Menu
Amazon Elastic Compute Cloud
User Guide for Windows Instances

Preliminary Tasks for Configuring Integration with CloudWatch

Complete the following preliminary tasks to configure integration with CloudWatch. These tasks apply to all methods for configuring instances to send logs, events, and performance counters to CloudWatch.

Task 1: Configure the JSON File for CloudWatch

You determine which logs, events, and performance counters are sent to CloudWatch by specifying your choices in a configuration file. The process of creating this file and specifying your choices can take 30 minutes or more to complete. After you have completed this task once, you can reuse the configuration file on all of your instances.

To create a JSON configuration file for CloudWatch

  1. Download the following sample file to your local machine.

    AWS.EC2.Windows.CloudWatch.json.

  2. Specify your logging options in the file by using Steps 1, 2, and 3 in the following sections.

Step 1: Configure Credentials, Region, and NameSpace

In this section, you specify the credentials, region, and metric namespace for CloudWatch. By specifying this information in the file, you enable the instance to communicate with CloudWatch for sending performance counter data. If you don't want to send performance counter data, you can skip to the next procedure. You will specify similar information for sending log data to CloudWatch Logs in the next section. If you want to send the same performance counter data to different locations, you can add additional sections with unique IDs (for example, "CloudWatch2", CloudWatch3", etc.). If you do this, you must specify a different region for each new ID.

Important

If you specify credentials in a configuration file, there is a chance those credentials could be exposed in log files, including debug log files.

  1. In the JSON file, locate the CloudWatch section.

    Copy
    { "Id": "CloudWatch", "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "AccessKey": "", "SecretKey": "", "Region": "us-west-1", "NameSpace": "Windows/Default" } },
  2. In the AccessKey parameter, enter your access key ID.

    Note

    AccessKey and SecretKey are required for the local configuration file method of sending data to CloudWatch. These are not required if you plan to use Systems Manager Run Command or State Manager. For Systems Manager, you configure credentials in the IAM role attached to the instance. You will configure that role later in this section. However, if you want to send performance counter data to CloudWatch, you must specify the other items described in this procedure.

  3. In the SecretKey parameter, enter your secret access key.

  4. In the Region parameter, enter the region where you want to send log data. You can specify us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-southeast-1, ap-southeast-2, or ap-northeast-1. Although you can send performance counters to a different region from where you send your log data, we recommend that you set this parameter to the same region where your instance is running.

  5. In the NameSpace parameter, enter the metric namespace where you want performance counter data to be written in CloudWatch.

To set the credentials, region, log group, and log stream for CloudWatch Logs

In this section, you specify the credentials, region, log group name, and log stream namespace. By specifying this information in the file, you enable the instance to communicate with CloudWatch Logs for sending log data. If you want to send the same log data to different locations, you can add additional sections with unique IDs (for example, "CloudWatchLogs2", CloudWatchLogs3", etc.). If you do this, you must specify a different region for each new ID.

Important

If you specify credentials in a configuration file, there is a chance those credentials could be exposed in log files, including debug log files.

  1. In the JSON file, locate the CloudWatchLogs section.

    Copy
    { "Id": "CloudWatchLogs", "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Parameters": { "AccessKey": "", "SecretKey": "", "Region": "us-east-1", "LogGroup": "Default-Log-Group", "LogStream": "{instance_id}" } },
  2. In the AccessKey parameter, enter your access key ID.

    Note

    AccessKey and SecretKey are required for the local configuration file method of sending data to CloudWatch. These are not required if you plan to use Systems Manager Run Command or State Manager. For Systems Manager, you configure credentials in the IAM role attached to the instance. You will configure that role later in this section. However, if you want to send log data to CloudWatch, you must specify the other items described in this procedure.

  3. In the SecretKey parameter, enter your secret access key.

  4. In the Region parameter, enter the region where you want EC2Config to send log data. You can specify us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-southeast-1, ap-southeast-2, or ap-northeast-1.

  5. In the LogGroup parameter, enter the name for your log group. This is the same name that will be displayed on the Log Groups screen in the CloudWatch console.

  6. In the LogStream parameter, enter the destination log stream. If you use {instance_id}, the default, EC2Config uses the instance ID of this instance as the log stream name.

    If you enter a log stream name that doesn't already exist, CloudWatch Logs automatically creates it for you. You can use a literal string or predefined variables ({instance_id}, {hostname}, {ip_address}, or a combination of all three to define a log stream name.

    The log stream name specified in this parameter appears on the Log Groups > Streams for <YourLogStream> screen in the CloudWatch console.

Step 2: Configure the Data to Send

To configure the performance counters to send to CloudWatch

You can select any performance counters that are available in Performance Monitor. You can select different categories to upload to CloudWatch as metrics, such as .NET CLR Data, ASP.NET Applications, HTTP Service, Memory, or Process and Processors.

For each performance counter that you want to upload to CloudWatch, copy the PerformanceCounter section and change the Id parameter to make it unique (e.g., "PerformanceCounter2") and update the other parameters as necessary.

  1. In the JSON file, locate the PerformanceCounter section.

    Copy
    { "Id": "PerformanceCounter", "FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "CategoryName": "Memory", "CounterName": "Available MBytes", "InstanceName": "", "MetricName": "AvailableMemory", "Unit": "Megabytes", "DimensionName": "", "DimensionValue": "" } },
  2. In the CategoryName parameter, enter the performance counter category.

    1. To find the available categories and counters, open Performance Monitor.

    2. Click Monitoring Tools, and then click Performance Monitor.

    3. In the results pane, click the green + (plus) button.

      The categories and counters are listed in the Add Counters dialog box.

  3. In the CounterName parameter, enter the name of the performance counter.

  4. In the InstanceName parameter, enter valutes from the Add Counters dialog box in Performance Monitor, which can be one of the following:

    • Blank, if the selected object has no instances.

    • A single instance of the selected object.

    • _Total to use the aggregate of all instances.

    Note

    Do not use an asterisk (*) to indicate all instances because each performance counter component only supports one metric.

  5. In the MetricName parameter, enter the CloudWatch metric that you want performance data to appear under.

  6. In the Unit parameter, enter the appropriate unit of measure for the metric:

    Seconds | Microseconds | Milliseconds | Bytes | Kilobytes | Megabytes | Gigabytes | Terabytes | Bits | Kilobits | Megabits | Gigabits | Terabits | Percent | Count | Bytes/Second | Kilobytes/Second | Megabytes/Second | Gigabytes/Second | Terabytes/Second | Bits/Second | Kilobits/Second | Megabits/Second | Gigabits/Second | Terabits/Second | Count/Second | None.

  7. (optional) You can enter a dimension name and value in the DimensionName and DimensionValue parameters to specify a dimension for your metric. These parameters provide another view when listing metrics. You can also use the same dimension for multiple metrics so that you can view all metrics belonging to a specific dimension.

To send Windows application event log data to CloudWatch Logs

  1. In the JSON file, locate the ApplicationEventLog section.

    Copy
    { "Id": "ApplicationEventLog", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "Application", "Levels": "1" } },
  2. In the Levels parameter, enter one of the following values:

    1 - Only error messages uploaded.

    2 - Only warning messages uploaded.

    4 - Only information messages uploaded.

    You can add values together to include more than one type of message. For example, 3 means that error messages (1) and warning messages (2) get uploaded. A value of 7 means that error messages (1), warning messages (2), and information messages (4) get uploaded.

To send security log data to CloudWatch Logs

  1. In the JSON file, locate the SecurityEventLog section.

    Copy
    { "Id": "SecurityEventLog", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "Security", "Levels": "7" } },
  2. In the Levels parameter, enter 7, so that all messages are uploaded.

To send system event log data to CloudWatch Logs

  1. In the JSON file, locate the SystemEventLog section.

    Copy
    { "Id": "SystemEventLog", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "System", "Levels": "7" } },
  2. In the Levels parameter, enter one of the following values:

    1 - Only error messages uploaded.

    2 - Only warning messages uploaded.

    4 - Only information messages uploaded.

    You can add values together to include more than one type of message. For example, 3 means that error messages (1) and warning messages (2) get uploaded. A value of 7 means that error messages (1), warning messages (2), and information messages (4) get uploaded.

To send other types of event log data to CloudWatch Logs

In addition to the application, system, and security logs, you can upload other types of event logs.

  1. In the JSON file, add a new section.

    Copy
    { "Id": "", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "", "Levels": "7" } },
  2. In the Id parameter, enter a name for the log you want to upload (e.g., WindowsBackup).

  3. In the LogName parameter, enter the name of the log you want to upload.

    1. To find the name of the log, in Event Viewer, in the navigation pane, click Applications and Services Logs.

    2. In the list of logs, right-click the log you want to upload (e.g., Microsoft>Windows>Backup>Operational), and then click Create Custom View.

    3. In the Create Custom View dialog box, click the XML tab. The LogName is in the <Select Path=> tag (e.g., Microsoft-Windows-Backup). Copy this text into the LogName parameter in the AWS.EC2.Windows.CloudWatch.json file.

  4. In the Levels parameter, enter one of the following values:

    1 - Only error messages uploaded.

    2 - Only warning messages uploaded.

    4 - Only information messages uploaded.

    You can add values together to include more than one type of message. For example, 3 means that error messages (1) and warning messages (2) get uploaded. A value of 7 means that error messages (1), warning messages (2), and information messages (4) get uploaded.

To send Event Tracing (Windows) data to CloudWatch Logs

ETW (Event Tracing for Windows) provides an efficient and detailed logging mechanism that applications can write logs to. Each ETW is controlled by a session manager that can start and stop the logging session. Each session has a provider and one or more consumers.

  1. In the JSON file, locate the ETW section.

    Copy
    { "Id": "ETW", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "Microsoft-Windows-WinINet/Analytic", "Levels": "7" } },
  2. In the LogName parameter, enter the name of the log you want to upload.

    1. To find the name of the log, in Event Viewer, on the View menu, click Show Analytic and Debug Logs.

    2. In the navigation pane, click Applications and Services Logs.

    3. In the list of ETW logs, right-click the log you want to upload, and then click Enable Log.

    4. Right-click the log again, and click Create Custom View.

    5. In the Create Custom View dialog box, click the XML tab. The LogName is in the <Select Path=> tag (e.g., Microsoft-Windows-WinINet/Analytic). Copy this text into the LogName parameter in the AWS.EC2.Windows.CloudWatch.json file.

  3. In the Levels parameter, enter one of the following values:

    1 - Only error messages uploaded.

    2 - Only warning messages uploaded.

    4 - Only information messages uploaded.

    You can add values together to include more than one type of message. For example, 3 means that error messages (1) and warning messages (2) get uploaded. A value of 7 means that error messages (1), warning messages (2), and information messages (4) get uploaded.

To send custom logs (any text-based log file) to CloudWatch Logs

  1. In the JSON file, locate the CustomLogs section.

    Copy
    { "Id": "CustomLogs", "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogDirectoryPath": "C:\\CustomLogs\\", "TimestampFormat": "MM/dd/yyyy HH:mm:ss", "Encoding": "UTF-8", "Filter": "", "CultureName": "en-US", "TimeZoneKind": "Local", "LineCount": "5" } },
  2. In the LogDirectoryPath parameter, enter the path where logs are stored on your instance.

  3. In the TimestampFormat parameter, enter the timestamp format you want to use. For a list of supported values, see the Custom Date and Time Format Strings topic on MSDN.

    Important

    Your source log file must have the timestamp at the beginning of each log line and there must be a space following the timestamp.

  4. In the Encoding parameter, enter the file encoding to use (e.g., UTF-8). For a list of supported values, see the Encoding Class topic on MSDN.

    Note

    Use the encoding name, not the display name, as the value for this parameter.

  5. (optional) In the Filter parameter, enter the prefix of log names. Leave this parameter blank to monitor all files. For a list of supported values, see the FileSystemWatcherFilter Property topic on MSDN.

  6. (optional) In the CultureName parameter, enter the locale where the timestamp is logged. If CultureName is blank, it defaults to the same locale currently used by your Windows instance. For a list of supported values, see the National Language Support (NLS) API Reference topic on MSDN.

    Note

    The div, div-MV, hu, and hu-HU values are not supported.

  7. (optional) In the TimeZoneKind parameter, enter Local or UTC. You can set this to provide time zone information when no time zone information is included in your log’s timestamp. If this parameter is left blank and if your timestamp doesn’t include time zone information, CloudWatch Logs defaults to the local time zone. This parameter is ignored if your timestamp already contains time zone information.

  8. (optional) In the LineCount parameter, enter the number of lines in the header to identify the log file. For example, IIS log files have virtually identical headers. You could enter 5, which would read the first three lines of the log file's header to identify it. In IIS log files, the third line is the date and time stamp, but the time stamp is not always guaranteed to be different between log files. For this reason, we recommend including at least one line of actual log data for uniquely fingerprinting the log file.

To send IIS log data to CloudWatch Logs

  1. In the JSON file, locate the IISLog section.

    Copy
    { "Id": "IISLogs", "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1", "TimestampFormat": "yyyy-MM-dd HH:mm:ss", "Encoding": "UTF-8", "Filter": "", "CultureName": "en-US", "TimeZoneKind": "UTC", "LineCount": "5" } },
  2. In the LogDirectoryPath parameter, enter the folder where IIS logs are stored for an individual site (e.g., C:\\inetpub\\logs\\LogFiles\\W3SVCn).

    Note

    Only W3C log format is supported. IIS, NCSA, and Custom formats are not supported.

  3. In the TimestampFormat parameter, enter the timestamp format you want to use. For a list of supported values, see the Custom Date and Time Format Strings topic on MSDN.

  4. In the Encoding parameter, enter the file encoding to use (e.g., UTF-8). For a list of supported values, see the Encoding Class topic on MSDN.

    Note

    Use the encoding name, not the display name, as the value for this parameter.

  5. (optional) In the Filter parameter, enter the prefix of log names. Leave this parameter blank to monitor all files. For a list of supported values, see the FileSystemWatcherFilter Property topic on MSDN.

  6. (optional) In the CultureName parameter, enter the locale where the timestamp is logged. If CultureName is blank, it defaults to the same locale currently used by your Windows instance. For a list of supported values, see the National Language Support (NLS) API Reference topic on MSDN.

    Note

    The div, div-MV, hu, and hu-HU values are not supported.

  7. (optional) In the TimeZoneKind parameter, enter Local or UTC. You can set this to provide time zone information when no time zone information is included in your log's timestamp. If this parameter is left blank and if your timestamp doesn’t include time zone information, CloudWatch Logs defaults to the local time zone. This parameter is ignored if your timestamp already contains time zone information.

  8. (optional) In the LineCount parameter, enter the number of lines in the header to identify the log file. For example, IIS log files have virtually identical headers. You could enter 5, which would read the first five lines of the log file's header to identify it. In IIS log files, the third line is the date and time stamp, but the time stamp is not always guaranteed to be different between log files. For this reason, we recommend including at least one line of actual log data for uniquely fingerprinting the log file.

Step 3: Configure Flow Control

In order to send data to CloudWatch, each data type must have a corresponding destination listed in the Flows section. For example, to send a performance counter defined in the "Id": "PerformanceCounter" section of the JSON file to the CloudWatch destination defined in the "Id": "CloudWatch" section of the JSON file, you would enter "PerformanceCounter,CloudWatch" in the Flows section. Similarly, to send the custom log, ETW log, and system log to CloudWatch Logs, you would enter "(CustomLogs, ETW,SystemEventLog),CloudWatchLogs". In addition, you can send the same performance counter or log file to more than one destination. For example, to send the application log to two different destinations that you defined in the "Id": "CloudWatchLogs" section of the JSON file, you would enter "ApplicationEventLog,(CloudWatchLogs, CloudWatchLogs2)" in the Flows section.

Note

Any invalid step in a flow can block the flow. For example, If you have a disk metric step configured, but your instance does not have a disk, all steps in the flow will be blocked.

  1. In the JSON file, locate the Flows section.

    Copy
    "Flows": { "Flows": [ "PerformanceCounter,CloudWatch", "(PerformanceCounter,PerformanceCounter2), CloudWatch2", "(CustomLogs, ETW, SystemEventLog),CloudWatchLogs", "CustomLogs, CloudWatchLogs2", "ApplicationEventLog,(CloudWatchLogs, CloudWatchLogs2)" ] }
  2. In the Flows parameter, enter each data type that you want to upload (e.g., ApplicationEventLog) and destination where you want to send it (e.g., CloudWatchLogs).

Task 2: Create an IAM User and Role for Systems Manager

If you plan to use the local configuration file method with local credentials, then you can skip to Task 4. If you plan to use an IAM role for instance credentials, then you must create an IAM role that enables Systems Manager to perform actions on the instance. This is required for Systems Manager Run Command and State Manager. The procedure is optional for the local configuration method. Optionally, you can create a unique IAM user account for configuring and running Systems Manager. For information about how to create the IAM role for Systems Manager and the optional IAM user account, see Configuring Access to Systems Manager. For information about how to attach an IAM role to an existing instance, see Attaching an IAM Role to an Instance. After you complete the task of configuring an IAM role, continue with Task 3 in the next section.

Task 3: Verify Systems Manager Prerequisites

If you plan to use the local configuration file method, then you can skip to Task 4. If you plan to use either Systems Manager Run Command or State Manager to configure integration with CloudWatch, then you must verify that your instances meet the minimum requirements. For more information, see Systems Manager Prerequisites.

Task 4: Verify Internet Access

Your Amazon EC2 Windows Server instances and managed instances must have outbound internet access in order to send log and event data to CloudWatch. For more information about how to configure internet access, see Internet Gateways in the Amazon VPC User Guide.

Next Step

After you complete the preliminary tasks for configuring integration with CloudWatch, you can perform the procedure required to complete the integration. For more information, see Configure Instances for CloudWatch.