cloudwatch

edit

This is a community-maintained plugin! It does not ship with Logstash by default, but it is easy to install by running bin/logstash-plugin install logstash-input-cloudwatch.

Pull events from the Amazon Web Services CloudWatch API.

To use this plugin, you must have an AWS account, and the following policy

Typically, you should setup an IAM policy, create a user and apply the IAM policy to the user. A sample policy for EC2 metrics is as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1444715676000",
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:ListMetrics"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Stmt1444716576170",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances"
                ],
                "Resource": "*"
            }
        ]
    }

See http://aws.amazon.com/iam/ for more details on setting up AWS identities.

Configuration Example

    input {
      cloudwatch {
        namespace => "AWS/EC2"
        metrics => [ "CPUUtilization" ]
        filters => { "tag:Group" => "API-Production" }
        region => "us-east-1"
      }
    }
input {
  cloudwatch {
    namespace => "AWS/EBS"
    metrics => ["VolumeQueueLength"]
    filters => { "tag:Monitoring" => "Yes" }
    region => "us-east-1"
  }
}
input {
  cloudwatch {
    namespace => "AWS/RDS"
    metrics => ["CPUUtilization", "CPUCreditUsage"]
    filters => { "EngineName" => "mysql" } # Only supports EngineName, DatabaseClass and DBInstanceIdentifier
    region => "us-east-1"
  }
}

 

Synopsis

edit

This plugin supports the following configuration options:

Required configuration options:

cloudwatch {
    filters => ...
}

Available configuration options:

Setting Input type Required Default value

access_key_id

string

No

add_field

hash

No

{}

aws_credentials_file

string

No

codec

codec

No

"plain"

combined

boolean

No

false

filters

array

Yes

interval

number

No

900

metrics

array

No

["CPUUtilization", "DiskReadOps", "DiskWriteOps", "NetworkIn", "NetworkOut"]

namespace

string

No

"AWS/EC2"

period

number

No

300

proxy_uri

string

No

region

string, one of ["us-east-1", "us-west-1", "us-west-2", "eu-central-1", "eu-west-1", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ap-northeast-2", "sa-east-1", "us-gov-west-1", "cn-north-1", "ap-south-1"]

No

"us-east-1"

secret_access_key

string

No

session_token

string

No

statistics

array

No

["SampleCount", "Average", "Minimum", "Maximum", "Sum"]

tags

array

No

type

string

No

use_ssl

boolean

No

true

Details

edit

 

access_key_id

edit
  • Value type is string
  • There is no default value for this setting.

This plugin uses the AWS SDK and supports several ways to get credentials, which will be tried in this order:

  1. Static configuration, using access_key_id and secret_access_key params in logstash plugin config
  2. External credentials file specified by aws_credentials_file
  3. Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  4. Environment variables AMAZON_ACCESS_KEY_ID and AMAZON_SECRET_ACCESS_KEY
  5. IAM Instance Profile (available when running inside EC2)

add_field

edit
  • Value type is hash
  • Default value is {}

Add a field to an event

aws_credentials_file

edit
  • Value type is string
  • There is no default value for this setting.

Path to YAML file containing a hash of AWS credentials. This file will only be loaded if access_key_id and secret_access_key aren’t set. The contents of the file should look like this:

    :access_key_id: "12345"
    :secret_access_key: "54321"

codec

edit
  • Value type is codec
  • Default value is "plain"

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

combined

edit
  • Value type is boolean
  • Default value is false

Use this for namespaces that need to combine the dimensions like S3 and SNS.

filters

edit
  • This is a required setting.
  • Value type is array
  • There is no default value for this setting.

Specify the filters to apply when fetching resources:

This needs to follow the AWS convention of specifiying filters. Instances: { instance-idi-12344321 } Tags: { "tag:Environment" ⇒ "Production" } Volumes: { attachment.statusattached } Each namespace uniquely support certian dimensions. Please consult the documentation to ensure you’re using valid filters.

interval

edit
  • Value type is number
  • Default value is 900

Set how frequently CloudWatch should be queried

The default, 900, means check every 15 minutes. Setting this value too low (generally less than 300) results in no metrics being returned from CloudWatch.

metrics

edit
  • Value type is array
  • Default value is ["CPUUtilization", "DiskReadOps", "DiskWriteOps", "NetworkIn", "NetworkOut"]

Specify the metrics to fetch for the namespace. The defaults are AWS/EC2 specific. See http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/aws-namespaces.html for the available metrics for other namespaces.

namespace

edit
  • Value type is string
  • Default value is "AWS/EC2"

If undefined, LogStash will complain, even if codec is unused. The service namespace of the metrics to fetch.

The default is for the EC2 service. See http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/aws-namespaces.html for valid values.

period

edit
  • Value type is number
  • Default value is 300

Set the granularity of the returned datapoints.

Must be at least 60 seconds and in multiples of 60.

proxy_uri

edit
  • Value type is string
  • There is no default value for this setting.

URI to proxy server if required

region

edit
  • Value can be any of: us-east-1, us-west-1, us-west-2, eu-central-1, eu-west-1, ap-southeast-1, ap-southeast-2, ap-northeast-1, ap-northeast-2, sa-east-1, us-gov-west-1, cn-north-1, ap-south-1
  • Default value is "us-east-1"

The AWS Region

secret_access_key

edit
  • Value type is string
  • There is no default value for this setting.

The AWS Secret Access Key

session_token

edit
  • Value type is string
  • There is no default value for this setting.

The AWS Session token for temporary credential

statistics

edit
  • Value type is array
  • Default value is ["SampleCount", "Average", "Minimum", "Maximum", "Sum"]

Specify the statistics to fetch for each namespace

tags

edit
  • Value type is array
  • There is no default value for this setting.

Add any number of arbitrary tags to your event.

This can help with processing later.

type

edit
  • Value type is string
  • There is no default value for this setting.

Add a type field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.

use_ssl

edit
  • Value type is boolean
  • Default value is true

Should we require (true) or disable (false) using SSL for communicating with the AWS API The AWS SDK for Ruby defaults to SSL so we preserve that