatency": "$context.authorize.latency", - "authorizeStatus": "$context.authorize.status", - "authorizerError": "$context.authorizer.error", - "authorizerIntegrationLatency": "$context.authorizer.integrationLatency", - "authorizerIntegrationStatus": "$context.authorizer.integrationStatus", - "authorizerLatency": "$context.authorizer.latency", - "authorizerRequestId": "$context.authorizer.requestId", - "authorizerStatus": "$context.authorizer.status", - "authorizerPrincipalId": "$context.authorizer.principalId", - "authorizerProperty": "$context.authorizer.property", - "authenticateError": "$context.authenticate.error", - "authenticateLatency": "$context.authenticate.latency", - "authenticateStatus": "$context.authenticate.status", - "connectedAt": "$context.connectedAt", - "connectionId": "$context.connectionId", - "domainName": "$context.domainName", - "errorMessage": "$context.error.message", - "errorResponseType": "$context.error.responseType", - "errorValidationErrorString": "$context.error.validationErrorString", - "eventType": "$context.eventType", - "extendedRequestId": "$context.extendedRequestId", - "identityAccountId": "$context.identity.accountId", - "identityApiKey": "$context.identity.apiKey", - "identityApiKeyId": "$context.identity.apiKeyId", - "identityCaller": "$context.identity.caller", - "identityCognitoAuthenticationProvider": "$context.identity.cognitoAuthenticationProvider", - "identityCognitoAuthenticationType": "$context.identity.cognitoAuthenticationType", - "identityCognitoIdentityId": "$context.identity.cognitoIdentityId", - 
"identityCognitoIdentityPoolId": "$context.identity.cognitoIdentityPoolId", - "identityPrincipalOrgId": "$context.identity.principalOrgId", - "identitySourceIp": "$context.identity.sourceIp", - "identityUser": "$context.identity.user", - "identityUserAgent": "$context.identity.userAgent", - "identityUserArn": "$context.identity.userArn", - "integrationError": "$context.integration.error", - "integrationIntegrationStatus": "$context.integration.integrationStatus", - "integrationLatency": "$context.integrationLatency", - "integrationRequestId": "$context.integration.requestId", - "integrationStatus": "$context.integration.status", - "messageId": "$context.messageId", - "requestId": "$context.requestId", - "requestTime": "$context.requestTime", - "requestTimeEpoch": "$context.requestTimeEpoch", - "routeKey": "$context.routeKey", - "stage": "$context.stage", - "status": "$context.status", - "wafError": "$context.waf.error", - "wafLatency": "$context.waf.latency", - "wafStatus": "$context.waf.status" - } - ``` +
+ JSON Log Format for WebSocket API + + ```json + { + "apiId": "$context.apiId", + "authorizeError": "$context.authorize.error", + "authorizeLatency": "$context.authorize.latency", + "authorizeStatus": "$context.authorize.status", + "authorizerError": "$context.authorizer.error", + "authorizerIntegrationLatency": "$context.authorizer.integrationLatency", + "authorizerIntegrationStatus": "$context.authorizer.integrationStatus", + "authorizerLatency": "$context.authorizer.latency", + "authorizerRequestId": "$context.authorizer.requestId", + "authorizerStatus": "$context.authorizer.status", + "authorizerPrincipalId": "$context.authorizer.principalId", + "authorizerProperty": "$context.authorizer.property", + "authenticateError": "$context.authenticate.error", + "authenticateLatency": "$context.authenticate.latency", + "authenticateStatus": "$context.authenticate.status", + "connectedAt": "$context.connectedAt", + "connectionId": "$context.connectionId", + "domainName": "$context.domainName", + "errorMessage": "$context.error.message", + "errorResponseType": "$context.error.responseType", + "errorValidationErrorString": "$context.error.validationErrorString", + "eventType": "$context.eventType", + "extendedRequestId": "$context.extendedRequestId", + "identityAccountId": "$context.identity.accountId", + "identityApiKey": "$context.identity.apiKey", + "identityApiKeyId": "$context.identity.apiKeyId", + "identityCaller": "$context.identity.caller", + "identityCognitoAuthenticationProvider": "$context.identity.cognitoAuthenticationProvider", + "identityCognitoAuthenticationType": "$context.identity.cognitoAuthenticationType", + "identityCognitoIdentityId": "$context.identity.cognitoIdentityId", + "identityCognitoIdentityPoolId": "$context.identity.cognitoIdentityPoolId", + "identityPrincipalOrgId": "$context.identity.principalOrgId", + "identitySourceIp": "$context.identity.sourceIp", + "identityUser": "$context.identity.user", + "identityUserAgent": 
"$context.identity.userAgent", + "identityUserArn": "$context.identity.userArn", + "integrationError": "$context.integration.error", + "integrationIntegrationStatus": "$context.integration.integrationStatus", + "integrationLatency": "$context.integrationLatency", + "integrationRequestId": "$context.integration.requestId", + "integrationStatus": "$context.integration.status", + "messageId": "$context.messageId", + "requestId": "$context.requestId", + "requestTime": "$context.requestTime", + "requestTimeEpoch": "$context.requestTimeEpoch", + "routeKey": "$context.routeKey", + "stage": "$context.stage", + "status": "$context.status", + "wafError": "$context.waf.error", + "wafLatency": "$context.waf.latency", + "wafStatus": "$context.waf.status" + } + ``` +
5. To Export logs, refer to [Manually subscribe AWS Kinesis Firehose stream to an existing CloudWatch Log Group](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source/#manually-subscribeaws-kinesis-firehose-stream-to-an-existing-cloudwatch-log-group). ### Collect AWS API Gateway CloudTrail logs -To your Hosted Collector, add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source.md) using the instructions below. - -#### Collect CloudTrail Lambda data events +:::note +CloudTrail data events will be collected under this source. +::: -To configure a CloudTrail Source, perform these steps: +#### Prerequisites 1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. 2. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). For more information on what events are logged, refer to the [API Gateway API calls documentation](https://docs.aws.amazon.com/apigateway/latest/developerguide/cloudtrail.html). 3. Confirm that logs are being delivered to the Amazon S3 bucket. -4. Add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source.md) to Sumo Logic. While configuring the source, add an **account** field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. This name will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability). Logs can be queried via the `account` field. - Fields +:::note +Namespace for **AWS API Gateway** service is **AWS/ApiGateway**. +::: + +Follow the steps below to collect logs for AWS API Gateway: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. 
Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. ### Centralized AWS CloudTrail log collection @@ -470,7 +508,7 @@ _sourceCategory=aws/observability/cloudtrail/logs #### Parse Expression -Enter a parse expression to create an `account` field that maps to the alias you set for each sub account. For example, if you used the `“dev”` alias for an AWS account with ID `"528560886094"` and the `“prod”` alias for an AWS account with ID `"567680881046"`, your parse expression would look like this: +Enter a parse expression to create an `account` field that maps to the alias you set for each sub account. For example, if you used the `dev` alias for an AWS account with ID `528560886094` and the `prod` alias for an AWS account with ID `567680881046`, your parse expression would look like this: ```sumo | json "recipientAccountId" @@ -489,7 +527,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. 
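Review bot: "along with dashboards and monitor template" in the rewritten installation sentence needs a plural or an article ("dashboards and monitor templates"); with that fixed, promoting Fields, Field Extraction Rule(s) and Metric Rule(s) to `####` under one `###` reads well.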
@@ -498,7 +538,7 @@ As part of the app installation process, the following fields will be created by - `apiname` API Gateway API name. - `apiid` API Gateway API id. -### Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityAPIGatewayCloudTrailLogsFER** to extract fields `accountid`, `namespace`, `region`, and `apiname` from CloudTrail logs will be created as a part of app installation. @@ -506,7 +546,7 @@ The FER **AwsObservabilityAPIGatewayAccessLogsFER** to extract fields `namespace The FER **AwsObservabilityAPIGatewayCloudWatchLogsFER** to extract fields `namespace`, `apiid`, and `apiname` from CloudWatch logs will be created as a part of app installation. -### Metric Rule(s) +#### Metric Rule(s) The Metric Rule **AwsObservabilityAPIGatewayMetricsRule** for the AWS/ApiGateway namespace will be created as a part of app installation. @@ -546,7 +586,7 @@ Use these dashboards to: ### Access Logs Access logs contains information about who has accessed your API and how the caller accessed the API. -To populate the dashboards, you must explicitly [enable access logs](#collect-access-logs-for-aws-api-gateway). +To populate the dashboards, you must explicitly [enable access logs](#collect-aws-api-gateway-access-logs). #### AWS API Gateway - Access Logs - Overview diff --git a/docs/integrations/amazon-aws/application-load-balancer.md b/docs/integrations/amazon-aws/application-load-balancer.md index b69b77c74b..0aebc2561f 100644 --- a/docs/integrations/amazon-aws/application-load-balancer.md +++ b/docs/integrations/amazon-aws/application-load-balancer.md 
@@ -13,30 +13,27 @@ The AWS Application Load Balancer functions at the application layer, receives r The Sumo Logic app for AWS Application Load Balancing uses logs and metrics to give you visibility into the health of your Application Load Balancer and target groups. Use the pre-configured dashboards to understand the latency, request and host status, threat intel, and HTTP backend codes by availability zone and target group. -## Log types - -This app uses: -* The metrics are included in the AWS/Application ELB namespace. For more details, see [here](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/elb-metricscollected.html#load-balancer-metrics-alb). -* The [Application Load Balancer Access](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging) Log introduces two new fields in addition to the fields contained in the Classic ELB Access log: - * `Type`. This is the type of request or connection (HTTP, HTTPS, H2, ws, wss). - * `target_group_arn`. This is the Amazon Resource Name (ARN) of the target group. -* The logs are stored in a .gzip format in the specified S3 bucket and contain these fields in this order: -```bash -timestamp, elb, client:port, target:port, \ -request_processing_time, target_processing_time, \ -response_processing_time, elb_status_code, \ -target_status_code, received_bytes, sent_bytes, \ -request, user_agent, ssl_cipher, ssl_protocol, \ -target_group_arn, trace_id -``` - -The log format is described in [AWS Application Load Balancer Access Log Collection](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html). For details on AWS Application Load Balancing metrics, see [here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html). 
- -## Metrics Type - -For details on the metrics of AWS Application Load Balancing, see [here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html). - -### Sample log message +## Log and metric types + +The Sumo Logic app for AWS Application Load Balancer uses the following logs and metrics: +* [AWS Application Load Balancer CloudTrail Logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/cloudtrail-logs.html) +* The [Application Load Balancer Access Logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging) introduces two new fields in addition to the fields contained in the Classic ELB Access log: + * `Type`. This is the type of request or connection (HTTP, HTTPS, H2, ws, wss). + * `target_group_arn`. This is the Amazon Resource Name (ARN) of the target group. +The logs are stored in a .gzip format in the specified S3 bucket and contain these fields in this order: + ```bash + timestamp, elb, client:port, target:port, \ + request_processing_time, target_processing_time, \ + response_processing_time, elb_status_code, \ + target_status_code, received_bytes, sent_bytes, \ + request, user_agent, ssl_cipher, ssl_protocol, \ + target_group_arn, trace_id + ``` + The log format is described in [AWS Application Load Balancer Access Log Collection](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html). +* [AWS Application Load Balancer CloudWatch Metrics](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html). +The metrics are included in the AWS/Application ELB namespace. For more details, see [here](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/elb-metricscollected.html#load-balancer-metrics-alb). 
+ +### Sample log messages ```json https 2017-11-20T22:05:36 long-bill-lb 77.222.19.149:41148 10.168.203.134:23662 0.000201 0.401924 0.772005 500 200 262 455 "GET https://elmagek.no-ip.org:443/json/v1/collector/histogram/100105037?startTimestamp=1405571270000&endTimestamp=1405574870000&bucketCount=60&_=1405574870206 HTTP/1.1" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4" DH-RSA-AES256-GCM-SHA384 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:104030218370:targetgroup/Prod-frontend/92e3199b1rc814fe9 "Root=1-58337364-23a8c76965a2ef7629b185e134" 
@@ -63,21 +60,33 @@ account="account" region="region" namespace="AWS/ApplicationELB" account="account" region="region" Namespace="AWS/ApplicationELB" loadbalancer="loadbalancer" AvailabilityZone=* TargetGroup=* metric=HTTPCode_Target_5XX_Count Statistic=Sum | parse field= TargetGroup */* as Unused, TargetGroup | sum by account, region, namespace, loadbalancer, TargetGroup, AvailabilityZone ``` -## Collecting logs and metrics for the AWS Application Load Balancer -When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector). +## Collecting logs and metrics for AWS Application Load Balancer + +### Configure Hosted Collector + +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). + +### Collect AWS Application Load Balancer CloudWatch metrics + +Sumo Logic supports collecting metrics using one of the following source types: + +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -### Collect metrics + :::note + Namespace for **AWS Application Load Balancer** service is **AWS/ApplicationELB**. + ::: -1. 
Sumo Logic supports collecting metrics using two source types: - * Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (recommended); or - * Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”.
Metadata - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.
Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. -### Collect access logs +### Collect AWS Application Load Balancer Access logs #### Prerequisites @@ -86,30 +95,64 @@ Before you begin to use the AWS Elastic Load Balancing (ELB) Application app, co 2. [Enable Application Load Balancer logging](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging) in AWS. 3. Confirm that logs are being delivered to the Amazon S3 bucket. -#### Collecting access Logs for AWS Application Load Balancer +Follow the steps below to collect access logs for AWS Application Load Balancer: +1. Configure the [Access Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-sources/#create-an-aws-source). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. -1. Configure a Application Load Balancing (ALB) [Access Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-sources/#create-an-aws-source). -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. The following **Fields** are to be added in the source: - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - 1. Add a **region** field and assign it the value of respective AWS region where the Load Balancer exists. - 1. Add an **accountId** field and assign it the value of the respective AWS account id which is being used. - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. +### Collect AWS Application Load Balancer CloudTrail logs -### Collect Cloudtrail logs +#### Prerequisites -1. 
Configure a Application Load Balancing (ALB) [Cloudtrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [Fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +2. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). +3. Confirm that logs are being delivered to the Amazon S3 bucket. :::note -Namespace for AWS Application Load Balancer Service is AWS/ApplicationELB. +Namespace for **AWS Application Load Balancer** service is **AWS/ApplicationELB**. ::: +Follow the steps below to collect logs for AWS Application Load Balancer: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. 
Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +### Centralized AWS CloudTrail log collection + +In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following field extraction rule to map proper AWS account(s) friendly name/alias. You'll need to create it if not already present or update it as required. + +```sumo +Rule Name: AWS Accounts +Applied at: Ingest Time +Scope (Specific Data): +_sourceCategory=aws/observability/cloudtrail/logs +``` + +#### Parse Expression + +Enter a parse expression to create an `account` field that maps to the alias you set for each sub account. For example, if you used the `dev` alias for an AWS account with ID `528560886094` and the `prod` alias for an AWS account with ID `567680881046`, your parse expression would look like this: + +```sumo +| json "recipientAccountId" +// Manually map your aws account id with the AWS account alias you setup earlier for individual child account +| "" as account +| if (recipientAccountId = "528560886094", "dev", account) as account +| if (recipientAccountId = "567680881046", "prod", account) as account +| fields account +``` + ## Installing the AWS Application Load Balancer app Now that you have set up collection for AWS Application Load Balancer, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. 
@@ -118,7 +161,9 @@ import AppInstall from '../../reuse/apps/app-install-index-apps-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. @@ -126,7 +171,7 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for AWS Application Load Balancer Service is AWS/ApplicationELB. - `loadbalancer` Application Load Balancer name. -## Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityALBAccessLogsFER** to extract fields `loadbalancer` and `namespace` from access logs will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/classic-load-balancer.md b/docs/integrations/amazon-aws/classic-load-balancer.md index 5f1d269a9a..a0668225f8 100644 --- a/docs/integrations/amazon-aws/classic-load-balancer.md +++ b/docs/integrations/amazon-aws/classic-load-balancer.md 
@@ -15,28 +15,28 @@ The Sumo Logic app for AWS Elastic Load Balancer Classic is a unified logs and m ## Log and metric types -ELB logs are stored as *.log files in the buckets you specify when you enable logging. The process to enable collection for these logs is described in [AWS ELB Enable Access Logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html). +The Sumo Logic app for AWS Classic Load Balancer uses the following logs and metrics: +* [AWS Classic Load Balancer CloudTrail Logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/cloudtrail-logs.html) +* [Classic Load Balancer Access Logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html). ELB logs are stored as *.log files in the buckets you specify when you enable logging. The process to enable collection for these logs is described in [AWS ELB Enable Access Logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html). -The logs themselves contain these fields in this order: -```bash -datetime, ELB_Server, clientIP, port, backend, backend_port, requestProc, ba_Response, cli_Response, ELB_StatusCode, be_StatusCode, rcvd, send, method, protocol, domain, server_port, path -``` - -The log format is described in [AWS ELB Access Log Collection](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html). + The logs themselves contain these fields in this order: + ```bash + datetime, ELB_Server, clientIP, port, backend, backend_port, requestProc, ba_Response, cli_Response, ELB_StatusCode, be_StatusCode, rcvd, send, method, protocol, domain, server_port, path + ``` -For details on AWS Classic Load Balancer metrics, see [here](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-cloudwatch-metrics.html). 
+ The log format is described in [AWS ELB Access Log Collection](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html). +* [AWS Classic Load Balancer CloudWatch Metrics](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-cloudwatch-metrics.html) -### Sample access log message +### Sample log messages -```json +```json title="Sample CloudTrail Log Message" 2017-11-06T23:20:38 stag-www-lb 250.38.201.246:56658 10.168.203.134:23662 0.007731 0.214433 0.000261 404 200 3194 123279 \ "GET https://stag-www.sumologic.net:443/json/v2/searchquery/3E7959EC4BA8AAC5/messages/raw?offset=29&length=15&highlight=true&_=1405591692470 HTTP/1.1" \ "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0" \ ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 ``` - ### Sample queries ```sumo title="Response Codes Distribution by Domain and URI (Access Log Based)" 
@@ -63,55 +63,98 @@ loadbalancername={{loadbalancername}} metric=HTTPCode_ELB_4XX \ Statistic=Sum | sum by account, region, namespace, loadbalancername ``` -## Collecting logs and metrics for the AWS Classic Load Balancer +## Collecting logs and metrics for AWS Classic Load Balancer + +### Configure Hosted Collector When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). -### Collect metrics +### Collect AWS Classic Load Balancer CloudWatch metrics -1. Sumo Logic supports collecting metrics using two source types: - * Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (recommended); or - * Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”.
Metadata - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. +Sumo Logic supports collecting metrics using one of the following source types: -### Collect access logs +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -#### Prerequisites + :::note + Namespace for **AWS Classic Load Balancer** service is **AWS/ELB**. + ::: -Before you can begin to use the AWS Classic Load Balancing (ELB) App, complete the following steps: +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.
Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. +### Collect AWS Classic Load Balancer Access logs + +#### Prerequisites + +Before you begin to use the AWS Elastic Load Balancing (ELB) Application app, complete the following steps: 1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. 2. [Enable Application Load Balancer logging](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging) in AWS. 3. Confirm that logs are being delivered to the Amazon S3 bucket. -#### Collecting access logs for AWS Classic Load Balancer +Follow the steps below to collect access logs for AWS Classic Load Balancer: +1. Configure the [Access Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-sources/#create-an-aws-source). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. -1. Configure a Classic Load Balancing (CLB) [Access Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-sources/#create-an-aws-source). -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. The following **Fields** are to be added in the source: - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - 1. Add a **region** field and assign it the value of respective AWS region where the Load Balancer exists. - 1. Add an **accountId** field and assign it the value of the respective AWS account id which is being used. - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. -### Collect Cloudtrail logs +### Collect AWS Classic Load Balancer CloudTrail logs -1. 
Configure a Classic Load Balancing (CLB) [Cloudtrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +2. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). +3. Confirm that logs are being delivered to the Amazon S3 bucket. :::note -Namespace for **AWS Classic Load Balancer** Service is **AWS/ELB**. +Namespace for **AWS Classic Load Balancer** service is **AWS/ELB**. ::: +Follow the steps below to collect logs for AWS Classic Load Balancer: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. 
Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +### Centralized AWS CloudTrail log collection + +In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following field extraction rule to map proper AWS account(s) friendly name/alias. You'll need to create it if not already present or update it as required. + +```sumo +Rule Name: AWS Accounts +Applied at: Ingest Time +Scope (Specific Data): +_sourceCategory=aws/observability/cloudtrail/logs +``` + +#### Parse Expression + +Enter a parse expression to create an `account` field that maps to the alias you set for each sub account. For example, if you used the `dev` alias for an AWS account with ID `528560886094` and the `prod` alias for an AWS account with ID `567680881046`, your parse expression would look like this: + +```sumo +| json "recipientAccountId" +// Manually map your aws account id with the AWS account alias you setup earlier for individual child account +| "" as account +| if (recipientAccountId = "528560886094", "dev", account) as account +| if (recipientAccountId = "567680881046", "prod", account) as account +| fields account +``` + ## Installing the AWS Classic Load Balancer app Now that you have set up a collection for AWS Classic Load Balancer, install the Sumo Logic app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. 
@@ -120,7 +163,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. @@ -128,7 +173,7 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for AWS Classic Load Balancer Service is AWS/ELB. - `loadbalancername` Classic Load Balancer name. -## Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityCLBAccessLogsFER** to extract fields `loadbalancername` and `namespace` from access logs will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/dynamodb.md b/docs/integrations/amazon-aws/dynamodb.md index f2df1da192..0bf51fdb5d 100644 --- a/docs/integrations/amazon-aws/dynamodb.md +++ b/docs/integrations/amazon-aws/dynamodb.md 
@@ -14,52 +14,53 @@ Amazon DynamoDB is a fast and flexible NoSQL database service that provides cons The Sumo app for Amazon DynamoDB uses both logs and metrics to is a unified logs and metrics app that provides operational insights into your DynamoDB. The app includes Dashboards that allow you to monitor key metrics, view the throttle events, errors, and latency, and also help you plan the capacity of your DynamoDB instances. -## Collect Logs and Metrics for the Amazon DynamoDB app +## Log and metric types -### Log and metric types +The Sumo Logic app for AWS DynamoDB uses the following logs and metrics: +* [Amazon DynamoDB CloudTrail Logs](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html) +* [Amazon DynamoDB CloudWatch Metrics](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/metrics-dimensions.html) -The AWS DynamoDB app uses the following logs and metrics: +### Sample log messages -* [DynamoDB CloudWatch Metrics](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/metrics-dimensions.html) -* [DynamoDB operations using AWS CloudTrail](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html) - -### Sample CloudTrail log message +
+Sample CloudTrail Log Message ```json -{ - "eventVersion":"1.05", - "userIdentity":{ - "type":"IAMUser", - "principalId":"AIDAIBF5TU7HNYUE7V676", - "arn":"arn:aws:iam::568388783903:user/ankit", - "accountId":"568388783903", - "accessKeyId":"ASIAI3Q5RU4FIZFHFJZA", - "userName":"ankit", - "sessionContext":{ - "attributes":{ - "mfaAuthenticated":"false", - "creationDate":"2017-10-10T23:01:45+0000" - } - }, - "invokedBy":"signin.amazonaws.com" - }, - "eventTime":"2017-10-10T23:01:45+0000", - "eventSource":"dynamodb.amazonaws.com", - "eventName":"DescribeTable", - "awsRegion":"us-east-1", - "sourceIPAddress":"38.99.50.98", - "userAgent":"signin.amazonaws.com", - "requestParameters":{ - "tableName":"users3" - }, - "responseElements":null, - "requestID":"AIFQQ1I27ASKDSAQ4L9L4DTQPVVV4KQNSO5AEMVJF66Q9ASUAAJG", - "eventID":"f2bec08c-a56a-4f04-be92-0cac7aaabe9b", - "eventType":"AwsApiCall", - "apiVersion":"2012-08-10", - "recipientAccountId":"568388783903" -} + { + "eventVersion":"1.05", + "userIdentity":{ + "type":"IAMUser", + "principalId":"AIDAIBF5TU7HNYUE7V676", + "arn":"arn:aws:iam::568388783903:user/ankit", + "accountId":"568388783903", + "accessKeyId":"ASIAI3Q5RU4FIZFHFJZA", + "userName":"ankit", + "sessionContext":{ + "attributes":{ + "mfaAuthenticated":"false", + "creationDate":"2017-10-10T23:01:45+0000" + } + }, + "invokedBy":"signin.amazonaws.com" + }, + "eventTime":"2017-10-10T23:01:45+0000", + "eventSource":"dynamodb.amazonaws.com", + "eventName":"DescribeTable", + "awsRegion":"us-east-1", + "sourceIPAddress":"38.99.50.98", + "userAgent":"signin.amazonaws.com", + "requestParameters":{ + "tableName":"users3" + }, + "responseElements":null, + "requestID":"AIFQQ1I27ASKDSAQ4L9L4DTQPVVV4KQNSO5AEMVJF66Q9ASUAAJG", + "eventID":"f2bec08c-a56a-4f04-be92-0cac7aaabe9b", + "eventType":"AwsApiCall", + "apiVersion":"2012-08-10", + "recipientAccountId":"568388783903" + } ``` +
### Sample queries 
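Review bot: the sample CloudTrail record in the DynamoDB `@@ -14,52 +14,53 @@` hunk is being re-indented anyway, so take the chance to replace the real-looking identifiers it still carries (`"principalId":"AIDAIBF5TU7HNYUE7V676"`, `"accessKeyId":"ASIAI3Q5RU4FIZFHFJZA"`, account `568388783903`, user `ankit`, `"sourceIPAddress":"38.99.50.98"`) with the placeholder values AWS uses in its own documentation; published docs should not carry anything that looks like a live principal, key id or source address. Also in this hunk, the new intro line reads "The Sumo Logic app for AWS DynamoDB" while the heading, the list items and the rest of the page say "Amazon DynamoDB"; pick one.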
@@ -78,37 +79,54 @@ account=dev namespace=aws/dynamodb region=us-east-1 "\"eventSource\":\"dynamodb. | limit 20 ``` -### Collect Metrics for Amazon DynamoDB - -Sumo Logic supports collecting metrics using two source types: -* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (Recommended); or -* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) - -Namespace for **Amazon DynamoDB** Service is **AWS/DynamoDB**. +## Collect logs and metrics for Amazon DynamoDB -* **Metadata**. Add an **account** field to the source and assign it a value that is a friendly name/alias to your AWS account from which you are collecting metrics. Metrics can be queried via the “account field”. +### Configure Hosted Collector +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). -### Collect Amazon DynamoDB CloudTrail Logs +### Collect Amazon DynamoDB CloudWatch metrics -1. To your Hosted Collector, add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source.md). - * **Name**. Enter a name to display the new Source. - * **Description**. Enter an optional description. - * **S3 Region**. Select the Amazon Region for your **Amazon DynamoDB** S3 bucket. - * **Bucket Name**. Enter the exact name of your **Amazon DynamoDB** S3 bucket. - * **Path Expression**. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (`*`) in this string. (DO NOT use a leading forward slash. See [Amazon Path Expressions](/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions).) 
The S3 bucket name is not part of the path. Don’t include the bucket name when you are setting the Path Expression - * **Source Category**. Enter `aws/observability/cloudtrail/logs` - * **Fields**. Add an **account** field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - * **Access Key ID and Secret Access Key**. Enter your Amazon [Access Key ID and Secret Access Key](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html). Learn how to use Role-based access to AWS [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources) - * **Log File Discovery -> Scan Interval**. Use the default of 5 minutes. Alternately, enter the frequency. Sumo Logic will scan your S3 bucket for new data. Learn how to configure **Log File Discovery** [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources). - * **Enable Timestamp Parsing**. Select the **Extract timestamp information from log file entries** check box. - * **Time Zone**. Select **Ignore time zone from the log file and instead use**, and select **UTC** from the dropdown. - * **Timestamp Format.** Select **Automatically detect the format**. - * **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. -2. Click **Save**. +Sumo Logic supports collecting metrics using one of the following source types: +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -### Centralized AWS CloudTrail Log Collection + :::note + Namespace for **Amazon DynamoDB** service is **AWS/DynamoDB**. 
+ ::: + +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.
Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +### Collect Amazon DynamoDB CloudTrail logs + +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +2. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). +3. Confirm that logs are being delivered to the Amazon S3 bucket. + +:::note +Namespace for **Amazon DynamoDB** service is **AWS/DynamoDB**. +::: + +Follow the steps below to collect logs for Amazon DynamoDB: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +### Centralized AWS CloudTrail log collection In case you have a centralized collection of CloudTraillogs and are ingesting them from all accounts into a single Sumo Logic CloudTraillog source, create following Field Extraction Rule to map proper AWS account(s) friendly name/alias. Create it if not already present / update it as required. ```sql @@ -118,7 +136,7 @@ Scope (Specific Data): _sourceCategory=aws/observability/cloudtrail/logs ``` -**Parse Expression** +#### Parse Expression Enter a parse expression to create an “account” field that maps to the alias you set for each sub-account. For example, if you used the `“dev”` alias for an AWS account with ID `"528560886094"` and the `“prod”` alias for an AWS account with ID `"567680881046"`, your parse expression would look like this: ```sumo @@ -138,7 +156,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. 
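Review bot: in the DynamoDB `@@ -78,37 +79,54 @@` hunk the rewritten "Collect Amazon DynamoDB CloudTrail logs" steps drop the `Source Category` instruction (`aws/observability/cloudtrail/logs`) that the removed list carried, but the unchanged "Centralized AWS CloudTrail log collection" FER below is still scoped to `_sourceCategory=aws/observability/cloudtrail/logs`; add a sentence telling the reader to set that source category on the CloudTrail Logs Source, or say that the FER scope must be changed to match, otherwise the account-alias mapping silently never applies. In the same hunk the `:::note Namespace for **Amazon DynamoDB** service is **AWS/DynamoDB** :::` block appears twice, and the second copy sits under the CloudTrail logs heading where the CloudWatch namespace plays no role; drop it, and check that the first copy, indented two spaces after the bullet list, still renders as an admonition rather than as list continuation. In `@@ -138,7 +156,9 @@` and `@@ -146,7 +166,7 @@`, `#### Fields` and `#### Field Extraction Rule(s)` now hang directly off the `## Installing` heading with no `###` between them, which skips a level; `###` would match `### Centralized AWS CloudTrail log collection` above. "along with dashboards and monitor template" also wants an article or a plural.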
@@ -146,7 +166,7 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for Amazon DynamoDB Service is AWS/DynamoDB. - `tablename` DynamoDB table name. -### Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityDynamoDBCloudTrailLogsFER** to extract fields `region`, `namespace`, `tablename`, and `accountid` will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/ec2-cloudwatch-metrics.md b/docs/integrations/amazon-aws/ec2-cloudwatch-metrics.md index 194dd5d266..fbd4c42346 100644 --- a/docs/integrations/amazon-aws/ec2-cloudwatch-metrics.md +++ b/docs/integrations/amazon-aws/ec2-cloudwatch-metrics.md 
@@ -13,17 +13,18 @@ Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity i The Sumo Logic app for AWS EC2 allows you to collect your EC2 instance metrics and display them using predefined dashboards. The app provides dashboards to display analysis of EC2 instance metrics for CPU, disk, network, EBS, Health Status Check, and EC2 CloudTrail Events. Also, it provides detailed insights into all CloudTrail audit events associated with EC2 instances and specifically helps identify changes, errors, and user activities. -## Collecting CloudWatch Metrics and CloudTrail logs for AWS EC2 +## Log and metric types -This section describes the AWS EC2 app's data sources and instructions for setting up a metric collection. - -### Metrics types - -For details on the metrics of AWS EC2, see [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html). +The Sumo Logic app for AWS EC2 CloudWatch Metrics uses the following metrics: +* [Amazon CloudWatch Metrics](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html) +* [Amazon CloudTrail Logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html#logging-data-events) ### Sample log messages -```json title="Sample CloudTrail Log" +
+Sample CloudTrail Log + +```json { "eventVersion":"1.08", "userIdentity":{ @@ -68,6 +69,7 @@ For details on the metrics of AWS EC2, see [here](https://docs.aws.amazon.com/AW } } ``` +
### Sample queries 
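Review bot: in the EC2 CloudWatch Metrics `@@ -13,17 +13,18 @@` hunk the new lead sentence says the app "uses the following metrics:" but the second bullet is `[Amazon CloudTrail Logs](...)`; change it to "the following logs and metrics:" as the DynamoDB hunk does, and consider naming the first bullet "Amazon EC2 CloudWatch Metrics" since the linked page is EC2-specific rather than the generic CloudWatch metric reference.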
@@ -101,56 +103,62 @@ account={{account}} region={{region}} namespace={{namespace}} eventname eventsou | count as count by error_code | sort by count, error_code asc | limit 10 ``` +## Collecting logs and metrics for AWS EC2 -### AWS EC2 CloudWatch Metrics +### Configure Hosted Collector -AWS EC2 automatically monitors functions on your behalf, reporting [AWS EC2 metrics](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html) through Amazon CloudWatch. These metrics are collected by our Hosted Collector by configuring the Amazon CloudWatch source. +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). -The Sumo Logic app for AWS EC2 (CloudWatch Metrics) allows you to collect your EC2 instance metrics and display them using predefined dashboards. The app provides dashboards to analyze EC2 instance metrics for CPU, disk, network, EBS, and Health Status Check. +### Collect AWS EC2 CloudWatch metrics +Sumo Logic supports collecting metrics using one of the following source types: -### CloudTrail EC2 Data Events +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -[CloudTrail EC2 Data Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html#logging-data-events) allow you to continuously monitor the execution activity of your EC2 instance and record details of all the related events. + :::note + Namespace for **Amazon EC2** service is **AWS/EC2**. 
+ ::: +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.
Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. -### Collect Amazon CloudWatch EC2 Metrics +AWS EC2 automatically monitors functions on your behalf, reporting [AWS EC2 metrics](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html) through Amazon CloudWatch. These metrics are collected by our Hosted Collector by configuring the Amazon CloudWatch source. -Sumo Logic supports collecting metrics using two source types: -* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) **(recommended)** or -* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -:::note -Namespace for **Amazon EC2** Service is **AWS/EC2**. -::: +The Sumo Logic app for AWS EC2 (CloudWatch Metrics) allows you to collect your EC2 instance metrics and display them using predefined dashboards. The app provides dashboards to analyze EC2 instance metrics for CPU, disk, network, EBS, and Health Status Check. -* **Metadata**: Add an **account** field to the source and assign it a value which is a friendly name / alias to your AWS account from which you are collecting metrics. Metrics can be queried through the **account** field. -Metadata +### Collect AWS EC2 CloudTrail logs -### Collect CloudTrail EC2 Data Events +:::note +CloudTrail data events will be collected under this source. +::: -To configure a CloudTrail Source, perform these steps: +#### Prerequisites 1. 
[Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. -2. [Configure DataEvents with CloudTrail](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/using-cloudtrail.html) in your AWS account. +2. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). 3. Confirm that logs are being delivered to the Amazon S3 bucket. -4. Add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source) to Sumo Logic. - 1. **Name**. Enter a name to display the new Source. - 2. **Description**. You may skip the description as it's optional. - 3. **S3 Region**. Select the Amazon Region for your API Gateway S3 bucket. - 4. **Bucket Name**. Enter the exact name of your API Gateway S3 bucket. - 5. **Path Expression**. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard `*` in this string. - :::note - DO NOT use a leading forward slash. See [Amazon Path Expressions](/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions). The S3 bucket name is not part of the path. Don’t include the S3 bucket name when you are setting the Path Expression. - ::: -5. **Source Category**. Enter `aws/observability/cloud trail/logs`. -6. **Fields**. Add an **account** field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried through the **account** field.
Fields -7. **Access Key ID and Secret Access Key**. Enter your [Access Key ID and Secret Access Key](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html). Learn how to use Role-based access to AWS [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources). -8. **Log File Discovery -> Scan Interval**. Use the default of 5 minutes. Alternately, enter the frequency. Sumo Logic will scan your S3 bucket for new data. Learn how to configure Log File Discovery [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources). -9. **Enable Timestamp Parsing**. Select the **Extract timestamp information from log file entries** check box. -10. **Time Zone**. Select **Ignore time zone from the log file and instead use**, and select **UTC** from the dropdown. -11. **Timestamp Format.** Select **Automatically detect the format**. -12. **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. -13. Click **Save**. + +:::note +Namespace for **Amazon EC2** service is **AWS/EC2**. +::: + +Follow the steps below to collect logs for AWS API Gateway: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. ### Centralized AWS CloudTrail log collection @@ -162,8 +170,7 @@ Applied at: Ingest Time Scope (Specific Data): _sourceCategory= ``` - -**Parse Expression** +#### Parse Expression Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the `“dev”` alias for an AWS account with ID `"528560886094"` and the `“prod”` alias for an AWS account with ID `"567680881046"`, your parse expression would look like: @@ -176,17 +183,17 @@ Enter a parse expression to create an “account” field that maps to the alias | fields account ``` - ## Installing the AWS EC2 app Now that you have set up collection for AWS EC2 metrics install the Sumo Logic app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. - import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name/alias to the AWS account. - `accountid` AWS account ID. 
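Review bot: "Follow the steps below to collect logs for AWS API Gateway:" in the EC2 `@@ -101,56 +103,62 @@` hunk is a copy-paste slip on the EC2 page and should read AWS EC2. In the same hunk the new prerequisite list replaces the removed `[Configure DataEvents with CloudTrail]` step with `[Create a trail for your AWS account]`, while the added note promises that "CloudTrail data events will be collected under this source"; a newly created trail records management events only, so keep a step that tells the reader to enable the data events on the trail, otherwise the events the note refers to are never delivered. The two paragraphs moved down ("AWS EC2 automatically monitors functions on your behalf..." and "The Sumo Logic app for AWS EC2 (CloudWatch Metrics) allows you...") now appear after the metadata-field steps; they introduce metric collection and read better as the opening of "Collect AWS EC2 CloudWatch metrics". The `AWS/EC2` namespace note is duplicated under the CloudTrail logs heading here too, where it is irrelevant.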
@@ -194,7 +201,7 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for EC2 CW Metrics Service. - `instanceid` EC2 Instance Id. -### Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityEC2CloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `instanceid` will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/ec2-host-metrics.md b/docs/integrations/amazon-aws/ec2-host-metrics.md index 40da95a812..de4bd18c7d 100644 --- a/docs/integrations/amazon-aws/ec2-host-metrics.md +++ b/docs/integrations/amazon-aws/ec2-host-metrics.md 
@@ -13,38 +13,26 @@ Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity i The Sumo Logic App for Host Metrics (EC2) allows you to collect your EC2 instance metrics and display them using predefined dashboards. The App provides dashboards to display analysis of EC2 instance metrics for CPU, memory, disk, network, and TCP. Also, it provides detailed insights into all CloudTrail audit events associated with EC2 instances and specifically helps identify changes, errors, and user activities. +## Log and metric types -## Metrics Types - -Host metrics are gathered by the open-source [SIGAR library](https://github.com/hyperic/sigar). The metrics that are collected are described in [Host Metrics for Installed Collectors](/docs/send-data/installed-collectors/sources/host-metrics-source#collected-metrics). - +The Sumo Logic app for AWS EC2 Host Metrics uses the following metrics: * [CPU Metrics](/docs/integrations/hosts-operating-systems/host-metrics#cpu-metrics) * [Memory Metrics](/docs/integrations/hosts-operating-systems/host-metrics#memory-metrics) * [TCP Metrics](/docs/integrations/hosts-operating-systems/host-metrics#tcp-metrics) * [Networking Metrics](/docs/integrations/hosts-operating-systems/host-metrics#networking-metrics) * [Disk Metrics](/docs/integrations/hosts-operating-systems/host-metrics#disk-metrics) - ### Sample queries ```sql title="Average CPU Utilization" _sourceCategory=Labs/AWS/Host/Metrics metric=CPU_Total account=* region=* namespace=aws/ec2 instanceid=* | avg ``` +## Collecting metrics for AWS EC2 Host Metrics -## Collecting Metrics for the Host Metrics (EC2) App - -The Host Metrics (EC2) app relies upon an Installed Collector with a [Host Metrics Source](/docs/send-data/installed-collectors/sources/host-metrics-source) on each of your AWS EC2 hosts. This page describes the data sources for the Host Metrics (EC2) app and has instructions for setting up metric collection. - - -### Field in Field Schema - -1. 
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the `instanceid` field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields#manage-fields). - -Fields Schema +Host metrics are gathered by the open-source [SIGAR library](https://github.com/hyperic/sigar). The metrics that are collected are described in [Host Metrics for Installed Collectors](/docs/send-data/installed-collectors/sources/host-metrics-source#collected-metrics). +The Host Metrics (EC2) app relies upon an Installed Collector with a [Host Metrics Source](/docs/send-data/installed-collectors/sources/host-metrics-source) on each of your AWS EC2 hosts. This section describes the data sources for the Host Metrics (EC2) app and has instructions for setting up metric collection. ### Configure Host Metrics sources @@ -59,7 +47,7 @@ Perform these steps for each EC2 host: * Add a field named **account**, and set it to your AWS account alias. * Add a field named **namespace** and set it to **aws/ec2**. -Configure metadata +Configure metadata 3. Set the **Scan Interval** (the frequency at which the Source is scanned) to 1 minute. @@ -67,6 +55,8 @@ A default Scan Interval of 1 minute is recommended. You can set it to a higher o You can also build your EC2 AMI machine image with these fields and settings. For instructions, see [this blog](https://www.sumologic.com/blog/packer-and-sumo-logic). Here’s a sample sources.json file that you can include in your AMI. +
+Click to expand ```json { @@ -110,13 +100,12 @@ You can also build your EC2 AMI machine image with these fields and settings. Fo } } ``` +
- -### AWS Metadata +#### AWS metadata Collectors running on AWS EC2 instances can optionally collect AWS Metadata such as EC2 tags to make it easier to search for Host Metrics. Only one AWS Metadata Source for Metrics is required to collect EC2 tags from multiple hosts. For more information, see [AWS Metadata Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/aws-metadata-tag-source). - ## Install the Host Metrics (EC2) App Now that you have set up the collection for Host Metrics (EC2) metrics, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. @@ -125,7 +114,13 @@ import AppInstall from '../../reuse/apps/app-install.md'; -## Viewing EC2 Host Metrics Dashboards +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields + +- `accountid` AWS account id. + +## Viewing EC2 Host Metrics dashboards ### AWS EC2 - Overview (Host OS Metrics) diff --git a/docs/integrations/amazon-aws/elastic-container-service.md b/docs/integrations/amazon-aws/elastic-container-service.md index d1388c65aa..a7b07f3dcc 100644 --- a/docs/integrations/amazon-aws/elastic-container-service.md +++ b/docs/integrations/amazon-aws/elastic-container-service.md 
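Review bot: the Host Metrics (EC2) `@@ -13,38 +13,26 @@` hunk in `docs/integrations/amazon-aws/ec2-host-metrics.md` removes the "Field in Field Schema" steps (look up `instanceid` in the Fields schema and create it if missing) without replacing them, while the `@@ -125,7 +114,13 @@` hunk lists only `accountid` under the new `#### Fields`; the unchanged sample query still filters on `instanceid=*` and the source steps set `account` and `namespace`, so either add `instanceid` (and `account`, `namespace`) to the fields the app creates or keep the instruction to create `instanceid`, otherwise a field that is not in the schema is marked `Dropped` at ingest and the `instanceid=*` filter has nothing to match. Smaller point: `#### AWS metadata` and `#### Fields` skip the `###` level under their `##` parents.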
@@ -15,9 +15,13 @@ We offer two different ECS versions, which have separate data collection steps: * **[Collect Logs and Metrics for ECS](/docs/integrations/amazon-aws/elastic-container-service)**. This version collects [ECS CloudWatch Metrics](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/available-metrics.html) and [ECS Events using AWS CloudTrail](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html#service-name-info-in-cloudtrail). * **[Collect Logs, Metrics (Container Insights+CloudWatch) and Traces for ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html)**. This version collects [ECS CloudWatch Metrics](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-metrics.html#available_cloudwatch_metrics), [Container Insights Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-metrics-ECS.html), [ECS Events using AWS CloudTrail](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html#service-name-info-in-cloudtrail), Application Logs and Traces. Metrics collected by Container Insights are charged as custom metrics. For more information about CloudWatch pricing, see[ Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/). This solution enables you to monitor both EC2 and Fargate based ECS deployments. For instructions on collecting this data, refer to the [Amazon Elastic Container Service (ECS) using Container Insights and CloudWatch](/docs/integrations/amazon-aws/elastic-container-service-container-insights-cloudwatch/). -This page has instructions for collecting logs and metrics for the Amazon ECS without Container Insights and Traces app. It uses the following data: -* CloudWatch Metrics -* AWS CloudTrail Events +This documentation has instructions for collecting logs and metrics for the Amazon ECS app without Container Insights and Traces. 
+ +## Log and metric types + +The Sumo Logic app for Amazon ECS without Container Insights and Traces uses the following logs and metrics: +* Amazon CloudWatch Metrics +* Amazon CloudTrail Logs ### Sample log messages @@ -272,7 +276,6 @@ This page has instructions for collecting logs and metrics for the Amazon ECS wi "recipientAccountId":"435456556566" } ``` - ### Sample queries 
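Review bot: the two new bullets in the ECS `@@ -15,9 +15,13 @@` hunk, `* Amazon CloudWatch Metrics` and `* Amazon CloudTrail Logs`, are plain text while the DynamoDB and EC2 hunks link each type to its AWS reference; the paragraph two lines up already links the ECS metric list (`.../AmazonECS/latest/developerguide/available-metrics.html`) and the ECS CloudTrail reference (`.../logging-using-cloudtrail.html#service-name-info-in-cloudtrail`), so reuse those URLs here. "This documentation has instructions" also reads oddly for a single page; "This page" (the wording being removed) or "This section" is the phrasing used elsewhere in these docs.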
@@ -288,34 +291,74 @@ _sourceCategory=ecs* (DeleteCluster or DeleteService or DeregisterContainerInsta | count by resource_type, _timeslice | transpose row _timeslice column resource_type ``` -## Collect Logs and Metrics for Amazon ECS +## Collecting logs and metrics for Amazon ECS + +### Configure Hosted Collector -This section has instructions for collecting logs and metrics for the Amazon ECS app. +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). -### Collect Metrics for Amazon ECS +### Collect Amazon ECS CloudWatch metrics + +Sumo Logic supports collecting metrics using one of the following source types: + +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -1. Sumo Logic supports collecting metrics using two source types: - * Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (recommended) or - * Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) :::note - Amazon ECS metrics use the AWS/ECS namespace + Namespace for **Amazon ECS** service is **AWS/ECS**. ::: -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. 
Logs can be queried via the “account field”.
Metadata - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.
Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. -### Collect ECS events using CloudTrail +### Collect Amazon ECS CloudTrail logs -1. Configure a [AWS CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [Fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +2. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). +3. Confirm that logs are being delivered to the Amazon S3 bucket. + :::note + Namespace for **Amazon ECS** service is **AWS/ECS**. 
+ ::: + +Follow the steps below to collect logs for Amazon ECS: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +### Centralized AWS CloudTrail log collection + +In case you have a centralized collection of CloudTraillogs and are ingesting them from all accounts into a single Sumo Logic CloudTraillog source, create following Field Extraction Rule to map proper AWS account(s) friendly name/alias. Create it if not already present / update it as required. +```sql +Rule Name: AWS Accounts +Applied at: Ingest Time +Scope (Specific Data): +_sourceCategory=aws/observability/cloudtrail/logs +``` + +#### Parse Expression + +Enter a parse expression to create an “account” field that maps to the alias you set for each sub-account. For example, if you used the `“dev”` alias for an AWS account with ID `"528560886094"` and the `“prod”` alias for an AWS account with ID `"567680881046"`, your parse expression would look like this: +```sumo +| json "recipientAccountId" +// Manually map your aws account id with the AWS account alias you setup earlier for individual child account +| "" as account +| if (recipientAccountId = "528560886094", "dev", account) as account +| if (recipientAccountId = "567680881046", "prod", account) as account +| fields account +``` ## Installing the Amazon ECS app 
@@ -325,7 +368,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. @@ -333,12 +378,10 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for Amazon ECS Service is AWS/ECS. - `clustername` The name of the ECS cluster. -## Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityECSCloudTrailLogsFER** to extract fields `region`, `namespace`, `clustername`, and `accountid` will be created as a part of app installation. -The FER **AwsObservabilityECSCloudWatchLogsFER** to extract the `namespace` field will be created as a part of app installation. - ## Viewing the Amazon ECS app dashboards import ViewDashboards from '../../reuse/apps/view-dashboards.md'; diff --git a/docs/integrations/amazon-aws/elasticache.md b/docs/integrations/amazon-aws/elasticache.md index 9017fb255b..aad46a729a 100644 --- a/docs/integrations/amazon-aws/elasticache.md +++ b/docs/integrations/amazon-aws/elasticache.md 
@@ -15,15 +15,17 @@ The Amazon ElastiCache dashboards provide visibility into key event and performa ## Log and metric types -The Amazon ElastiCache app uses the following logs and metrics: +The Sumo Logic app for Amazon ElastiCache uses the following logs and metrics: +* [Amazon ElastiCache CloudTrail Logs](https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/logging-using-cloudtrail.html) * [Amazon ElastiCache Host-Level Metrics for individual cache nodes](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheMetrics.HostLevel.html) -* [Amazon ElastiCache Cache Engine metrics](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheMetrics.Redis.html) -* [CloudTrail Amazon ElastiCache Data Event](https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/logging-using-cloudtrail.html) - +* [Amazon ElastiCache Cache Engine Metrics](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheMetrics.Redis.html) ### Sample log messages -```json title="Sample CloudTrail Log Message" +
+Sample CloudTrail Log Message + +```json { "eventVersion":"1.05", "userIdentity":{ @@ -72,7 +74,7 @@ The Amazon ElastiCache app uses the following logs and metrics: "recipientAccountId":"123456789038" } ``` - +
### Sample queries 
@@ -105,35 +107,56 @@ account={{account}} region={{region}} namespace={{namespace}} "\"eventSource\":\ | sort by _timeslice ``` -## Collect Logs and Metrics for Amazon ElastiCache +## Collecting logs and metrics for Amazon ElastiCache + +### Configure Hosted Collector + +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). + +### Collect Amazon ElastiCache CloudWatch metrics + +Sumo Logic supports collecting metrics using one of the following source types: -* Sumo Logic supports collecting metrics using two source types: - * Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (recommended); or - * Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) - * Namespace for **Amazon ElastiCache** service is **AWS/ElastiCache** - * **Metadata**: Add an **account** field to the source and assign it a value which is a friendly name / alias to your AWS account from which you are collecting metrics. Metrics can be queried via the “account field”. +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) + :::note + Namespace for **Amazon ElastiCache** service is **AWS/ElastiCache**. + ::: -### Collect Amazon ElastiCache CloudTrail Logs +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. 
Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.
Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. -1. To your Hosted Collector, add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source.md). - * **Name**. Enter a name to display for the new Source. - * **Description**. Enter an optional description. - * **S3 Region**. Select the Amazon Region for your **ElastiCache** S3 bucket. - * **Bucket Name**. Enter the exact name of your **ElastiCache** S3 bucket. - * **Path Expression**. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. (DO NOT use a leading forward slash. See [Amazon Path Expressions](/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions).) The S3 bucket name is not part of the path. Don’t include the bucket name when you are setting the Path Expression. - * **Source Category**. Enter aws/observability/cloudtrail/logs - * **Fields**. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - * **Access Key ID and Secret Access Key**. Enter your Amazon [Access Key ID and Secret Access Key](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html). Learn how to use Role-based access to AWS [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources) - * **Log File Discovery -> Scan Interval**. Use the default of 5 minutes. Alternately, enter the frequency. Sumo Logic will scan your S3 bucket for new data. 
Learn how to configure **Log File Discovery** [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources). - * **Enable Timestamp Parsing**. Select the **Extract timestamp information from log file entries** check box. - * **Time Zone**. Select **Ignore time zone from the log file and instead use**, and select **UTC** from the dropdown. - * **Timestamp Format.** Select **Automatically detect the format**. - * **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. -2. Click **Save**. +### Collect Amazon ElastiCache CloudTrail logs +#### Prerequisites -### Centralized AWS CloudTrail Log Collection +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +2. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). For more information on what events are logged, refer to the [ElastiCache API calls documentation](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/logging-using-cloudtrail.html). +3. Confirm that logs are being delivered to the Amazon S3 bucket. + +:::note +Namespace for **Amazon ElastiCache** service is **AWS/ElastiCache**. +::: + +Follow the steps below to collect logs for Amazon ElastiCache: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +### Centralized AWS CloudTrail log collection In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map a proper AWS account(s) friendly name / alias. Create it if not already present / update it as required. @@ -143,8 +166,9 @@ Applied at: Ingest Time Scope (Specific Data): _sourceCategory=aws/observability/cloudtrail/logs ``` -**Parse Expression**. Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the `“dev”` alias for an AWS account with ID `"528560886094"` and the `“prod”` alias for an AWS account with ID `"567680881046"`, your parse expression would look like: +#### Parse Expression +Enter a parse expression to create an `account` field that maps to the alias you set for each sub account. For example, if you used the `dev` alias for an AWS account with ID `528560886094` and the `prod` alias for an AWS account with ID `567680881046`, your parse expression would look like: ```sumo | json "recipientAccountId" @@ -155,7 +179,6 @@ Scope (Specific Data): _sourceCategory=aws/observability/cloudtrail/logs | fields account ``` - ## Installing the Amazon ElastiCache app This section has instructions for installing the Sumo Logic app for **Amazon ElastiCache** and descriptions of each of the app dashboards along with associated use cases. 
@@ -166,7 +189,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. @@ -174,13 +199,12 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for Amazon ElastiCache service is AWS/ElastiCache. - `cacheclusterid` A cache cluster ID is a user-supplied, unique name used to identify and manage an Amazon ElastiCache cluster. -### Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityElastiCacheCloudTrailLogsFER** to extract fields `accountid`, `namespace`, `region`, and `cacheclusterid` will be created as a part of app installation. ## Viewing Amazon ElastiCache dashboards - ### Host Performance Overview **The Amazon ElastiCache - Host Performance Overview** dashboard provides detailed insights into CPU, memory and network performance metrics of hosts running your ElastiCache clusters. @@ -292,4 +316,4 @@ import AppUpdate from '../../reuse/apps/app-update.md'; import AppUninstall from '../../reuse/apps/app-uninstall.md'; - \ No newline at end of file + diff --git a/docs/integrations/amazon-aws/lambda.md b/docs/integrations/amazon-aws/lambda.md index 17d27cbc1a..47572891d5 100644 --- a/docs/integrations/amazon-aws/lambda.md +++ b/docs/integrations/amazon-aws/lambda.md 
@@ -12,16 +12,16 @@ AWS Lambda allows you to run code without the burden of provisioning or managing The Sumo Logic AWS Lambda App uses the Lambda logs via CloudWatch, CloudWatch Metrics, and the CloudTrail Lambda Data Events to visualize the operational and performance trends in all the Lambda functions in your account. The preconfigured dashboards provide insights into executions, memory, and duration (including cold start) usage by function versions or aliases, errors, billed duration, function callers, IAM users, and threat details. -## Log and Metric Types +## Log and metric types This section describes the data sources for the AWS Lambda app and how the app leverages these data sources to provide insight into AWS Lambda. -The AWS Lambda app uses the following logs and metrics: -* [AWS CloudWatch Logs](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html) -* [CloudTrail Lambda Data Events](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html#cloudtrail-data-events) -* [AWS Lambda metrics](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-metrics.html) +The Sumo Logic app for AWS Lambda uses the following logs and metrics: +* [AWS Lambda CloudTrail Logs](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html#cloudtrail-data-events) +* [AWS Lambda CloudWatch Logs](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html) +* [AWS Lambda Metrics](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-metrics.html) -### AWS CloudWatch Logs +### AWS Lambda CloudWatch logs AWS Lambda monitors Lambda functions and reports metrics through Amazon CloudWatch. Lambda then logs all requests handled by your function and stores logs through [AWS CloudWatch Logs](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html). 
@@ -29,7 +29,7 @@ The Sumo Logic AWS Lambda App uses the Lambda logs via CloudWatch, CloudWatch Me AWS Lambda -### CloudTrail Lambda Data Events +### AWS Lambda CloudTrail logs [CloudTrail Lambda Data Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html#logging-data-events) allow you to continuously monitor the execution activity of your Lambda functions and to record details on when and by whom an Invoke API call was made. @@ -37,7 +37,7 @@ The Sumo Logic App for AWS Lambda provide insights into the Lambda Functions inv AWS Lambda -### AWS Lambda CloudWatch Metrics +### AWS Lambda CloudWatch metrics AWS Lambda automatically monitors functions on your behalf, reporting [AWS Lambda metrics](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-metrics.html) through Amazon CloudWatch. These metrics are collected by our Hosted Collector by configuring the Amazon CloudWatch source. @@ -46,7 +46,10 @@ The Sumo Logic App for AWS Lambda provide insights into the Lambda Functions inv ### Sample log messages This section provides sample Amazon CloudWatch Logs and CloudTrail Lambda Data Events log messages. -```json title="Amazon CloudWatch Log" +
+Amazon CloudWatch Log + +```json { "id":"32563142671071560797760688825700039436306340248688066573", "timestamp":1511808906799, @@ -56,8 +59,12 @@ This section provides sample Amazon CloudWatch Logs and CloudTrail Lambda Data E "logGroup":"/aws/lambda/AWSlambda1" } ``` +
+ +
+CloudTrail Lambda Data Events -```json title="CloudTrail Lambda Data Events" +```json { "eventVersion":"1.06", "userIdentity":{ @@ -98,7 +105,7 @@ This section provides sample Amazon CloudWatch Logs and CloudTrail Lambda Data E "recipientAccountId":"111111111111" } ``` - +
### Sample queries @@ -137,81 +144,101 @@ account={{account}} region={{region}} Namespace={{namespace}} namespace=aws/lambda metric=Errors statistic=Sum account=* region=* functionname=* Resource=* | sum ``` -## Collecting logs for the AWS Lambda App +## Collecting logs and metrics for AWS Lambda -This section provides instructions for setting up log and metric collection. +### Configure Hosted Collector -### Collect Amazon CloudWatch Logs +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). -Sumo supports several methods for collecting Lambda logs from Amazon CloudWatch. You can choose any of them to collect logs. -- **AWS Kinesis Firehose for Logs**. Configure an [AWS Kinesis Firehose for Logs](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source/#create-an-aws-kinesis-firehose-for-logssource) (Recommended). -- **Lambda Log Forwarder**. Configure a collection of Amazon CloudWatch Logs using our AWS Lambda function using a Sumo Logic provided CloudFormation template, as described in [Amazon CloudWatch Logs](/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/) or configure collection without using CloudFormation, see [Collect Amazon CloudWatch Logs using a Lambda Function](/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-lambda-function/).
+### Collect AWS Lambda CloudWatch logs -* While configuring the CloudWatch log source, the following Fields can be added in the source: - * Add an **account** field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried via the **account** field. - * Add a **region** field and assign it the value of the respective AWS region where the Lambda function exists. - * Add an **accountId** field and assign it the value of the respective AWS account ID being used. +Sumo Logic supports collecting Lambda logs from Amazon CloudWatch using one of the following methods: +- **AWS Kinesis Firehose for Logs**. Configure an [AWS Kinesis Firehose for Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source/#create-an-aws-kinesis-firehose-for-logssource) (**Recommended**) +- **Lambda Log Forwarder**. There are two ways to set up the Lambda Log Forwarder: + - **With CloudFormation**. Configure the collection of Amazon CloudWatch logs using Sumo Logic-provided CloudFormation template, as described in [Amazon CloudWatch Logs](/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/). + - **Without CloudFormation**. Configure the collection of Amazon CloudWatch Logs using a Lambda function, as described in [Collect Amazon CloudWatch Logs using a Lambda Function](/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-lambda-function/). -Fields +Follow the steps below to add custom fields when configuring the CloudWatch log source: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Fields +1. Add a `region` field and assign it the value of the respective AWS region where the Lambda function exists. +1. Add an `accountId` field and assign it the value of the respective AWS account ID being used. +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. -### Collect CloudTrail Lambda Data Events +### Collect AWS Lambda CloudTrail logs + +:::note +CloudTrail data events will be collected under this source. +::: -To configure a CloudTrail Source, perform these steps: +#### Prerequisites 1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. 2. [Configure DataEvents with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html) in your AWS account. 3. Confirm that logs are being delivered to the Amazon S3 bucket. -4. Add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source.md) to Sumo Logic. -5. While configuring the cloud trail log source, the following field can be added to the source: - * Add an **account** field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. -Fields +Follow the steps below to collect logs for AWS Lambda: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source.md). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. 
Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. +### Collect AWS Lambda CloudWatch metrics -### Collect Amazon CloudWatch Metrics +Sumo Logic supports collecting metrics using one of the following source types: -Sumo Logic supports collecting metrics using two source types: - -* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (Recommended) - or +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) * Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -:::note -Namespace for **Amazon Lambda** Service is **AWS/Lambda**. -::: - -* **Metadata**. Add an **account** field to the source and assign it a value that is a friendly name/alias to your AWS account from which you are collecting metrics. The **account** field allows you to query metrics. + :::note + Namespace for **AWS ElastiCache** service is **AWS/ElastiCache**. + ::: -Metadata +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. 
This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.
Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. Continue with the process of [enabling Provisioned Concurrency configurations](#enable-provisioned-concurrency-configurations-for-lambda-functions) for Lambda functions, as needed. - ### Enable Provisioned Concurrency configurations for Lambda functions AWS Lambda provides Provisioned Concurrency for greater control over the start-up time for Lambda functions. When enabled, [Provisioned Concurrency](https://docs.aws.amazon.com/lambda/latest/dg/provisioned-concurrency.html) keeps functions initialized and hyper-ready to respond in double-digit milliseconds. AWS Lambda provides additional metrics for provisioned concurrency with CloudWatch. To collect the metrics in Sumo Logic, follow the steps below: -1. Jump to the [Collect Amazon CloudWatch Metrics](#collect-amazon-cloudwatch-metrics) section and complete the steps as described. +1. Jump to the [Collect Amazon CloudWatch Metrics](#collect-aws-lambda-cloudwatch-metrics) section and complete the steps as described. 2. Configure Provisioned Concurrency while creating a Lambda function in the AWS Management Console, as shown in the following example. 
Configure Provisioned Concurrency Once Provisioned Concurrency is enabled and you start collecting CloudWatch metrics, the following new metrics will be available: -| Metric | Description | -|:-----------|:-------------------------| -| **ProvisionedConcurrentExecutions** | Concurrent Executions using Provisioned Concurrency | -| **ProvisionedConcurrencyUtilization** | Fraction of Provisioned Concurrency in use | -| **ProvisionedConcurrencyInvocations** | Number of Invocations using Provisioned Concurrency | +| Metric | Description | +|:--|:--| +| **ProvisionedConcurrentExecutions** | Concurrent Executions using Provisioned Concurrency | +| **ProvisionedConcurrencyUtilization** | Fraction of Provisioned Concurrency in use | +| **ProvisionedConcurrencyInvocations** | Number of Invocations using Provisioned Concurrency | | **ProvisionedConcurrencySpilloverInvocations** | Number of Invocations that are above Provisioned Concurrency | These metrics can then be queried using Sumo Logic [Metrics queries](/docs/metrics/metrics-queries), as shown in the following example: Search Provisioned Concurrency Metrics -### Centralized AWS CloudTrail Log Collection +### Centralized AWS CloudTrail Log collection In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map the proper AWS account(s) friendly name/alias. Create it if not already present / update it as required. 
@@ -221,9 +248,9 @@ Applied at: Ingest Time Scope (Specific Data): _sourceCategory= ``` -**Parse Expression**: +#### Parse Expression -Enter a parse expression to create an “account” field that maps to the alias you set for each sub-account. For example, if you used the `“dev”` alias for an AWS account with ID `"528560886094"` and the `“prod”` alias for an AWS account with ID `"567680881046"`, your parse expression would look like: +Enter a parse expression to create an `account` field that maps to the alias you set for each sub-account. For example, if you used the `dev` alias for an AWS account with ID `528560886094` and the `prod` alias for an AWS account with ID `567680881046`, your parse expression would look like: ```sumo | json "recipientAccountId" @@ -234,7 +261,7 @@ Enter a parse expression to create an “account” field that maps to the alias | fields account ``` -## Installing the AWS Lambda App +## Installing the AWS Lambda app Now that you have set up collection for AWS Lambda, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. @@ -242,7 +269,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. 
@@ -250,7 +279,7 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for Amazon Lambda Service is AWS/Lambda. - `functionname` Lambda resource function name. -### Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityLambdaCloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `functionname` will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/network-load-balancer.md b/docs/integrations/amazon-aws/network-load-balancer.md index 40931ae453..67aa75c36d 100644 --- a/docs/integrations/amazon-aws/network-load-balancer.md +++ b/docs/integrations/amazon-aws/network-load-balancer.md @@ -12,9 +12,72 @@ AWS Network Load Balancer service is distributed in OSI Layer 4 (the network lay The Sumo Logic app for AWS Network Load Balancer is using metrics to provide insights to ensure that your network load-balancers are operating as expected, backend hosts are healthy, and to quickly identify errors. -## Metric types - -The AWS Network Load Balancer app uses AWS Network Load Balancer metrics. +## Log and metric types + +The Sumo Logic app for AWS Network Load Balancer uses the following logs and metrics: +* [AWS Network Load Balancer CloudTrail Logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/cloudtrail-logs.html) +* [AWS Network Load Balancer CloudWatch Metrics](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-cloudwatch-metrics.html) + +### Sample logs + +
+Sample CloudTrail Log Message + +```json +{ + "eventVersion": "1.11", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AROATIK2E7SUFL6GB4G44:1782467664281479421", + "arn": "arn:aws:sts::224064240808:assumed-role/pdet-eks-irsa-prod-aws-lb-controller/1782467664281479421", + "accountId": "224064240808", + "accessKeyId": "ASIATIK2E7SUH6GUXFK4", + "sessionContext": { + "sessionIssuer": { + "type": "Role", + "principalId": "AROATIK2E7SUFL6GB4G44", + "arn": "arn:aws:iam::224064240808:role/pdet-eks-irsa-prod-aws-lb-controller", + "accountId": "224064240808", + "userName": "pdet-eks-irsa-prod-aws-lb-controller" + }, + "webIdFederationData": { + "federatedProvider": "arn:aws:iam::224064240808:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/0499F131BE8B24AAE70BF8AD8EB16D3A", + "attributes": {} + }, + "attributes": { + "creationDate": "2026-06-26T09:54:24Z", + "mfaAuthenticated": "false" + } + } + }, + "eventTime": "2026-06-26T09:54:25Z", + "eventSource": "elasticloadbalancing.amazonaws.com", + "eventName": "DescribeLoadBalancers", + "awsRegion": "us-west-2", + "sourceIPAddress": "44.241.82.204", + "userAgent": "aws-sdk-go-v2/1.36.3 ua/2.1 os/linux lang/go#1.24.5 md/GOOS#linux md/GOARCH#amd64 api/elasticloadbalancingv2#1.45.0 elbv2.k8s.aws/v2.13.4 m/C,E", + "requestParameters": { + "loadBalancerArns": [ + "arn:aws:elasticloadbalancing:us-west-2:224064240808:loadbalancer/net/k8s-gloosyst-gatewayp-9e3a2f18b7/262e2df5d81d69e3" + ] + }, + "responseElements": null, + "requestID": "b231b530-2877-467d-9a0b-eb9b0fed0f39", + "eventID": "7800ac19-806e-434e-b2b0-aec11ad7d312", + "readOnly": true, + "eventType": "AwsApiCall", + "apiVersion": "2015-12-01", + "managementEvent": true, + "recipientAccountId": "224064240808", + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "elasticloadbalancing.us-west-2.amazonaws.com" + } +} +``` +
### Sample queries 
@@ -22,33 +85,95 @@ The AWS Network Load Balancer app uses AWS Network Load Balancer metrics. account=* region=* LoadBalancer=* Namespace=aws/NetworkELB metric=ActiveFlowCount Statistic=Sum | sum by account, region, namespace, LoadBalancer ``` -## Collecting logs and metrics for the AWS Network Load Balancer +```sql title="Successful Events Details" +account=* region=* "\"eventsource\":\"elasticloadbalancing.amazonaws.com\"" "2015-12-01" +| json "userIdentity", "eventSource", "eventName", "awsRegion", "sourceIPAddress", "userAgent", "eventType", "recipientAccountId", "requestParameters", "responseElements", "requestID", "errorCode", "errorMessage", "apiVersion" as userIdentity, event_source, event_name, region, src_ip, user_agent, event_type, recipient_account_id, requestParameters, responseElements, request_id, error_code, error_message, api_version nodrop +| where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01" +| where namespace matches "aws/networkelb" or isEmpty(namespace) +| json field=userIdentity "accountId", "type", "arn", "userName" as accountid, type, arn, username nodrop +| parse field=arn ":assumed-role/*" as user nodrop +| parse field=arn "arn:aws:iam::*:*" as accountid, user nodrop +| json field=requestParameters "name" as networkloadbalancer nodrop +| if (isBlank(accountid), recipient_account_id, accountid) as accountid +| where (tolowercase(networkloadbalancer) matches tolowercase("*")) or isBlank(networkloadbalancer) +| if (isEmpty(error_code), "Success", "Failure") as event_status +| where event_status= "Success" +| if (isEmpty(username), user, username) as user +| count as event_count by event_name +| sort by event_count, event_name asc +``` + +## Collecting logs and metrics for AWS Network Load Balancer + +### Configure Hosted Collector When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. 
Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). -### Collect metrics +### Collect AWS Network Load Balancer CloudWatch metrics -1. Sumo Logic supports collecting metrics using two source types: - * Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (recommended); or - * Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”.Metadata - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. +Sumo Logic supports collecting metrics using one of the following source types: -### Collect Cloudtrail logs +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -1. 
Configure a Network Load Balancing (NLB) [Cloudtrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). -1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value. - 1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - 1. Keep in mind: - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. + :::note + Namespace for **AWS Network Load Balancer** service is **AWS/NetworkELB**. + ::: -:::note -Namespace for AWS Network Load Balancer Service is AWS/NetworkELB. -::: +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. 
+ * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +### Collect AWS Network Load Balancer CloudTrail logs + +#### Prerequisites + +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +1. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). +1. Confirm that logs are being delivered to the Amazon S3 bucket. + + :::note + Namespace for **AWS Network Load Balancer** service is **AWS/NetworkELB**. + ::: + +Follow the steps below to collect logs for AWS Network Load Balancer (NLB): +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. 
+ +### Centralized AWS CloudTrail log collection + +In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map a proper AWS account(s) friendly name / alias. Create it if not already present / update it as required. + +```sql +Rule Name: AWS Accounts +Applied at: Ingest Time +Scope (Specific Data): _sourceCategory=aws/observability/cloudtrail/logs +``` + +#### Parse Expression + +Enter a parse expression to create an `account` field that maps to the alias you set for each sub account. For example, if you used the `dev` alias for an AWS account with ID `528560886094` and the `prod` alias for an AWS account with ID `567680881046`, your parse expression would look like: + +```sumo +| json "recipientAccountId" +// Manually map your aws account id with the AWS account alias you setup earlier for individual child account +| "" as account +| if (recipientAccountId = "528560886094", "dev", account) as account +| if (recipientAccountId = "567680881046", "prod", account) as account +| fields account +``` ## Installing the AWS Network Load Balancer app @@ -58,7 +183,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. 
@@ -66,11 +193,11 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for AWS Network Load Balancer Service is AWS/NetworkELB. - `networkloadbalancer` Network Load Balancer name. -## Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityNLBCloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `networkloadbalancer` will be created as a part of app installation. -## Metric rule(s) +#### Metric rule(s) The Metric Rule **AwsObservabilityNLBMetricsRule** for the AWS/NetworkELB namespace will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/rds.md b/docs/integrations/amazon-aws/rds.md index 5c00cc82f6..7a0ff30426 100644 --- a/docs/integrations/amazon-aws/rds.md +++ b/docs/integrations/amazon-aws/rds.md 
@@ -26,21 +26,22 @@ To further enhance performance and availability, Amazon RDS Proxy is a fully man The Sumo Logic Amazon RDS Proxy dashboards provide visibility into the performance of Amazon RDS Proxy, helping improve application scalability, availability, and security. They track key metrics, including connection pooling, client connections, authentication outcomes, TLS usage, and query patterns, to optimize connection management and reduce database load. -## Log and metrics types +## Log and metric types -The Amazon RDS app uses the following logs and metrics: -* [RDS CloudWatch Instance Level Metrics](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-metrics.html#rds-cw-metrics-instance), [RDS CloudWatch Aurora Metrics](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.AuroraMySQL.Monitoring.Metrics.html), [Amazon CloudWatch metrics for Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.Cloudwatch.html) and [Amazon RDS Proxy metrics](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.monitoring.html). -* [Amazon RDS operations using AWS CloudTrail](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/logging-using-cloudtrail.html). +The Sumo Logic app for Amazon RDS uses the following logs and metrics: +* [Amazon RDS CloudTrail Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/logging-using-cloudtrail.html). * [Publishing RDS CloudWatch Logs, RDS Database logs for Aurora MySQL, RDS MySQL, MariaDB](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.MySQLDB.PublishtoCloudWatchLogs.html). 
* [Publishing RDS CloudWatch logs, RDS Database logs for Aurora PostgreSQL, RDS PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html#USER_LogAccess.Concepts.PostgreSQL.PublishtoCloudWatchLogs) * [Publishing RDS CloudWatch logs, RDS Database logs for RDS MSSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.SQLServer.html#USER_LogAccess.SQLServer.PublishtoCloudWatchLogs) * [Publishing RDS CloudWatch logs, RDS Database logs for RDS Oracle](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.Oracle.html#USER_LogAccess.Oracle.PublishtoCloudWatchLogs) +* [RDS CloudWatch Instance Level Metrics](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-metrics.html#rds-cw-metrics-instance), [RDS CloudWatch Aurora Metrics](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.AuroraMySQL.Monitoring.Metrics.html), [Amazon CloudWatch metrics for Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.Cloudwatch.html) and [Amazon RDS Proxy metrics](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.monitoring.html). + ### Sample CloudTrail log message
-Click to expand +Sample CloudTrail Log Message -```json title="CloudTrail" +```json { "eventVersion":"1.05", "userIdentity": @@ -128,9 +129,9 @@ The Amazon RDS app uses the following logs and metrics: ### Sample Database CloudWatch logs
-Click to expand +Recent Warning Events (Error Logs - MySQL) -```json title="Recent Warning Events (Error Logs - MySQL)" +```json { "timestamp":1682606169000, "message":"2023-04-27 14:36:09 14487 [Warning] Access denied for user 'dev'@'1.2.3.4' (using password: YES)", 
@@ -332,97 +333,129 @@ account=* region=* namespace=aws/rds proxyname=* _sourceHost=/aws/rds/proxy/* "D | fields time, proxyname, dbidentifier, db_host, db_port, db_version ``` -## Collecting logs and metrics for the Amazon RDS app +## Collecting logs and metrics for Amazon RDS + +### Configure Hosted Collector + +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). + +### Collect Amazon RDS CloudWatch metrics + +Sumo Logic supports collecting metrics using one of the following source types: -Sumo Logic supports collecting metrics using two source types: -* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (Recommended); or +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) * Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -* Namespace for **Amazon RDS** Service is **AWS/RDS**. - * ​​​**Metadata**. Add an **account** field to the source and assign it a value that is a friendly name/alias to your AWS account from which you are collecting metrics. Metrics can be queried via the “account field”. + + :::note + Namespace for **Amazon RDS** service is **AWS/RDS**. + ::: + +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. 
This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. ### Collect Amazon RDS CloudTrail logs -1. Add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source.md) to your Hosted Collector. - * **Name**. Enter a name to display the new Source. - * **Description**. Enter an optional description. - * **S3 Region**. Select the Amazon Region for your **Amazon RDS** S3 bucket. - * **Bucket Name**. Enter the exact name of your **Amazon RDS** S3 bucket. - * **Path Expression**. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. (DO NOT use a leading forward slash. See [Amazon Path Expressions](/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions)). The S3 bucket name is not part of the path. Don’t include the bucket name when you are setting the Path Expression - * **Source Category**. Enter `aws/observability/cloudtrail/logs`. - * **Fields**. Add an **account** field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”. - * **Access Key ID and Secret Access Key**. Enter your Amazon [Access Key ID and Secret Access Key](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html). 
Learn how to use Role-based access to AWS [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources) - * **Log File Discovery** > **Scan Interval**. Use the default of 5 minutes. Alternately, enter the frequency. Sumo Logic will scan your S3 bucket for new data. Learn how to configure **Log File Discovery** [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources). - * **Enable Timestamp Parsing**. Select the **Extract timestamp information from log file entries** check box. - * **Time Zone**. Select **Ignore time zone from the log file and instead use**, and select **UTC** from the dropdown. - * **Timestamp Format.** Select **Automatically detect the format**. - * **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. -2. Click **Save**. +#### Prerequisites + +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +1. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). +1. Confirm that logs are being delivered to the Amazon S3 bucket. + + :::note + Namespace for **Amazon RDS** service is **AWS/RDS**. + ::: + +Follow the steps below to collect logs for Amazon RDS: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.Metadata + 1. 
After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. ### Collect Amazon RDS CloudWatch logs -Make sure you enable the following parameters before collecting the Amazon RDS CloudWatch Logs. - -#### MySQL -- Amazon RDS [MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.MySQL.html#USER_LogAccess.MySQLDB.PublishtoCloudWatchLogs) supports [publishing the following MySQL logs to CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.MySQLDB.PublishtoCloudWatchLogs.html): - - Error (enabled by default) - - SlowQuery - - Audit - - General -- You can enable the following additional parameters at [DB Parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithDBInstanceParamGroups.html) for better slow query and general log monitoring: - - `log_slow_admin_statements` - - `log_slow_slave_statements` - - `log_replica_updates` - - `log_queries_not_using_indexes` - - `log_output to FILE` - - `general_log` (to enable, set value to `1`) -- You can configure [DB Cluster Parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) to enable audit logs: - - `server_audit_logging` - - `server_audit_logs_upload` - - `server_audit_events` - -#### PostgreSQL - -- Amazon RDS [PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html) supports [publishing the following PostgreSQL logs to 
CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html#USER_LogAccess.Concepts.PostgreSQL.PublishtoCloudWatchLogs): - - postgresql.log -- You can enable the following additional parameters at [DB parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithDBInstanceParamGroups.html) or [DB Cluster Parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) for slow query, connection, and query execution timing related logs. - - `log_connections` - - `log_duration` - - `log_min_duration_statement` to a value (in milliseconds) over which statements will be logged for any query taking more time than the given value. -:::note -We recommend not setting `log_statement` to any value other than none (default value), since it will slow query logs and ingestion will increase significantly. -::: - -#### MSSQL - -- Amazon RDS [MSSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.SQLServer.html) supports [publishing the following MSSQL logs to CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.SQLServer.html#USER_LogAccess.SQLServer.PublishtoCloudWatchLogs): - - Agent - - Error - -#### Oracle - -- Amazon RDS [Oracle](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.Oracle.html) supports [publishing the following Oracle logs to CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.Oracle.html#USER_LogAccess.Oracle.PublishtoCloudWatchLogs): - - Alert logs - - Audit files - - Listener logs - -#### Proxy -- Amazon RDS [Proxy](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html) supports [publishing the following Proxy logs to CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-creating.html): - - Enhanced logs - :::note - The log group for an AWS RDS Proxy is 
created automatically. You do not need to create it manually. When you create an RDS Proxy, AWS automatically creates a CloudWatch Log Group to store logs related to the proxy’s activity. - ::: - -Sumo Logic supports several methods for collecting logs from Amazon CloudWatch. You can choose either of them to collect logs: - -- **AWS Kinesis Firehose for Logs**. Configure an [AWS Kinesis Firehose for Logs](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source/#create-an-aws-kinesis-firehose-for-logssource) (Recommended); or -- **Lambda Log Forwarder**. Configure a collection of Amazon CloudWatch Logs using our AWS Lambda function using a Sumo Logic provided CloudFormation template, as described in [Amazon CloudWatch Logs](/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/) or configure collection without using CloudFormation, see [Collect Amazon CloudWatch Logs using a Lambda Function](/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-lambda-function/).
- -- While configuring the CloudWatch log source, the following fields can be added in the source: - - Add an **account** field and assign it a value which is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried via the **account** field. - - Add a **region** field and assign it the value of the respective AWS region where the RDS exists. - - Add an **accountId** field and assign it the value of the respective AWS account ID that is being used. - - Fields +#### Prerequisites + +Esure you enable the following parameters before collecting the Amazon RDS CloudWatch Logs. + +* **MySQL** + + - Amazon RDS [MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.MySQL.html#USER_LogAccess.MySQLDB.PublishtoCloudWatchLogs) supports [publishing the following MySQL logs to CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.MySQLDB.PublishtoCloudWatchLogs.html): + - Error (enabled by default) + - SlowQuery + - Audit + - General + - You can enable the following additional parameters at [DB Parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithDBInstanceParamGroups.html) for better slow query and general log monitoring: + - `log_slow_admin_statements` + - `log_slow_slave_statements` + - `log_replica_updates` + - `log_queries_not_using_indexes` + - `log_output to FILE` + - `general_log` (to enable, set value to `1`) + - You can configure [DB Cluster Parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) to enable audit logs: + - `server_audit_logging` + - `server_audit_logs_upload` + - `server_audit_events` + +* **PostgreSQL** + + - Amazon RDS [PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html) supports [publishing the following PostgreSQL logs to 
CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html#USER_LogAccess.Concepts.PostgreSQL.PublishtoCloudWatchLogs): + - postgresql.log + - You can enable the following additional parameters at [DB parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithDBInstanceParamGroups.html) or [DB Cluster Parameter group](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) for slow query, connection, and query execution timing related logs. + - `log_connections` + - `log_duration` + - `log_min_duration_statement` to a value (in milliseconds) over which statements will be logged for any query taking more time than the given value. + :::note + We recommend not setting `log_statement` to any value other than none (default value), since it will slow query logs and ingestion will increase significantly. + ::: + +* **MSSQL** + + - Amazon RDS [MSSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.SQLServer.html) supports [publishing the following MSSQL logs to CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.SQLServer.html#USER_LogAccess.SQLServer.PublishtoCloudWatchLogs): + - Agent + - Error + +* **Oracle** + + - Amazon RDS [Oracle](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.Oracle.html) supports [publishing the following Oracle logs to CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.Oracle.html#USER_LogAccess.Oracle.PublishtoCloudWatchLogs): + - Alert logs + - Audit files + - Listener logs + +* **Proxy** + + - Amazon RDS [Proxy](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html) supports [publishing the following Proxy logs to CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-creating.html): + - Enhanced logs + :::note + The log group for an AWS 
RDS Proxy is created automatically. You do not need to create it manually. When you create an RDS Proxy, AWS automatically creates a CloudWatch Log Group to store logs related to the proxy’s activity. + ::: + +Sumo Logic supports collecting logs from Amazon CloudWatch using one of the following methods: +- **AWS Kinesis Firehose for Logs**. Configure an [AWS Kinesis Firehose for Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source/#create-an-aws-kinesis-firehose-for-logssource) (**Recommended**) +- **Lambda Log Forwarder**. There are two ways to set up the Lambda Log Forwarder: + - **With CloudFormation**. Configure the collection of Amazon CloudWatch logs using Sumo Logic-provided CloudFormation template, as described in [Amazon CloudWatch Logs](/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/). + - **Without CloudFormation**. Configure the collection of Amazon CloudWatch Logs using a Lambda function, as described in [Collect Amazon CloudWatch Logs using a Lambda Function](/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-lambda-function/). + +Follow the steps below to add custom fields when configuring the CloudWatch log source: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.
Fields +1. Add a `region` field and assign it the value of the respective AWS region where the Lambda function exists. +1. Add an `accountId` field and assign it the value of the respective AWS account ID being used. +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. ### Centralized AWS CloudTrail log collection @@ -434,7 +467,7 @@ Applied at: Ingest Time Scope (Specific Data): _sourceCategory=aws/observability/cloudtrail/logs ``` -**Parse Expression**: +#### Parse Expression Enter a parse expression to create an “account” field that maps to the alias you set for each sub-account. For example, if you used the `“dev”` alias for an AWS account with ID `"528560886094"` and the `“prod”` alias for an AWS account with ID `"567680881046"`, your parse expression would look like: @@ -455,7 +488,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. 
@@ -466,13 +501,13 @@ As part of the app installation process, the following fields will be created by - `dBClusterIdentifier` The identifier of the RDS DB cluster. - `proxyname` The name of the RDS Proxy. -### Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilityRDSCloudTrailLogsFER** to extract fields `region`, `namespace`, `dBInstanceIdentifier`, `dBClusterIdentifier`, `dbidentifier`, `proxyname`, and `accountid` will be created as a part of app installation. The FER **AwsObservabilityRDSCloudWatchLogsFER** to extract fields `namespace`, `dbidentifier`, and `proxyname` will be created as a part of app installation. -### Metric Rules +#### Metric Rules The Metric Rules **AwsObservabilityRDSClusterMetricsRule** and **AwsObservabilityRDSInstanceMetricsRule** for the aws/rds namespace will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/sns.md b/docs/integrations/amazon-aws/sns.md index 8fd9316290..b970737057 100644 --- a/docs/integrations/amazon-aws/sns.md +++ b/docs/integrations/amazon-aws/sns.md 
@@ -12,39 +12,43 @@ Amazon Simple Notification Service (SNS) is a pub/sub messaging and mobile notif The Sumo Logic app for Amazon SNS collects CloudTrail logs and CloudWatch metrics provides a unified logs and metrics app that provides insights into the operations and utilization of your SNS service. The preconfigured dashboards help you monitor the key metrics by application, platform, region, and topic name, view the SNS events for activities, and help you plan the capacity of your SNS service. -## Log and Metrics types +## Log and metric types -The Sumo Logic app for Amazon SNS uses: -* SNS CloudWatch Metrics. For details, see [here](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/sns-metricscollected.html). -* SNS operations using AWS CloudTrail. For details, see [here](https://docs.aws.amazon.com/sns/latest/dg/logging-using-cloudtrail.html). +The Sumo Logic app for Amazon SNS uses the following logs and metrics: +* [Amazon SNS CloudTrail Logs](https://docs.aws.amazon.com/sns/latest/dg/logging-using-cloudtrail.html). +* [Amazon SNS CloudWatch Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/sns-metricscollected.html). ### Sample log messages -``` -{ -eventVersion:"1.08", -userIdentity: -{...}, -eventTime:"2022-07-14T23:06:43Z", -eventSource:"sns.amazonaws.com", -eventName:"ListTagsForResource", -awsRegion:"us-east-1", -sourceIPAddress:"config.amazonaws.com", -userAgent:"config.amazonaws.com", -requestParameters: +
+Sample CloudTrail Log Message + +```json { -resourceArn:"arn:aws:sns:us-east-1:956882708938:testnull-SumoCWEmailSNSTopic-1NV3GQ8XZ4DFY" -}, -responseElements:null, -requestID:"d8eee5b8-a894-5db4-994c-bef20b57fc0b", -eventID:"2156cf7f-f18d-47f4-b7ba-7b8a6907390a", -readOnly:true, -eventType:"AwsApiCall", -managementEvent:true, -recipientAccountId:"956882708938", -eventCategory:"Management" + eventVersion:"1.08", + userIdentity: + {...}, + eventTime:"2022-07-14T23:06:43Z", + eventSource:"sns.amazonaws.com", + eventName:"ListTagsForResource", + awsRegion:"us-east-1", + sourceIPAddress:"config.amazonaws.com", + userAgent:"config.amazonaws.com", + requestParameters: + { + resourceArn:"arn:aws:sns:us-east-1:956882708938:testnull-SumoCWEmailSNSTopic-1NV3GQ8XZ4DFY" + }, + responseElements:null, + requestID:"d8eee5b8-a894-5db4-994c-bef20b57fc0b", + eventID:"2156cf7f-f18d-47f4-b7ba-7b8a6907390a", + readOnly:true, + eventType:"AwsApiCall", + managementEvent:true, + recipientAccountId:"956882708938", + eventCategory:"Management" } ``` +
### Sample queries @@ -73,43 +77,65 @@ account={{account}} region={{region}} namespace={{namespace}} "\"eventsource\":\ account={{account}} region={{region}} namespace={{namespace}} TopicName={{topicname}} metric=NumberOfMessagesPublished Statistic=Sum | sum ``` -## Collecting logs and metrics for the Amazon SNS app - -### Collecting Metrics for Amazon SNS - -1. Configure a [Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector). -2. Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) or [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (Recommended). -3. Namespaces. Select **aws/sns**. -4. **Metadata**. Add an **account** field to the source and assign it a value that is a friendly name/alias to your AWS account from which you are collecting metrics. The **account** field allows you to query metrics.
Metadata -5. Click **Save**. - -### Collecting Amazon SNS Events using CloudTrail - -1. Add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source.md) to your Hosted Collector. - * **Name**. Enter a name to display for the new Source. - * **Description**. Enter an optional description. - * **S3 Region**. Select the Amazon Region for your SNS S3 bucket. - * **Bucket Name**. Enter the exact name of your SNS S3 bucket. - * **Path Expression**. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. - * DO NOT use a [leading forward slash](/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions). - * The S3 bucket name is not part of the path. Don’t include the bucket name when you are setting the Path Expression. - * **Source Category**. Enter a source category. For example, enter `aws/observability/CloudTrail/logs`. - * **Fields**. Add an account field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried using the **account** field.
Fields - * **Access Key ID and Secret Access Key**. Enter your Amazon [Access Key ID and Secret Access Key](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html). Learn how to use Role-based access to AWS [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources). - * **Log File Discovery -> Scan Interval**. Use the default of 5 minutes. Alternately, enter the frequency. Sumo Logic will scan your S3 bucket for new data. Learn how to configure Log File Discovery [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources). - * **Enable Timestamp Parsing**. Select the **Extract timestamp information from log file entries** check box. - * **Time Zone**. Select **Ignore time zone from the log file and instead use**, and select **UTC** from the dropdown. - * **Timestamp Format.** Select **Automatically detect the format**. - * **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. -2. Click **Save**. - -## Centralized AWS CloudTrail Log Collection +## Collecting logs and metrics for Amazon SNS + +### Configure Hosted Collector + +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). + +### Collect Amazon SNS CloudWatch metrics + +Sumo Logic supports collecting metrics using one of the following source types: + +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) + + :::note + Namespace for **Amazon SNS** service is **AWS/SNS**. 
+ ::: + +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +### Collect Amazon SNS CloudTrail logs + +#### Prerequisites + +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +1. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). +1. Confirm that logs are being delivered to the Amazon S3 bucket. + + :::note + Namespace for **Amazon SNS** service is **AWS/SNS**. + ::: + +Follow the steps below to collect logs for Amazon SNS: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. 
This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.Metadata + 1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +## Centralized AWS CloudTrail log collection In case, you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following **Field Extraction Rule** to map a proper AWS account(s) friendly name/alias. Create it if not already present or update it as required. * **Rule Name**: AWS Accounts * **Applied at**: Ingest Time * **Scope (Specific Data)**: `_sourceCategory=aws/observability/cloudtrail/logs` -* **Parse Expression**: Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “dev” alias for an AWS account with ID "528560886094" and the “prod” alias for an AWS account with ID "567680881046", your parse expression would look like: + +### Parse Expression + +Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “dev” alias for an AWS account with ID "528560886094" and the “prod” alias for an AWS account with ID "567680881046", your parse expression would look like: ```sumo | json "recipientAccountId" 
@@ -128,7 +154,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. @@ -136,7 +164,7 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for Amazon SNS service is aws/sns. - `topicname` Amazon SNS a Topic Name. -## Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilitySNSCloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `topicname` will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/sqs.md b/docs/integrations/amazon-aws/sqs.md index 4329e8b045..439094a372 100644 --- a/docs/integrations/amazon-aws/sqs.md +++ b/docs/integrations/amazon-aws/sqs.md 
@@ -10,15 +10,17 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications. The Sumo Logic app for Amazon SQS is a unified logs and metrics (ULM) app that provides operational insights into your Amazon SQS utilization. The preconfigured dashboards help you monitor the key metrics, view the SQS events for queue activities, and help you plan the capacity of your SQS service utilization. -## Log and Metrics types - -The app uses SQS logs and metrics for: -* SQS CloudWatch Metrics. For details, [see here](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-monitoring-using-cloudwatch.html). -* SQS operations using AWS CloudTrail. For details, [see here](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-logging-using-cloudtrail.html). +## Log and metric types +The Sumo Logic app for Amazon SNS uses the following logs and metrics: +* [Amazon SQS CloudTrail Logs](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-logging-using-cloudtrail.html). +* [Amazon SQS CloudWatch Metrics](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-monitoring-using-cloudwatch.html). ### Sample log messages +
+Sample CloudTrail Log Message + ```json { "eventVersion":"1.08", @@ -63,6 +65,7 @@ The app uses SQS logs and metrics for: "sessionCredentialFromConsole":"true" } ``` +
### Sample queries 
@@ -90,50 +93,66 @@ account=* region=* namespace=aws/sqs eventname eventsource "sqs.amazonaws.com" | top 10 username by event_count, username asc ``` -## Collecting logs and metrics for the Amazon SQS app +## Collecting logs and metrics for Amazon SQS + +### Configure Hosted Collector + +When you create an AWS Source, you'll need to identify the Hosted Collector you want to use or create a new Hosted Collector. Once you create an AWS Source, associate it with a Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector). + +### Collect Amazon SQS CloudWatch metrics -### Collect Metrics for AmazonSQS +Sumo Logic supports collecting metrics using one of the following source types: -Sumo Logic supports collecting metrics using two source types: +* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (**recommended**) +* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics) -1. Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source). (recommended) Or -2. Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics). + :::note + Namespace for **Amazon SNS** service is **AWS/SQS**. + ::: - :::note - Namespace for **Amazon SQS** Service is **AWS/SQS** - ::: +Follow the steps below to add custom metadata [fields](/docs/manage/fields) with your metrics: +1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. +1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which metrics are collected. 
This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and metrics can be queried using the `account` field.Metadata +1. After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. -**Metadata**: Add an account field to the source and assign it a value which is a friendly name / alias to your AWS account from which you are collecting metrics. Metrics can be queried via the “account” field.
Metadata +### Collect Amazon SQS CloudTrail logs -### Collect Amazon SQS Events using CloudTrail +#### Prerequisites -1. To your Hosted Collector, add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source). - * **Name**. Enter a name to display for the new Source. - * **Description**. Enter an optional description. - * **S3 Region**. Select the Amazon Region for your SQS S3 bucket. - * **Bucket Name**. Enter the exact name of your SQS S3 bucket. - * **Path Expression**. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. (DO NOT use a leading forward slash. See [Amazon Path Expressions](/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions). - :::note - The S3 bucket name is not part of the path. Don’t include the bucket name when you are setting the Path Expression. - ::: - * **Source Category**. Enter aws/observability/CloudTrail/logs. - * **Fields**. Add an account field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”.
Account Fields - * **Access Key ID and Secret Access Key**. Enter your Amazon [Access Key ID and Secret Access Key](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html). - * **Log File Interval > Scan Interval**. Use the default of 5 minutes. Alternately, enter the frequency Sumo Logic will scan your S3 bucket for new data. - * **Enable Timestamp Parsing**. Select the **Extract timestamp information from log file entries** check box. - * **Time Zone**. Select **Ignore time zone from the log file and instead use**, and select **UTC** from the dropdown. - * **Timestamp Format.** Select **Automatically detect the format**. - * **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. -2. Click **Save**. +1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. +1. [Create a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). +1. Confirm that logs are being delivered to the Amazon S3 bucket. -## Centralized AWS CloudTrail Log Collection + :::note + Namespace for **Amazon SQS** service is **AWS/SQS**. + ::: + +Follow the steps below to collect logs for Amazon SQS: +1. Configure a [CloudTrail Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/). +1. Add custom metadata [fields](/docs/manage/fields) with your logs: + 1. Click **+Add Field** under **Metadata**. Each field consists of a name (key) and a corresponding value. + 1. Create a field named `account` and assign it a value that represents a friendly name or alias to your AWS account from which logs are collected. This value will appear in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability), and logs can be queried using the `account` field.Metadata + 1. 
After adding fields, check their status indicators: + * Green check circle A green check mark indicates the field exists and is enabled in the Fields table schema. + * Orange exclamation point An orange exclamation icon indicates the field does not exist or is disabled in the schema. + * You will have the option to automatically add or enable the field. + * If a field is sent but not present or enabled in the schema, it is ignored and marked as **Dropped**. + +## Centralized AWS CloudTrail log collection In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following **Field Extraction Rule** to map a proper AWS account(s) friendly name/alias. Create it if not already present/update it as required. * **Rule Name**: AWS Accounts * **Applied at**: Ingest Time * **Scope (Specific Data)**: _sourceCategory=aws/observability/cloudtrail/logs -* **Parse Expression**: Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “dev” alias for an AWS account with ID "528560886094" and the “prod” alias for an AWS account with ID "567680881046", your parse expression would look like: + +### Parse Expression + +Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “dev” alias for an AWS account with ID "528560886094" and the “prod” alias for an AWS account with ID "567680881046", your parse expression would look like: ```sumo | json "recipientAccountId" 
@@ -152,7 +171,9 @@ import AppInstall from '../../reuse/apps/app-install-v2.md'; -As part of the app installation process, the following fields will be created by default: +As part of the app installation process, the following **content** will be created by default along with dashboards and monitor template: + +#### Fields - `account` Name / alias to the AWS account. - `accountid` AWS account id. @@ -160,7 +181,7 @@ As part of the app installation process, the following fields will be created by - `namespace` Namespace for Amazon SQS Service is AWS/SQS. - `queuename` Amazon SQS Service Queue Name. -## Field Extraction Rule(s) +#### Field Extraction Rule(s) The FER **AwsObservabilitySQSCloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `queuename` will be created as a part of app installation. diff --git a/docs/integrations/amazon-aws/threat-intel.md b/docs/integrations/amazon-aws/threat-intel.md index 3154c7a07d..0a65ed4a9b 100644 --- a/docs/integrations/amazon-aws/threat-intel.md +++ b/docs/integrations/amazon-aws/threat-intel.md 
@@ -24,7 +24,7 @@ The Sumo Logic Threat Intel lookup database is only available with Sumo Logic En If you are not already collecting your AWS logs, follow the instructions below to collect data from one or more of these data sources: * [Collect AWS CloudTrail Logs](/docs/integrations/amazon-aws/cloudtrail#collecting-logs-for-the-aws-cloudtrail-app) -* [Collect AWS ELB Logs](/docs/integrations/amazon-aws/classic-load-balancer#collecting-logs-and-metrics-for-the-aws-classic-load-balancer) +* [Collect AWS ELB Logs](/docs/integrations/amazon-aws/classic-load-balancer#collecting-logs-and-metrics-for-aws-classic-load-balancer) VPC Flow Logs can be published to Amazon CloudWatch Logs and Amazon S3. Each method has advantages. Using an Amazon S3 source is more reliable, while using a CloudFormation template allows you to customize your logs by adding more information and filtering unwanted data. You can use either of the following methods to collect Amazon VPC Flow Logs: * [Using an Amazon S3 source](/docs/integrations/amazon-aws/vpc-flow-logs#collecting-amazon-vpc-flow-logs-using-an-amazon-s3-source) diff --git a/docs/observability/aws/deploy-use-aws-observability/before-you-deploy.md b/docs/observability/aws/deploy-use-aws-observability/before-you-deploy.md index 15f4566e4a..658e4922a0 100644 --- a/docs/observability/aws/deploy-use-aws-observability/before-you-deploy.md +++ b/docs/observability/aws/deploy-use-aws-observability/before-you-deploy.md 
@@ -42,7 +42,7 @@ If you are already collecting AWS metrics, logs, and/or events, we recommend tha * Set up the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) and configure the AWS CLI as described in the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) if you would like to use an AWS profile for Terraform script based deployment. * For AWS services exporting to CloudWatch Logs, make sure logs are exported to log groups: * RDS - Enable publishing of logs to CloudWatch by following instructions in [Collect Amazon RDS CloudTrail logs](/docs/integrations/amazon-aws/rds/#collect-amazon-rds-cloudwatch-logs). - * API Gateway - Enable Access Logs for each respective API by following instructions in Step 3 of [Collect access logs for AWS API Gateway](/docs/integrations/amazon-aws/api-gateway/#collect-access-logs-for-aws-api-gateway). Make sure you have the following prefix `/aws/apigateway//` while creating the log group. + * API Gateway - Enable Access Logs for each respective API by following instructions in Step 3 of [Collect access logs for AWS API Gateway](/docs/integrations/amazon-aws/api-gateway/#collect-aws-api-gateway-access-logs). Make sure you have the following prefix `/aws/apigateway//` while creating the log group. * AWS Lambda - If you are exporting logs to your custom log group, make sure you have the following prefix `/aws/lambda/` while creating the log group. * The AWS Solution does not enable detailed or enhanced metrics collection by default. * ECS - Enable enhanced metrics for respective cluster. Refer to [AWS documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS-cluster.html). diff --git a/docs/observability/aws/integrations/aws-api-gateway.md b/docs/observability/aws/integrations/aws-api-gateway.md index c6b6ad5cb4..a7e78d94f0 100644 --- a/docs/observability/aws/integrations/aws-api-gateway.md 
+++ b/docs/observability/aws/integrations/aws-api-gateway.md @@ -10,6 +10,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; [Amazon API Gateway](https://aws.amazon.com/api-gateway/) service allows you to create RESTful APIs, HTTP APIs, and WebSocket APIs for real-time two-way communication applications in containerized and serverless environments, as well as web applications. The Sumo Logic AWS API Gateway app provides insights into API Gateway tasks while accepting and processing concurrent API calls throughout your infrastructure, including traffic management, CORS support, authorization and access control, throttling, monitoring, and API version management. + ## Log and metrics types  The AWS API Gateway app uses the following logs and metrics: @@ -195,7 +196,7 @@ Use these dashboards to: ### Access Logs Access logs contains information about who has accessed your API and how the caller accessed the API. -To populate the dashboards, you must explicitly [enable access logs](/docs/integrations/amazon-aws/api-gateway/#collect-access-logs-for-aws-api-gateway). +To populate the dashboards, you must explicitly [enable access logs](/docs/integrations/amazon-aws/api-gateway/#collect-aws-api-gateway-access-logs). #### AWS API Gateway - Access Logs - Overview diff --git a/docs/reuse/apps/app-install-v2.md b/docs/reuse/apps/app-install-v2.md index f79d28345e..55b981e068 100644 --- a/docs/reuse/apps/app-install-v2.md +++ b/docs/reuse/apps/app-install-v2.md 
@@ -13,7 +13,7 @@ Next-Gen App: To install or update the app, you must be an account administrator 1. **Field Name**. If you already have collectors and sources set up, select the configured metadata field name (eg _sourcecategory) or specify other custom metadata (eg: _collector) along with its metadata **Field Value**. 1. Click **Next**. You will be redirected to the **Preview & Done** section. -**Post-installation** +### Post-installation Once your app is installed, it will appear in your **Installed Apps** folder, and dashboard panels will start to fill automatically.
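Review bot: in the rds.md hunk that adds the CloudWatch log-source metadata steps, the `account` step says "from which metrics are collected" although this procedure configures a log source; change it to "from which logs are collected" (the CloudTrail procedures in sns.md and sqs.md use that wording). In the same list, the `region` step is worded only for the Lambda Log Forwarder ("where the Lambda function exists"), but the section also offers the AWS Kinesis Firehose for Logs path, which has no Lambda; say "the AWS region the logs are collected from" or mark the step as applying to the Lambda option.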
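Review bot: "along with dashboards and monitor template" in the rds.md hunk at @@ -455 (and the identical sentence in the sns.md @@ -128 and sqs.md @@ -152 hunks) is missing an article; use "along with dashboards and a monitor template" or "monitor templates". Since the sentence now introduces the "#### Fields", "#### Field Extraction Rule(s)" and "#### Metric Rules" subsections, it would also help to list those three items so the reader knows what "content" covers.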
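Review bot: the sample log in the sns.md @@ -12 hunk is now fenced as ```json, but the body is not valid JSON: keys are unquoted (`eventVersion:"1.08"`) and `userIdentity` is elided as `{...}`. Either quote the keys as the sqs.md sample does (`"eventVersion":"1.08"`) and replace `{...}` with a quoted placeholder, or keep the fence untagged so the highlighter does not render it as broken. The sample also carries a real-looking 12-digit account ID in `recipientAccountId` and the topic ARN; AWS's documented placeholder `123456789012` would avoid publishing a live account number.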
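Review bot: the rewritten CloudTrail procedure in the sns.md @@ -73 hunk drops the "Source Category. Enter a source category. For example, enter `aws/observability/CloudTrail/logs`" step, but the unchanged "Centralized AWS CloudTrail log collection" section below still scopes its FER to `_sourceCategory=aws/observability/cloudtrail/logs`; readers are no longer told to set that source category, so the rule will not match their data. Add the source-category step back to the procedure or state the expected value under Prerequisites. In the same hunk, "using the `account` field.Metadata" runs the screenshot text into the sentence twice; put the image on its own line after the sentence.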
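Review bot: copy-paste error in the sqs.md @@ -10 hunk: the new intro line reads "The Sumo Logic app for Amazon SNS uses the following logs and metrics:" on the SQS page; change it to "Amazon SQS".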
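Review bot: the metrics note in the sqs.md @@ -90 hunk changes the correct "Namespace for **Amazon SQS** Service is **AWS/SQS**" to "Namespace for **Amazon SNS** service is **AWS/SQS**", introducing the wrong service name; restore "Amazon SQS" (the second note under the CloudTrail prerequisites in the same hunk has it right). The hunk also has the same gap as sns.md: the removed "Source Category. Enter aws/observability/CloudTrail/logs" step is what the unchanged FER scope `_sourceCategory=aws/observability/cloudtrail/logs` depends on, so re-add it, and "`account` field.Metadata" is run together in both the metrics and the logs steps.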
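Review bot: the classic-load-balancer anchor fix in the threat-intel.md hunk matches the renamed heading, but the unchanged CloudTrail link on the line above still targets `#collecting-logs-for-the-aws-cloudtrail-app`; this PR renames the "## Collecting logs and metrics for the Amazon ... app" headings to drop "the ... app" (see the sns.md and sqs.md hunks), so verify the cloudtrail.md heading and update that anchor in the same change if it was renamed, otherwise the link silently lands at the top of the page.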
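Review bot: the api-gateway anchor update in the before-you-deploy.md hunk keeps "following instructions in Step 3 of"; the API Gateway collection procedure is restructured in this PR, so confirm that step 3 is still the access-log step or drop the step number. On the adjacent unchanged RDS bullet, the link text "Collect Amazon RDS CloudTrail logs" points to `#collect-amazon-rds-cloudwatch-logs`; the text should read "CloudWatch logs", since that is the section that enables log publishing.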
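Review bot: the aws-api-gateway.md hunk at @@ -10 only adds a blank line before "## Log and metrics types", while api-gateway.md in this same PR renames that heading to "## Log and metric types"; rename it here too so the two pages use the same wording, and update any links to the old `#log-and-metrics-types` anchor together with it.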
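Review bot: promoting "**Post-installation**" to "### Post-installation" in the shared reuse snippet app-install-v2.md changes the heading outline of every page that does `import AppInstall from '../../reuse/apps/app-install-v2.md'`; the rds.md, sns.md and sqs.md hunks here add "#### Fields" and "#### Field Extraction Rule(s)" right after that import, so check that an h3 followed by h4s nests correctly under the section where the snippet is placed in each host page and that the Docusaurus right-hand TOC does not pick up a stray entry. Also confirm no host page already has its own "Post-installation" heading, or the generated ids will collide.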