Sending instance logs to CloudWatch Logs (SSM Agent) - AWS Systems Manager

Sending instance logs to CloudWatch Logs (SSM Agent)

AWS Systems Manager Agent (SSM Agent) is Amazon software that runs on your EC2 instances and your hybrid instances (on-premises instances and virtual machines) that are configured for Systems Manager. SSM Agent processes requests from the Systems Manager service in the cloud and configures your machine as specified in the request. For more information about SSM Agent, see Working with SSM Agent.

In addition, following the steps below, you can configure SSM Agent to send log data to Amazon CloudWatch Logs.

Important

The unified CloudWatch agent has replaced SSM Agent as the tool for sending log data to Amazon CloudWatch Logs. Support for using SSM Agent to send log data will be deprecated in the near future. We recommend using only the unified CloudWatch agent for your log collection processes. For more information, see the following topics:

Before You Begin

Create a log group in Amazon CloudWatch Logs. For more information, see Create a log group in CloudWatch Logs in the Amazon CloudWatch Logs User Guide.

To configure SSM Agent to send logs to CloudWatch

  1. Log into an instance and locate the following file:

    Linux

    /etc/amazon/ssm/seelog.xml.template

    Windows

    %ProgramFiles%\Amazon\SSM\seelog.xml.template

  2. Change the file name from seelog.xml.template to seelog.xml.

  3. Open the seelog.xml file in a text editor, and locate the following section.

    Linux
    <outputs formatid="fmtinfo"> <console formatid="fmtinfo"/> <rollingfile type="size" filename="/var/log/amazon/ssm/amazon-ssm-agent.log" maxsize="30000000" maxrolls="5"/> <filter levels="error,critical" formatid="fmterror"> <rollingfile type="size" filename="/var/log/amazon/ssm/errors.log" maxsize="10000000" maxrolls="5"/> </filter> </outputs>
    Windows
    <outputs formatid="fmtinfo"> <console formatid="fmtinfo"/> <rollingfile type="size" maxrolls="5" maxsize="30000000" filename="{{LOCALAPPDATA}}\Amazon\SSM\Logs\amazon-ssm-agent.log"/> <filter formatid="fmterror" levels="error,critical"> <rollingfile type="size" maxrolls="5" maxsize="10000000" filename="{{LOCALAPPDATA}}\Amazon\SSM\Logs\errors.log"/> </filter> </outputs>
  4. Edit the file, and add a custom name element after the closing </filter> tag. In the following example, the custom name as been specified as cloudwatch_receiver.

    Linux
    <outputs formatid="fmtinfo"> <console formatid="fmtinfo"/> <rollingfile type="size" filename="/var/log/amazon/ssm/amazon-ssm-agent.log" maxsize="30000000" maxrolls="5"/> <filter levels="error,critical" formatid="fmterror"> <rollingfile type="size" filename="/var/log/amazon/ssm/errors.log" maxsize="10000000" maxrolls="5"/> </filter> <custom name="cloudwatch_receiver" formatid="fmtdebug" data-log-group="your-CloudWatch-log-group-name"/> </outputs>
    Windows
    <outputs formatid="fmtinfo"> <console formatid="fmtinfo"/> <rollingfile type="size" maxrolls="5" maxsize="30000000" filename="{{LOCALAPPDATA}}\Amazon\SSM\Logs\amazon-ssm-agent.log"/> <filter formatid="fmterror" levels="error,critical"> <rollingfile type="size" maxrolls="5" maxsize="10000000" filename="{{LOCALAPPDATA}}\Amazon\SSM\Logs\errors.log"/> </filter> <custom name="cloudwatch_receiver" formatid="fmtdebug" data-log-group="your-CloudWatch-log-group-name"/> </outputs>
  5. Save your changes, and then restart SSM Agent or the instance.

  6. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  7. In the navigation pane, choose Log groups, and then choose the name of your log group.

    Tip

    The log stream for SSM Agent log file data is organized by instance ID.