Configuring ActiveMQ logs - Amazon MQ

Configuring ActiveMQ logs

To allow Amazon MQ to publish logs to CloudWatch Logs, you must add a permission to your Amazon MQ user and also configure a resource-based policy for Amazon MQ before you create or restart the broker.

The following describes the steps to configure CloudWatch Logs for your ActiveMQ brokers.

Understanding the structure of logging in CloudWatch Logs

You can enable general and audit logging when you configure advanced broker settings when you create a broker, or when you edit a broker.

General logging enables the default INFO logging level (DEBUG logging isn't supported) and publishes activemq.log to a log group in your CloudWatch account. The log group has a format similar to the following:

/aws/amazonmq/broker/b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9/general

Audit logging enables logging of management actions taken using JMX or using the ActiveMQ Web Console and publishes audit.log to a log group in your CloudWatch account. The log group has a format similar to the following:

/aws/amazonmq/broker/b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9/audit

Depending on whether you have a single-instance broker or an active/standby broker, Amazon MQ creates either one or two log streams within each log group. The log streams have a format similar to the following.

activemq-b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9-1.log
activemq-b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9-2.log

The -1 and -2 suffixes denote individual broker instances. For more information, see Working with Log Groups and Log Streams in the Amazon CloudWatch Logs User Guide.

Add the CreateLogGroup Permission to Your Amazon MQ User

To allow Amazon MQ to create a CloudWatch Logs log group, you must ensure that the IAM user who creates or reboots the broker has the logs:CreateLogGroup permission.

Important

If you don't add the CreateLogGroup permission to your Amazon MQ user before the user creates or reboots the broker, Amazon MQ doesn't create the log group.

The following example IAM-based policy grants permission for logs:CreateLogGroup for users to whom this policy is attached.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
        }
    ]
}

Note

Here, the term user refers to IAM Users and not Amazon MQ users, which are created when a new broker is configured. For more information regarding setting up IAM users and configuring IAM policies, please refer to the Identity Management Overview section of the IAM User Guide.

For more information, see CreateLogGroup in the Amazon CloudWatch Logs API Reference.

Configure a resource-based policy for Amazon MQ

Important

If you don't configure a resource-based policy for Amazon MQ, the broker can't publish the logs to CloudWatch Logs.

To allow Amazon MQ to publish logs to your CloudWatch Logs log group, configure a resource-based policy to give Amazon MQ access to the following CloudWatch Logs API actions:

  • CreateLogStream – Creates a CloudWatch Logs log stream for the specified log group.

  • PutLogEvents – Delivers events to the specified CloudWatch Logs log stream.

The following resource-based policy grants permission for logs:CreateLogStream and logs:PutLogEvents to the Amazon MQ service principal (mq.amazonaws.com), scoped to log groups under the /aws/amazonmq/ prefix.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "mq.amazonaws.com"
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
        }
    ]
}

This resource-based policy must be configured by using the AWS CLI, as shown in the following command. In the example, replace us-east-1 with your own AWS Region.

aws --region us-east-1 logs put-resource-policy --policy-name AmazonMQ-logs \
    --policy-document "{\"Version\": \"2012-10-17\", \"Statement\":[{ \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"mq.amazonaws.com\" }, \"Action\": [\"logs:CreateLogStream\", \"logs:PutLogEvents\"], \"Resource\": \"arn:aws:logs:*:*:log-group:\/aws\/amazonmq\/*\" }]}"

Note

Because this example uses the /aws/amazonmq/ prefix, you need to configure the resource-based policy only once per AWS account, per region.
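The two policies above are easy to get subtly wrong (a missing action, a Principal that is not the mq.amazonaws.com service, a Resource pattern that does not cover the broker's log group), and each mistake maps to one of the symptoms in the troubleshooting section below. The following Python is an added example, not code from the AWS documentation: it checks a policy document of the shape shown on this page against the permissions the page requires, honouring IAM's string-or-list fields, Action and Resource wildcards, and explicit Deny. The account id, broker id and the weak sample policy are constructed for illustration; you could feed it the output of aws logs describe-resource-policies instead.

```python
"""Check the IAM user policy and the CloudWatch Logs resource policy Amazon MQ needs.

Added example (not AWS documentation code). Required permissions come from this page:
logs:CreateLogGroup for the IAM user that creates or reboots the broker, and
logs:CreateLogStream + logs:PutLogEvents granted to mq.amazonaws.com by the resource policy.
"""
import fnmatch
import json

MQ_SERVICE_PRINCIPAL = "mq.amazonaws.com"
USER_REQUIRED = {"logs:CreateLogGroup"}
RESOURCE_REQUIRED = {"logs:CreateLogStream", "logs:PutLogEvents"}

# Log group the broker will write to; account id and broker id are constructed placeholders.
GENERAL_LOG_GROUP = ("arn:aws:logs:us-east-1:123456789012:log-group:"
                     "/aws/amazonmq/broker/b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9/general")


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, service_principal):
    """Identity-based policies carry no Principal; a resource policy must name the service."""
    if service_principal is None:
        return True
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return service_principal in _as_list(principal.get("Service"))
    return False


def _statement_covers(stmt, action, resource_arn, service_principal):
    """True if the statement's Principal, Action and Resource patterns all cover the request."""
    if not _principal_matches(stmt, service_principal):
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]   # IAM actions are case-insensitive
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    return any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource")))


def missing_actions(policy_document, required, resource_arn, service_principal=None):
    """Return the subset of `required` that the policy does not allow on resource_arn.

    An explicit Deny overrides Allow, as in IAM evaluation.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = _as_list(policy.get("Statement"))
    missing = set()
    for action in required:
        allowed = denied = False
        for stmt in statements:
            if _statement_covers(stmt, action, resource_arn, service_principal):
                if stmt.get("Effect") == "Allow":
                    allowed = True
                elif stmt.get("Effect") == "Deny":
                    denied = True
        if denied or not allowed:
            missing.add(action)
    return missing


def diagnose(user_policy, resource_policy, log_group_arn):
    """Map missing permissions to the two symptoms listed under Troubleshooting."""
    findings = []
    if missing_actions(user_policy, USER_REQUIRED, log_group_arn):
        findings.append("IAM user lacks logs:CreateLogGroup: the log group will not be created")
    gaps = missing_actions(resource_policy, RESOURCE_REQUIRED, log_group_arn, MQ_SERVICE_PRINCIPAL)
    if gaps:
        findings.append("resource policy does not grant %s to %s: log streams will not appear"
                        % (", ".join(sorted(gaps)), MQ_SERVICE_PRINCIPAL))
    return findings


# Constructed samples: the page's two policies, plus a resource policy that omits PutLogEvents.
_MQ_LOG_GROUPS = "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
USER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": _MQ_LOG_GROUPS}]})
RESOURCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": MQ_SERVICE_PRINCIPAL},
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": _MQ_LOG_GROUPS}]})
WEAK_RESOURCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": MQ_SERVICE_PRINCIPAL},
     "Action": "logs:CreateLogStream", "Resource": _MQ_LOG_GROUPS}]})

if __name__ == "__main__":
    for name, policy in (("page policy", RESOURCE_POLICY), ("weak policy", WEAK_RESOURCE_POLICY)):
        print(name, diagnose(USER_POLICY, policy, GENERAL_LOG_GROUP) or ["ok"])
```

Run it with a real resource policy by pasting the policyDocument string from aws logs describe-resource-policies into diagnose(); the Resource check uses the broker's actual log group ARN, so an over-narrow pattern that does not match /aws/amazonmq/broker/<id>/general is reported the same way as a missing action.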

Troubleshooting CloudWatch Logs Configuration

In some cases, CloudWatch Logs might not behave as expected. This section gives an overview of common issues and shows how to resolve them.

Log Groups Don't Appear in CloudWatch

Add the CreateLogGroup permission to your Amazon MQ user and reboot the broker. This allows Amazon MQ to create the log group.

Log Streams Don't Appear in CloudWatch Log Groups

Configure a resource-based policy for Amazon MQ. This allows your broker to publish its logs.