How to forward Windows event logs to CloudWatch in 5 easy steps
3 min read · Jan 26, 2020
Step 1:
===========
- Open Explorer on the server and navigate to the C:\ drive.
- Create a folder and name it. I used the following name for this example: "awscloudwatchagent".
Step 2:
===========
- Open PowerShell and PowerShell ISE as Administrator.
- Run the following PowerShell command to download amazon-cloudwatch-agent.msi into the folder from Step 1, then run the downloaded MSI to install the agent:
Invoke-WebRequest https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi -OutFile 'C:\awscloudwatchagent\amazon-cloudwatch-agent.msi'
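The download above pulls an installer that will run as SYSTEM and read the Security log, so it is worth checking what you fetched before executing it. The script below is an added example, not code from the original post or from AWS: it downloads the same MSI into the Step 1 folder, refuses to install unless the file carries a valid Authenticode signature whose signer name matches Amazon (the signer check is an assumption; adjust the pattern if the publisher CN differs), records the SHA-256 for your change log, and then installs silently with msiexec. The folder and log-file names are this example's choices.

```powershell
# Added example: download, verify and silently install the CloudWatch agent MSI.
# Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

$folder  = 'C:\awscloudwatchagent'                       # folder created in Step 1
$msiUrl  = 'https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi'
$msiPath = Join-Path $folder 'amazon-cloudwatch-agent.msi'
$msiLog  = Join-Path $folder 'install.log'               # example path for the MSI log

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# Same URL as the post (HTTPS). -UseBasicParsing avoids the Internet Explorer
# engine dependency on Windows PowerShell 5.1.
Invoke-WebRequest -Uri $msiUrl -OutFile $msiPath -UseBasicParsing

# Record the hash so the installed version can be tied back to what was downloaded.
$hash = (Get-FileHash -Path $msiPath -Algorithm SHA256).Hash
Write-Host "SHA256 $hash  $msiPath"

# Refuse to run an installer whose signature is missing, broken or untrusted.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is '$($sig.Status)'"
}
# Assumption: the MSI is signed by Amazon. Print the subject so a mismatch is visible.
if ($sig.SignerCertificate.Subject -notmatch 'Amazon') {
    throw "Refusing to install: unexpected signer '$($sig.SignerCertificate.Subject)'"
}
Write-Host "Signature OK: $($sig.SignerCertificate.Subject)"

# Silent install with a verbose MSI log for troubleshooting.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$msiPath`"", '/qn', '/L*v', "`"$msiLog`"") `
    -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $msiLog"
}
Write-Host "Agent installed under $Env:ProgramFiles\Amazon\AmazonCloudWatchAgent"
```

After this finishes, the folder referenced in Step 3 (C:\Program Files\Amazon\AmazonCloudWatchAgent) exists and the configuration wizard can be run from there.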
Step 3:
===========
- Browse to the folder where the agent is installed. See example below:
PS C:\Program Files\Amazon\AmazonCloudWatchAgent>
- Right-click "amazon-cloudwatch-agent-config-wizard.exe" and run it as administrator.
- Follow the prompts and answer the questions. This creates a "config.json" file that controls which logs and metrics are collected and where they land in CloudWatch. See this article for the wizard's questions:
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-cloudwatch-agent-configuration-file-wizard.html
- Example config.json file that collects the System, Security and Application event logs plus basic host metrics:
{
  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_format": "xml",
            "event_levels": [
              "VERBOSE",
              "INFORMATION",
              "WARNING",
              "ERROR",
              "CRITICAL"
            ],
            "event_name": "System",
            "log_group_name": "EC2_EventLogs",
            "log_stream_name": "{instance_id}"
          },
          {
            "event_format": "xml",
            "event_levels": [
              "VERBOSE",
              "INFORMATION",
              "WARNING",
              "ERROR",
              "CRITICAL"
            ],
            "event_name": "Security",
            "log_group_name": "EC2_EventLogs",
            "log_stream_name": "{instance_id}"
          },
          {
            "event_format": "xml",
            "event_levels": [
              "VERBOSE",
              "INFORMATION",
              "WARNING",
              "ERROR",
              "CRITICAL"
            ],
            "event_name": "Application",
            "log_group_name": "EC2_EventLogs",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  },
  "metrics": {
    "append_dimensions": {
      "AutoScalingGroupName": "${aws:AutoScalingGroupName}",
      "ImageId": "${aws:ImageId}",
      "InstanceId": "${aws:InstanceId}",
      "InstanceType": "${aws:InstanceType}"
    },
    "metrics_collected": {
      "LogicalDisk": {
        "measurement": [
          "% Free Space"
        ],
        "metrics_collection_interval": 60,
        "resources": [
          "*"
        ]
      },
      "Memory": {
        "measurement": [
          "% Committed Bytes In Use"
        ],
        "metrics_collection_interval": 60
      },
      "Paging File": {
        "measurement": [
          "% Usage"
        ],
        "metrics_collection_interval": 60,
        "resources": [
          "*"
        ]
      },
      "PhysicalDisk": {
        "measurement": [
          "% Disk Time",
          "Disk Write Bytes/sec",
          "Disk Read Bytes/sec",
          "Disk Writes/sec",
          "Disk Reads/sec"
        ],
        "metrics_collection_interval": 60,
        "resources": [
          "*"
        ]
      },
      "Processor": {
        "measurement": [
          "% User Time",
          "% Idle Time",
          "% Interrupt Time"
        ],
        "metrics_collection_interval": 60,
        "resources": [
          "*"
        ]
      },
      "TCPv4": {
        "measurement": [
          "Connections Established"
        ],
        "metrics_collection_interval": 60
      },
      "TCPv6": {
        "measurement": [
          "Connections Established"
        ],
        "metrics_collection_interval": 60
      },
      "statsd": {
        "metrics_aggregation_interval": 60,
        "metrics_collection_interval": 10,
        "service_address": ":8125"
      }
    }
  }
}
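Two things commonly go wrong with a config like the one above: curly quotes copied from a web page make the file invalid JSON, and an event_name that does not match a channel on the host means that entry silently forwards nothing. The script below is an added example, not part of the original post or the agent, that checks both before the file is handed to the agent in Step 4. It reads config.json from the agent folder (the wizard's default location; the path is an assumption), confirms it parses, verifies each windows_events channel exists with Get-WinEvent -ListLog, flags unknown event_levels values, and warns if the Security channel is missing, since that is the log that holds logon and privilege-use events and is the one most worth having off-host when a machine is compromised.

```powershell
# Added example: sanity-check the CloudWatch agent config.json before loading it.
# Run from an elevated PowerShell session so the Security channel is readable.
$ErrorActionPreference = 'Stop'
$configPath = "$Env:ProgramFiles\Amazon\AmazonCloudWatchAgent\config.json"   # assumed location

# 1. Catch curly quotes (U+201C/U+201D/U+2018/U+2019) before ConvertFrom-Json fails on them.
$raw = Get-Content -Path $configPath -Raw
if ($raw -match '[\u201C\u201D\u2018\u2019]') {
    throw "config.json contains curly quotes; replace them with straight ASCII quotes"
}
$cfg = $raw | ConvertFrom-Json

# 2. Each collect_list entry must name a real event channel on this host.
$entries     = @($cfg.logs.logs_collected.windows_events.collect_list)
$validLevels = 'VERBOSE', 'INFORMATION', 'WARNING', 'ERROR', 'CRITICAL'
if ($entries.Count -eq 0) { throw "No windows_events entries found in $configPath" }

foreach ($e in $entries) {
    try {
        $log = Get-WinEvent -ListLog $e.event_name -ErrorAction Stop
        Write-Host ("OK   {0,-12} enabled={1} records={2} -> {3}/{4}" -f `
            $e.event_name, $log.IsEnabled, $log.RecordCount, $e.log_group_name, $e.log_stream_name)
        if (-not $log.IsEnabled) {
            Write-Warning "Channel '$($e.event_name)' exists but is disabled; nothing will be forwarded"
        }
    } catch {
        Write-Warning "Channel '$($e.event_name)' not found on this host: $($_.Exception.Message)"
    }
    $bad = @($e.event_levels | Where-Object { $_ -notin $validLevels })
    if ($bad.Count -gt 0) {
        Write-Warning "Entry '$($e.event_name)' has unknown event_levels: $($bad -join ', ')"
    }
}

# 3. The Security log is the channel that matters most for incident response.
if (@($entries.event_name) -notcontains 'Security') {
    Write-Warning "The Security channel is not in collect_list; logon and audit events will stay on the host only"
}
```

The same check works for any additional channel you add to collect_list later; the channel name must match what Get-WinEvent -ListLog reports, including the full "Microsoft-Windows-…/Operational" form for non-classic logs.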
Step 4:
===========
- Open PowerShell.
- Navigate to the folder where the agent is installed. See example below:
PS C:\Program Files\Amazon\AmazonCloudWatchAgent>
- Run the following command to load config.json into the agent and start it ("-a fetch-config" reads the config file given by "-c", and "-s" starts the service afterwards):
.\amazon-cloudwatch-agent-ctl.ps1 -a fetch-config -m ec2 -c file:config.json -s
- You should receive output like the following:
Successfully fetched the config and saved in the following location:
C:\ProgramData\Amazon\AmazonCloudWatchAgent\Configs\file_config.json.tmp
- Note: this command also starts the "AmazonCloudWatchAgent" service. Every time config.json is modified, the config must be fetched again and the service restarted.
- If you want to see the status of the agent, run the following PowerShell command:
& $Env:ProgramFiles\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1 -m ec2 -a status
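Because the service silently keeps running on an old configuration when a fetch fails, and a stopped or manually-started service means no logs reach CloudWatch after a reboot, it helps to script the reload together with a health check. The following is an added example, not code from the original post or from AWS: it runs the same fetch-config command shown above with the full config path, asserts that the AmazonCloudWatchAgent service is running and set to automatic start, prints the status output, and scans the tail of the agent's own log for error lines. The agent log path is the standard one under ProgramData; treating lines containing " E! " as errors is an assumption about the agent's log format.

```powershell
# Added example: apply config.json, then verify the agent service and its log.
# Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'
$agentDir = "$Env:ProgramFiles\Amazon\AmazonCloudWatchAgent"
$ctl      = Join-Path $agentDir 'amazon-cloudwatch-agent-ctl.ps1'
$config   = Join-Path $agentDir 'config.json'
$agentLog = "$Env:ProgramData\Amazon\AmazonCloudWatchAgent\Logs\amazon-cloudwatch-agent.log"

# fetch-config with -s (re)starts the service; rerun this after every edit to config.json.
& $ctl -a fetch-config -m ec2 -c "file:$config" -s

# The service must be running, and should start automatically so a reboot does not
# silently stop log forwarding.
$svc = Get-Service -Name 'AmazonCloudWatchAgent'
if ($svc.Status -ne 'Running') {
    throw "AmazonCloudWatchAgent service is $($svc.Status); check $agentLog"
}
if ($svc.StartType -ne 'Automatic') {
    Write-Warning "Service start type is $($svc.StartType), not Automatic; logs stop after the next reboot"
}

# Same status command as in the post; shown here so the result is in the same output.
$status = (& $ctl -m ec2 -a status) -join "`n"
Write-Host $status

# Error lines in the agent log usually mean a misspelled channel name or an instance
# role that lacks logs:CreateLogGroup / logs:CreateLogStream / logs:PutLogEvents.
if (Test-Path $agentLog) {
    $errors = @(Get-Content -Path $agentLog -Tail 200 | Where-Object { $_ -match ' E! ' })   # format assumed
    if ($errors.Count -gt 0) {
        Write-Warning "Recent agent errors:`n$($errors -join "`n")"
    } else {
        Write-Host "No errors in the last 200 lines of $agentLog"
    }
} else {
    Write-Warning "Agent log not found at $agentLog"
}
```

If the service is running but the log shows permission errors, the fix is on the IAM side (the instance profile attached to the EC2 instance), not in config.json.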
Step 5:
===========
- Verify in the AWS Console that the log group named in config.json (EC2_EventLogs in the example above) now contains logs. Look for the log stream named after the instance ID of the server you are collecting Windows event logs from. (See example below.)
- Select the instance ID to confirm that events are present. You should see the output shown below.
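Checking the console once is fine, but a stream that stops receiving events is easy to miss, so the same verification is worth having as a command. The script below is an added example, not part of the original post: it reads this instance's ID from the instance metadata service (IMDSv2, token first), uses the AWS CLI to find the log stream for that ID in the EC2_EventLogs group, warns if the stream has not received an event in the last 15 minutes, and prints the EventID and Channel of the most recent forwarded events by parsing the XML body that event_format "xml" produces. It assumes the AWS CLI is installed with credentials allowed to call logs:DescribeLogStreams and logs:GetLogEvents; the 15-minute threshold and the XML parsing of the message body are this example's assumptions.

```powershell
# Added example: confirm from the command line that this instance's events reached
# CloudWatch Logs. Group name matches the config.json example above.
$ErrorActionPreference = 'Stop'
$logGroup   = 'EC2_EventLogs'
$staleAfter = [TimeSpan]::FromMinutes(15)   # assumed freshness threshold

# log_stream_name is {instance_id}, so read this instance's ID from IMDS (v2: token first).
$imds  = 'http://169.254.169.254/latest'
$token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
$instanceId = Invoke-RestMethod -Uri "$imds/meta-data/instance-id" `
    -Headers @{ 'X-aws-ec2-metadata-token' = $token }

# Find the stream(s) whose name starts with this instance ID.
$streams = aws logs describe-log-streams --log-group-name $logGroup `
    --log-stream-name-prefix $instanceId --output json | ConvertFrom-Json
if (-not $streams.logStreams) { throw "No log stream for $instanceId in $logGroup yet" }

foreach ($s in $streams.logStreams) {
    if (-not $s.lastEventTimestamp) {            # new stream, nothing ingested yet
        Write-Warning "$($s.logStreamName) exists but has no events yet"
        continue
    }
    # lastEventTimestamp is epoch milliseconds.
    $last = [DateTimeOffset]::FromUnixTimeMilliseconds($s.lastEventTimestamp).UtcDateTime
    $age  = (Get-Date).ToUniversalTime() - $last
    Write-Host ("{0}: last event {1:u} ({2:N0} min ago)" -f $s.logStreamName, $last, $age.TotalMinutes)
    if ($age -gt $staleAfter) {
        Write-Warning "$($s.logStreamName) has received nothing for over $($staleAfter.TotalMinutes) minutes"
    }
}

# Show the newest events; with event_format "xml" the message body is the event XML.
$events = aws logs get-log-events --log-group-name $logGroup --log-stream-name $instanceId `
    --limit 5 --output json | ConvertFrom-Json
foreach ($ev in $events.events) {
    $ts = [DateTimeOffset]::FromUnixTimeMilliseconds($ev.timestamp).UtcDateTime
    try {
        $xml = [xml]$ev.message
        $eid = $xml.Event.System.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # EventID may carry a Qualifiers attribute
        Write-Host ("{0:u} EventID={1} Channel={2}" -f $ts, $eid, $xml.Event.System.Channel)
    } catch {
        Write-Host ("{0:u} (message is not XML: {1} chars)" -f $ts, $ev.message.Length)
    }
}
```

Running this from a scheduled task or a monitoring host turns Step 5 into a repeatable check; if the stream goes stale while the service is still running, look at the agent log from Step 4 first.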