
Collect CloudWatch Metrics and CloudTrail logs for the AWS EC2

This page describes the data sources of the Sumo Logic AWS EC2 app and gives instructions for setting up CloudWatch metric collection and CloudTrail log collection.

AWS EC2 CloudWatch Metrics

Amazon EC2 automatically monitors your instances on your behalf and reports EC2 metrics through Amazon CloudWatch. These metrics are collected by a Sumo Logic Hosted Collector on which you configure an Amazon CloudWatch Source.

The Sumo Logic App for AWS EC2 (CloudWatch Metrics) allows you to collect your EC2 instance metrics and display them using predefined dashboards. The App provides dashboards to analyze EC2 instance metrics for CPU, disk, network, EBS, and Health Status Check.

CloudTrail EC2 Data Events

CloudTrail EC2 Data Events allow you to continuously monitor the execution activity of your EC2 instance and record details of all the related events.

Collect Amazon CloudWatch Metrics

To collect Amazon CloudWatch Metrics, see Amazon CloudWatch Source For Metrics.

The AWS namespace to select in the CloudWatch Source for EC2 is AWS/EC2.

  • Metadata: Add an account field to the source and assign it a friendly name / alias for the AWS account from which you are collecting metrics. This name will appear in the Sumo Logic Explorer View, and metrics can then be queried by the account field.

Collect CloudTrail EC2 Data Events

To configure a CloudTrail Source, perform these steps:

  1. Grant Sumo Logic access to an Amazon S3 bucket.
  2. Configure DataEvents with CloudTrail in your AWS account.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. Add an AWS CloudTrail Source to Sumo Logic.
  5. While configuring the CloudTrail log source, the following field can be added to the source:
    1. Add an account field and assign it a friendly name / alias for the AWS account from which you are collecting logs. This name will appear in the Sumo Logic Explorer View, and logs can then be queried by the account field.

Field in Field Schema

Log in to Sumo Logic and go to Manage Data > Logs > Fields. Search for the “instanceid” field. If it is not present, create it. Learn how to create and manage fields here.

CloudTrail FER

Rule Name: AwsObservabilityEC2CloudTrailLogsFER
Applied at: Ingest Time
Scope (Specific Data): account=* eventname eventsource "ec2.amazonaws.com"

Parse Expression:

// Pull the top-level CloudTrail fields; nodrop keeps records where a field is absent
| json "eventSource", "awsRegion", "requestParameters", "responseElements", "recipientAccountId" as eventSource, region, requestParameters, responseElements, accountid nodrop
| where eventSource = "ec2.amazonaws.com"
| "aws/ec2" as namespace
// The instance id can appear in several places in requestParameters depending on the API call
| json field=requestParameters "instanceType", "instancesSet", "instanceId", "DescribeInstanceCreditSpecificationsRequest.InstanceId.content" as req_instancetype, req_instancesSet, req_instanceid_1, req_instanceid_2 nodrop
| json field=req_instancesSet "item", "items" as req_instancesSet_item, req_instancesSet_items nodrop
| parse regex field=req_instancesSet_item "\"instanceId\":\s*\"(?<req_instanceid_3>.*?)\"" nodrop
| parse regex field=req_instancesSet_items "\"instanceId\":\s*\"(?<req_instanceid_4>.*?)\"" nodrop
// Fall back to responseElements (for example RunInstances, where the id only exists in the response)
| json field=responseElements "instancesSet.items" as res_responseElements_items nodrop
| parse regex field=res_responseElements_items "\"instanceType\":\s*\"(?<res_instancetype>.*?)\"" nodrop
| parse regex field=res_responseElements_items "\"instanceId\":\s*\"(?<res_instanceid>.*?)\"" nodrop
// Take the first non-blank request-side candidate, then the response-side one
| if (!isBlank(req_instanceid_1), req_instanceid_1, if (!isBlank(req_instanceid_2), req_instanceid_2, if (!isBlank(req_instanceid_3), req_instanceid_3, if (!isBlank(req_instanceid_4), req_instanceid_4, "")))) as req_instanceid
| if (!isBlank(req_instanceid), req_instanceid, res_instanceid) as instanceid
| if (!isBlank(req_instancetype), req_instancetype, res_instancetype) as instanceType
// Normalize the id so it joins cleanly with the CloudWatch metrics dimension
| tolowercase(instanceid) as instanceid
| fields region, namespace, accountid, instanceid

Centralized AWS CloudTrail Log Collection

If you have centralized collection of CloudTrail logs and ingest them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map each AWS account ID to its friendly name / alias. Create it if it is not already present, or update it as required.

Rule Name: AWS Accounts
Applied at: Ingest Time
Scope (Specific Data): _sourceCategory=<SourceCategory_of_CloudTrail_source_created_in_sumo>

Parse Expression:

Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “dev” alias for an AWS account with ID "528560886094" and the “prod” alias for an AWS account with ID "567680881046", your parse expression would look like:

| json "recipientAccountId"
// Manually map your aws account id with the AWS account alias you setup earlier for individual child account
| "" as account
| if (recipientAccountId = "528560886094",  "dev", account) as account
| if (recipientAccountId = "567680881046",  "prod", account) as account
| fields account
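To check what the two FERs above will produce before ingesting real data, here is an added Python replica of their logic (not Sumo Logic's code, and not a substitute for the FERs themselves): it walks the same instance-id locations in the same priority order as AwsObservabilityEC2CloudTrailLogsFER, lowercases the result, and applies the account alias mapping from the AWS Accounts rule. The alias table and the sample records in the test are constructed; the two account IDs are the ones the page uses as examples.

```python
import json
import re

# Constructed alias map; the account IDs are the example IDs from the page.
ACCOUNT_ALIASES = {"528560886094": "dev", "567680881046": "prod"}

# Same pattern as the FER's parse regex, applied to the serialized instancesSet value.
_INSTANCE_ID_RE = re.compile(r'"instanceId":\s*"(.*?)"')

def _get_path(obj, path):
    """Walk a dotted path such as 'instancesSet.items' through nested dicts; '' if a step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return ""
        obj = obj[key]
    return obj

def _regex_instance_id(value):
    """Mirror the FER's `parse regex ... \"instanceId\"` over a JSON-serialized subtree."""
    if value == "" or value is None:
        return ""
    match = _INSTANCE_ID_RE.search(json.dumps(value))
    return match.group(1) if match else ""

def extract_ec2_fields(record):
    """Replicate the CloudTrail EC2 FER plus the account-alias FER for one CloudTrail record (a dict)."""
    if record.get("eventSource") != "ec2.amazonaws.com":
        return None  # outside the rule's scope, nothing is extracted
    req = record.get("requestParameters") or {}
    res = record.get("responseElements") or {}
    # Candidate locations in the FER's order: req_instanceid_1..4, then the response-side id.
    candidates = [
        _get_path(req, "instanceId"),
        _get_path(req, "DescribeInstanceCreditSpecificationsRequest.InstanceId.content"),
        _regex_instance_id(_get_path(req, "instancesSet.item")),
        _regex_instance_id(_get_path(req, "instancesSet.items")),
        _regex_instance_id(_get_path(res, "instancesSet.items")),
    ]
    instance_id = next((c for c in candidates if c), "")
    account_id = record.get("recipientAccountId", "")
    return {
        "region": record.get("awsRegion", ""),
        "namespace": "aws/ec2",
        "accountid": account_id,
        "instanceid": str(instance_id).lower(),  # tolowercase(instanceid)
        # Second FER on the page: alias lookup, '' when the account is not mapped.
        "account": ACCOUNT_ALIASES.get(account_id, ""),
    }
```

Records whose instance id is absent from every location yield an empty instanceid, which is also what the FER produces; such events are the ones to look at when dashboard panels show gaps.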