CloudWatch

This guide provides step-by-step instructions for integrating your Amazon Web Services (AWS) CloudWatch logs with slaOS. This integration allows slaOS to collect metrics, logs, and other critical data necessary to monitor your AWS environment effectively.

The app.rated.co interface guides you step by step, all the way through to a successful CloudWatch integration!

Prerequisites

Before you begin, ensure you have the following:

  • An active AWS account with administrative access

  • Access to AWS Identity and Access Management (IAM)

  • Your slaOS account credentials

Integration Steps

Step 1: Creating an AWS IAM Policy

To enable slaOS to access your CloudWatch logs, you need to create an AWS IAM policy with the necessary permissions.

  1. Log into AWS Management Console: Navigate to the IAM service.

  2. Create a New Policy: Use the JSON editor and paste the following policy document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "LogAccess",
          "Effect": "Allow",
          "Action": [
            "logs:FilterLogEvents",
            "logs:DescribeLogGroups"
          ],
          "Resource": "arn:aws:logs:*:*:*"
        }
      ]
    }

  3. Name the Policy: Assign a name such as RatedSLIQueryAccessPolicy.

  4. Review and Create: Complete the policy creation process.

Step 2: Creating an AWS IAM User

Next, create an IAM user to associate with the slaOS integration.

  1. Navigate to IAM Users: In the IAM console, click on "Users" in the left sidebar, then select "Add user."

  2. Configure User Details:

    • Choose a username (e.g., RatedIntegrationUser).

    • Select "Access key - Programmatic access" for the AWS access type.

  3. Attach the Policy:

    • On the permissions page, select "Attach existing policies directly."

    • Search for and select the RatedSLIQueryAccessPolicy created earlier.

  4. Finalize User Creation: Review and create the user.

Step 3: Generating and Managing Access Keys

Once the user is created, generate the access keys necessary for slaOS to access your logs.

  1. Download the Access Keys: On the "Success" page, download the CSV file containing the access key ID and secret access key.

  2. Missed Download? If you missed this step, you can generate a new secret access key for the IAM user later via the IAM console.

Step 4: Submitting keys to slaOS

After generating your AWS access keys, the next step is to add these credentials to slaOS for verification:

  1. During the onboarding process in the slaOS user interface, you'll be prompted to enter your AWS credentials.

  2. Input your AWS Access Key ID and Secret Access Key in the designated fields.

  3. The slaOS system will automatically verify your credentials to ensure they have the necessary permissions.

  4. Depending on your integration needs, slaOS will verify access to logs, metrics, or both.

Step 5: Selecting Log Groups and Streams

For slaOS to effectively query and parse your logs, it is essential to define the correct scopes. Scopes determine which parts of your log data will be accessible to slaOS, including the following:

  • Log Groups: Specify the CloudWatch log groups that should be included.

  • Log Streams: Define the log streams within each group that contain relevant data. It is not mandatory to specify this.

Step 6: Using CloudWatch Filter Patterns (Optional)

When setting up your CloudWatch logs for slaOS, you may want to use CloudWatch's native filter_pattern tool to filter logs. This tool allows you to specify which logs should be included based on your defined patterns.

slaOS does not verify the validity of the filter_pattern you provide. You are fully responsible for ensuring that your filter_pattern is correctly configured according to CloudWatch's native log filtering rules. Incorrect patterns may lead to missed log data or improper parsing.

Frequently Asked Questions (FAQ)

Can I restrict access to specific log groups or regions?

Yes: You can modify the Resource field in the IAM policy. For example:

  • To restrict access to a specific region: "arn:aws:logs:us-west-2:*:*"

  • To restrict access to specific log groups: "arn:aws:logs:*:*:log-group:/aws/lambda/my-function:*"
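The following is an added example, not slaOS or AWS code: an offline check that compares a policy document against the two actions from Step 1 and flags Resource ARNs left open to any region, account or log group. The scoped ARN combines the two restrictions shown above, and the account ID 123456789012 is a constructed placeholder.

```python
import json

# The two read-only actions granted by the policy in Step 1 of this guide.
EXPECTED_ACTIONS = {"logs:FilterLogEvents", "logs:DescribeLogGroups"}

# Policy from Step 1 (matches every region, account and log group).
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "LogAccess", "Effect": "Allow",
  "Action": ["logs:FilterLogEvents", "logs:DescribeLogGroups"],
  "Resource": "arn:aws:logs:*:*:*"}]}"""

# Constructed variant: combines the FAQ's region and log-group restrictions;
# 123456789012 is a placeholder account ID.
SCOPED_POLICY = PAGE_POLICY.replace(
    "arn:aws:logs:*:*:*",
    "arn:aws:logs:us-west-2:123456789012:log-group:/aws/lambda/my-function:*")

def _as_list(value):
    # IAM accepts a single value or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return sorted findings for Allow statements in a Logs read policy."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in EXPECTED_ACTIONS:
                findings.add(f"unexpected action: {action}")
        for arn in _as_list(stmt.get("Resource", [])):
            # Layout: arn:partition:service:region:account:resource
            parts = arn.split(":", 5)
            if len(parts) != 6 or parts[2] != "logs":
                findings.add(f"not a CloudWatch Logs ARN: {arn}")
                continue
            region, account, resource = parts[3:]
            if region == "*":
                findings.add("resource matches any region")
            if account == "*":
                findings.add("resource matches any account")
            if not resource.startswith("log-group:") or resource.startswith("log-group:*"):
                findings.add("resource matches any log group")
    return sorted(findings)

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc) or "no findings")
```
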

What happens if I need to rotate my AWS access keys?

Generate new access keys in the AWS IAM console and update them in your slaOS integration settings. Ensure you delete the old keys after confirming the new ones work.

How often does slaOS collect data from CloudWatch?

slaOS collects data in near real-time, typically with a delay of a few minutes depending on CloudWatch's own latency.

Is it safe to use the ingestion_key in logs?

The ingestion_key is not an API key or bearer token and does not provide access to other slaOS functionalities. While it has limited access, it's important to understand its security implications:

Don't Worry: If you're using the slaOS-managed cloud version, security measures are already in place to protect your ingestion_key. You don't need to handle these concerns directly.

slaOS manages:

  • Built-in rate limiting and anomaly detection

  • Isolation of your environment

  • Key rotation as needed

You rarely need to handle or log the ingestion_key directly, further reducing any risk.


For any additional questions or issues, please contact the slaOS support team on Slack.
