Quick Start: Enable your Amazon EC2 instances running Windows Server 2012 and Windows Server 2008 to send logs to CloudWatch Logs
Tip
CloudWatch includes a new unified agent that can collect both logs and metrics from EC2 instances and on-premises servers. We recommend that you use the newer unified CloudWatch agent. For more information, see Getting started with CloudWatch Logs.
The rest of this section explains the use of the older CloudWatch Logs agent.
Enable your Amazon EC2 instances running Windows Server 2012 and Windows Server 2008 to send logs to CloudWatch Logs
Use the following steps to enable your instances running Windows Server 2012 and Windows Server 2008 to send logs to CloudWatch Logs.
Download the sample configuration file
Download the following sample JSON file to your computer: AWS.EC2.Windows.CloudWatch.json
Configure the JSON file for CloudWatch
You determine which logs to send to CloudWatch by specifying your choices in the JSON configuration file. The process of creating this file and specifying your choices can take 30 minutes or more to complete. After you have completed this task once, you can reuse the configuration file on all of your instances.
Steps
Step 1: Enable CloudWatch Logs
At the top of the JSON file, change "false" to "true" for IsEnabled
:
"IsEnabled": true,
Step 2: Configure settings for CloudWatch
Specify credentials, Region, a log group name, and a log stream namespace. This enables the instance to send log data to CloudWatch Logs. To send the same log data to different locations, you can add additional sections with unique IDs (for example, "CloudWatchLogs2" and CloudWatchLogs3") and a different Region for each ID.
To configure settings to send log data to CloudWatch Logs
-
In the JSON file, locate the
CloudWatchLogs
section.{ "Id": "CloudWatchLogs", "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Parameters": { "AccessKey": "", "SecretKey": "", "Region": "us-east-1", "LogGroup": "Default-Log-Group", "LogStream": "{instance_id}" } },
-
Leave the
AccessKey
andSecretKey
field blank. You configure credentials using an IAM role. -
For
Region
, type the Region to which to send log data (for example,us-east-2
). -
For
LogGroup
, type the name for your log group. This name appears on the Log Groups screen in the CloudWatch console. -
For
LogStream
, type the destination log stream. This name appears on the Log Groups > Streams screen in the CloudWatch console.If you use
{instance_id}
, the default, the log stream name is the instance ID of this instance.If you specify a log stream name that doesn't already exist, CloudWatch Logs automatically creates it for you. You can define a log stream name using a literal string, the predefined variables
{instance_id}
,{hostname}
, and{ip_address}
, or a combination of these.
Step 3: Configure the data to send
You can send event log data, Event Tracing for Windows (ETW) data, and other log data to CloudWatch Logs.
To send Windows application event log data to CloudWatch Logs
-
In the JSON file, locate the
ApplicationEventLog
section.{ "Id": "ApplicationEventLog", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "Application", "Levels": "1" } },
-
For
Levels
, specify the type of messages to upload. You can specify one of the following values:-
1
- Upload only error messages. -
2
- Upload only warning messages. -
4
- Upload only information messages.
You can combine values to include more than one type of message. For example, a value of
3
uploads error messages (1
) and warning messages (2
). A value of7
uploads error messages (1
), warning messages (2
), and information messages (4
). -
To send security log data to CloudWatch Logs
-
In the JSON file, locate the
SecurityEventLog
section.{ "Id": "SecurityEventLog", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "Security", "Levels": "7" } },
-
For
Levels
, type7
to upload all messages.
To send system event log data to CloudWatch Logs
-
In the JSON file, locate the
SystemEventLog
section.{ "Id": "SystemEventLog", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "System", "Levels": "7" } },
-
For
Levels
, specify the type of messages to upload. You can specify one of the following values:-
1
- Upload only error messages. -
2
- Upload only warning messages. -
4
- Upload only information messages.
You can combine values to include more than one type of message. For example, a value of
3
uploads error messages (1
) and warning messages (2
). A value of7
uploads error messages (1
), warning messages (2
), and information messages (4
). -
To send other types of event log data to CloudWatch Logs
-
In the JSON file, add a new section. Each section must have a unique
Id
.{ "Id": "
Id-name
", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "Log-name
", "Levels": "7" } }, -
For
Id
, type a name for the log to upload (for example,WindowsBackup
). -
For
LogName
, type the name of the log to upload. You can find the name of the log as follows.-
Open Event Viewer.
-
In the navigation pane, choose Applications and Services Logs.
-
Navigate to the log, and then choose Actions, Properties.
-
-
For
Levels
, specify the type of messages to upload. You can specify one of the following values:-
1
- Upload only error messages. -
2
- Upload only warning messages. -
4
- Upload only information messages.
You can combine values to include more than one type of message. For example, a value of
3
uploads error messages (1
) and warning messages (2
). A value of7
uploads error messages (1
), warning messages (2
), and information messages (4
). -
To send Event Tracing for Windows data to CloudWatch Logs
ETW (Event Tracing for Windows) provides an efficient and detailed logging mechanism that applications can write logs to. Each ETW is controlled by a session manager that can start and stop the logging session. Each session has a provider and one or more consumers.
-
In the JSON file, locate the
ETW
section.{ "Id": "ETW", "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogName": "Microsoft-Windows-WinINet/Analytic", "Levels": "7" } },
-
For
LogName
, type the name of the log to upload. -
For
Levels
, specify the type of messages to upload. You can specify one of the following values:-
1
- Upload only error messages. -
2
- Upload only warning messages. -
4
- Upload only information messages.
You can combine values to include more than one type of message. For example, a value of
3
uploads error messages (1
) and warning messages (2
). A value of7
uploads error messages (1
), warning messages (2
), and information messages (4
). -
To send custom logs (any text-based log file) to CloudWatch Logs
-
In the JSON file, locate the
CustomLogs
section.{ "Id": "CustomLogs", "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogDirectoryPath": "C:\\CustomLogs\\", "TimestampFormat": "MM/dd/yyyy HH:mm:ss", "Encoding": "UTF-8", "Filter": "", "CultureName": "en-US", "TimeZoneKind": "Local", "LineCount": "5" } },
-
For
LogDirectoryPath
, type the path where logs are stored on your instance. -
For
TimestampFormat
, type the time stamp format to use. For more information about supported values, see the Custom Date and Time Format Stringstopic on MSDN. Important
Your source log file must have the time stamp at the beginning of each log line and there must be a space following the time stamp.
-
For
Encoding
, type the file encoding to use (for example, UTF-8). For more information about supported values, see the Encoding Classtopic on MSDN. Note
Use the encoding name, not the display name.
-
(Optional) For
Filter
, type the prefix of log names. Leave this parameter blank to monitor all files. For more information about supported values, see the FileSystemWatcherFilter Propertytopic on MSDN. -
(Optional) For
CultureName
, type the locale where the time stamp is logged. IfCultureName
is blank, it defaults to the same locale currently used by your Windows instance. For more information about supported values, see theLanguage tag
column in the table in the Product Behaviortopic on MSDN. Note
The
div
,div-MV
,hu
, andhu-HU
values are not supported. -
(Optional) For
TimeZoneKind
, typeLocal
orUTC
. You can set this to provide time zone information when no time zone information is included in your log's time stamp. If this parameter is left blank and if your time stamp doesn't include time zone information, CloudWatch Logs defaults to the local time zone. This parameter is ignored if your time stamp already contains time zone information. -
(Optional) For
LineCount
, type the number of lines in the header to identify the log file. For example, IIS log files have virtually identical headers. You could enter5
, which would read the first three lines of the log file header to identify it. In IIS log files, the third line is the date and time stamp, but the time stamp is not always guaranteed to be different between log files. For this reason, we recommend including at least one line of actual log data to uniquely fingerprint the log file.
To send IIS log data to CloudWatch Logs
-
In the JSON file, locate the
IISLog
section.{ "Id": "IISLogs", "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Parameters": { "LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1", "TimestampFormat": "yyyy-MM-dd HH:mm:ss", "Encoding": "UTF-8", "Filter": "", "CultureName": "en-US", "TimeZoneKind": "UTC", "LineCount": "5" } },
-
For
LogDirectoryPath
, type the folder where IIS logs are stored for an individual site (for example,C:\inetpub\logs\LogFiles\W3SVC
).n
Note
Only W3C log format is supported. IIS, NCSA, and Custom formats are not supported.
-
For
TimestampFormat
, type the time stamp format to use. For more information about supported values, see the Custom Date and Time Format Stringstopic on MSDN. -
For
Encoding
, type the file encoding to use (for example, UTF-8). For more information about supported values, see the Encoding Classtopic on MSDN. Note
Use the encoding name, not the display name.
-
(Optional) For
Filter
, type the prefix of log names. Leave this parameter blank to monitor all files. For more information about supported values, see the FileSystemWatcherFilter Propertytopic on MSDN. -
(Optional) For
CultureName
, type the locale where the time stamp is logged. IfCultureName
is blank, it defaults to the same locale currently used by your Windows instance. For more information about supported values, see theLanguage tag
column in the table in the Product Behaviortopic on MSDN. Note
The
div
,div-MV
,hu
, andhu-HU
values are not supported. -
(Optional) For
TimeZoneKind
, enterLocal
orUTC
. You can set this to provide time zone information when no time zone information is included in your log's time stamp. If this parameter is left blank and if your time stamp doesn't include time zone information, CloudWatch Logs defaults to the local time zone. This parameter is ignored if your time stamp already contains time zone information. -
(Optional) For
LineCount
, type the number of lines in the header to identify the log file. For example, IIS log files have virtually identical headers. You could enter5
, which would read the first five lines of the log file's header to identify it. In IIS log files, the third line is the date and time stamp, but the time stamp is not always guaranteed to be different between log files. For this reason, we recommend including at least one line of actual log data for uniquely fingerprinting the log file.
Step 4: Configure flow control
Each data type must have a corresponding destination in the Flows
section.
For example, to send the custom log, ETW log, and system log to CloudWatch Logs, add
(CustomLogs,ETW,SystemEventLog),CloudWatchLogs
to the Flows
section.
Warning
Adding a step that is not valid blocks the flow. For example, if you add a disk metric step, but your instance doesn't have a disk, all steps in the flow are blocked.
You can send the same log file to more than one destination. For example, to
send the application log to two different destinations that you defined in
the CloudWatchLogs
section, add
ApplicationEventLog,(CloudWatchLogs,CloudWatchLogs2)
to the
Flows
section.
To configure flow control
-
In the
AWS.EC2.Windows.CloudWatch.json
file, locate theFlows
section."Flows": { "Flows": [ "PerformanceCounter,CloudWatch", "(PerformanceCounter,PerformanceCounter2), CloudWatch2", "(CustomLogs, ETW, SystemEventLog),CloudWatchLogs", "CustomLogs, CloudWatchLogs2", "ApplicationEventLog,(CloudWatchLogs, CloudWatchLogs2)" ] }
-
For
Flows
, add each data type that is to be uploaded (for example,ApplicationEventLog
) and its destination (for example,CloudWatchLogs
).
You are now finished editing the JSON file. You use it in a later step.
Start the agent
To enable an Amazon EC2 instance running Windows Server 2012 or Windows Server 2008 to send logs to
CloudWatch Logs, use the EC2Config service (EC2Config.exe)
. Your instance
should have EC2Config 4.0 or later, and you can use this procedure. For more
information about using an earlier version of EC2Config, see Use
EC2Config 3.x or Earlier to Configure CloudWatch in the
Amazon EC2 User Guide
To configure CloudWatch using EC2Config 4.x
-
Check the encoding of the
AWS.EC2.Windows.CloudWatch.json
file that you edited earlier in this procedure. Only UTF-8 without BOM encoding is supported. Then save the file in the following folder on your Windows Server 2008 - 2012 R2 instance:C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\
. -
Start or restart the SSM agent (
AmazonSSMAgent.exe
) using the Windows Services control panel or using the following PowerShell command:PS C:\>
Restart-Service AmazonSSMAgent
After the SSM agent restarts, it detects the configuration file and configures the
instance for CloudWatch integration. If you change parameters and settings in the
local configuration file, you need to restart the SSM agent to pick up the
changes. To disable CloudWatch integration on the instance, change
IsEnabled
to false
and save your changes in the
configuration file.