Sumo Logic

Collect Logs, Metrics (Container Insights + CloudWatch) and Traces for ECS

This page has instructions for collecting logs, metrics, and traces for the Amazon ECS App using Container Insights. It uses the following data sources:

  1. CloudWatch Metrics
  2. Container Insights Metrics
  3. AWS CloudTrail Events
  4. Container Insights performance log events
  5. ECS Application Logs
  6. Traces

Creating Fields in Field Schema

Log in to Sumo Logic, go to Manage Data > Logs > Fields, and search for the “account”, “namespace”, and “region” fields. Create any that are not present. Learn how to create and manage fields here.

Creating Field Extraction Rule(s)

Create a Field Extraction Rule for CloudTrail logs. Learn how to create a Field Extraction Rule here.

Rule Name: AwsObservabilityECSCloudTrailLogsFER
Applied at: Ingest Time
Scope (Specific Data): 
account=* eventname eventsource "ecs.amazonaws.com"
Parse Expression:
| json "eventSource", "awsRegion", "requestParameters.tableName", "recipientAccountId" as eventSource, region, tablename, accountid nodrop
| where eventSource = "ecs.amazonaws.com"
| "aws/ecs" as namespace
| fields region, namespace, accountid

Create a Field Extraction Rule for the Container Insights performance log events of tasks and containers.

Rule Name: AwsObservabilityECSPerformanceEventsFER
Applied at: Ingest Time
Scope (Specific Data): 
account=* (Task OR Container)
Parse Expression:
| json "AccountID", "Region", "Type" as accountid, region, Type nodrop
| where Type="Task" or Type="Container"
| "aws/ecs" as namespace
| fields region, namespace, accountid

Centralized AWS CloudTrail Log Collection

If you collect CloudTrail logs centrally and ingest them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map each AWS account ID to its friendly name/alias. Create it if it is not already present, or update it as required.

Rule Name: AWS Accounts
Applied at: Ingest Time
Scope (Specific Data): 
_sourceCategory=aws/observability/cloudtrail/logs
Parse Expression:

Enter a parse expression to create an “account” field that maps to the alias you set for each sub-account. For example, if you used the “dev” alias for an AWS account with ID "528560886094" and the “prod” alias for an AWS account with ID "567680881046", your parse expression would look like this:

| json "recipientAccountId"
// Manually map your aws account id with the AWS account alias you setup earlier for individual child account
| "" as account
| if (recipientAccountId = "528560886094",  "dev", account) as account
| if (recipientAccountId = "567680881046",  "prod", account) as account
| fields account
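To make the three rules above concrete, here is an added Python example (not part of the Sumo Logic page and not Sumo Logic code) that applies the same logic as AwsObservabilityECSCloudTrailLogsFER, AwsObservabilityECSPerformanceEventsFER and the "AWS Accounts" rule to constructed sample records. The CloudTrail record is trimmed from the page's sample message and uses the "dev" account ID from the alias example; the performance event and the alias table are constructed here. The point worth seeing is in account_alias: the rule starts the account field as "" and only overwrites it for mapped IDs, so any child account you forget to map ends up with an empty alias and will not appear under a name in the Explorer view.

```python
import json
from typing import Optional

# Constructed sample CloudTrail record, trimmed to the fields the rules on this
# page read; modelled on the page's sample message, with the "dev" account ID.
SAMPLE_CLOUDTRAIL_EVENT = json.dumps({
    "eventSource": "ecs.amazonaws.com",
    "eventName": "RegisterTaskDefinition",
    "awsRegion": "us-west-1",
    "recipientAccountId": "528560886094",
    "requestParameters": {"cluster": "graphite"},
})

# Constructed sample Container Insights performance log event (embedded metric
# format), with the "prod" account ID.
SAMPLE_PERFORMANCE_EVENT = json.dumps({
    "Type": "Task",
    "AccountID": "567680881046",
    "Region": "us-east-1",
    "ClusterName": "graphite",
})

# Alias table equivalent to the if() chain in the "AWS Accounts" rule.
ACCOUNT_ALIASES = {
    "528560886094": "dev",
    "567680881046": "prod",
}


def cloudtrail_fer(raw: str) -> Optional[dict]:
    """AwsObservabilityECSCloudTrailLogsFER: 'nodrop' keeps unparsable messages,
    but the 'where' clause then discards anything whose eventSource is not
    ecs.amazonaws.com, so only ECS events receive the three fields."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("eventSource") != "ecs.amazonaws.com":
        return None
    return {
        "region": rec.get("awsRegion"),
        "namespace": "aws/ecs",
        "accountid": rec.get("recipientAccountId"),
    }


def performance_event_fer(raw: str) -> Optional[dict]:
    """AwsObservabilityECSPerformanceEventsFER: only Task and Container level
    performance events receive the fields; other event types are left alone."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("Type") not in ("Task", "Container"):
        return None
    return {
        "region": rec.get("Region"),
        "namespace": "aws/ecs",
        "accountid": rec.get("AccountID"),
    }


def account_alias(raw: str, aliases: dict = ACCOUNT_ALIASES) -> str:
    """'AWS Accounts' rule: account starts as "" and is overwritten when
    recipientAccountId matches a mapped child account. An unmapped account
    therefore ends up with an empty alias, which is the case to watch for."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return ""
    if not isinstance(rec, dict):
        return ""
    return aliases.get(rec.get("recipientAccountId", ""), "")


if __name__ == "__main__":
    print(cloudtrail_fer(SAMPLE_CLOUDTRAIL_EVENT))
    print(performance_event_fer(SAMPLE_PERFORMANCE_EVENT))
    print(account_alias(SAMPLE_CLOUDTRAIL_EVENT))
```

Because the rules are applied at ingest time, a record that arrives before the rule exists never gets the fields, so create the fields and rules before creating the sources described in the following sections.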

Collect Metrics for Amazon ECS

In this step, you set up an Amazon CloudWatch Source for Metrics.

  1. Grant permission for Sumo Logic to list available metrics and get metric data points. For instructions, see Grant Access to an AWS Product.
  2. Configure a Hosted Collector.
  3. In the Sumo web app, select Manage Data > Collection > Collection.
  4. Navigate to the hosted collector you configured above and select Add > Add Source.
  5. Select Amazon CloudWatch Source for Metrics.
  6. Name. Enter a name to display the new source.
  7. Description. Enter an optional description.
  8. Regions. Select your Amazon Regions for ECS.
  9. Namespaces. Select AWS/ECS.
  10. Source Category. Enter ecs_metrics.
  11. AWS Access. There are two options for AWS access: 
    • Role-based access. This is the preferred method. Use this option if you are granted access to Amazon ECS as described in Grant Access to an AWS Product. For role-based access, enter the Role ARN that was provided by AWS after creating the role.

    • Key access. Enter the Access Key ID and Secret Access Key. For more information, see Managing Access Keys for IAM Users in AWS help.

  12. Scan Interval. Use the default of 5 minutes, or enter the frequency Sumo Logic will scan your CloudWatch Sources for new data.
  13. Metadata: Add an account field to the source and assign it a value that is a friendly name/alias to your AWS account from which you are collecting metrics. This name will appear in the Sumo Logic Explorer View. Metrics can be queried via the “account field”.

  14. Click Save.

Collect Container Insights Metrics for Amazon ECS

When you enable Container Insights, CloudWatch collects additional metrics in the ECS/ContainerInsights namespace that describe the status of your ECS tasks, their resource usage, and the number of running services, containers, and deployments.

In this step, you will enable Container Insights and set up a collection to ingest those metrics.

  1. Enable Container Insights using the AWS CLI or the AWS console, as described in the AWS docs.
  2. Update the source created in the “Collect Metrics for Amazon ECS” section to include “ECS/ContainerInsights” in the custom namespaces field.

Collect ECS events using CloudTrail

In this step, you set up an AWS CloudTrail Source to collect ECS events.

  1. Configure CloudTrail in your AWS account. This will create an S3 bucket, if you so choose.
  2. Grant Sumo Logic access to the Amazon S3 bucket.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. In the Sumo web app, select Manage Data > Collection > Collection.
  5. Navigate to the hosted collector you configured above and select Add > Add Source.
  6. Select AWS CloudTrail source.
  7. Name. Enter a name to display the new Source.
  8. Description. Enter an optional description.
  9. S3 Region. Select the Amazon Region for your ECS S3 bucket.
  10. Bucket Name. Enter the exact name of your ECS S3 bucket.
  11. Path Expression. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. (DO NOT use a leading forward slash. See Amazon Path Expressions.) 
  12. Source Category. Enter aws/observability/cloudtrail/logs.
  13. Fields. Add an account field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. This name will appear in the Sumo Logic Explorer View. Logs can be queried via the “account field”.
  14. AWS Access. There are two options for AWS access: 
    • Role-based access. This is the preferred method. You can use this option if you granted access to Amazon ECS as described in Grant Access to an AWS Product. For role-based access, enter the Role ARN that was provided by AWS after creating the role.

    • Key access. Enter the Access Key ID and Secret Access Key. For more information, see Managing Access Keys for IAM Users in AWS help.

  15. Scan Interval. Use the default of 5 minutes. Alternately, enter the frequency Sumo Logic will scan your S3 bucket for new data.
  16. Enable Timestamp Parsing. Select the check box.
  17. Time Zone. Select Ignore time zone from log file and instead use, and select UTC.
  18. Timestamp Format. Select Automatically detect the format.
  19. Enable Multiline Processing. Select the check box, and select Infer Boundaries.
  20. Click Save.

Collect Container Insights performance log events for Task and Container

Container Insights collects data as performance log events using the embedded metric format (more details here). In this step you create a source to collect the task- and container-level performance events, which are not converted into CloudWatch metrics.

  1. Configure an AWS Kinesis Firehose for Logs Source.
    Add the fields account, region and namespace as shown below.

  2. Copy the KinesisLogsRoleARN and KinesisLogsDeliveryStreamARN values from the Outputs tab of the CloudFormation stack.

  3. Go to CloudWatch -> Log Groups and click on your CloudWatch log group /aws/ecs/containerinsights/<cluster>/performance.

  4. Click Create and fill in the following parameters in the window that opens:

    1. Take the delivery stream name from the ARN copied in step 2 and fill in the KinesisLogsDeliverStream field.

    2. Take the role name from the ARN copied in step 2 and fill in the role.

    3. Specify the filter pattern `{ $.Type = "Container" || $.Type = "Task" }`

    4. Specify the filter name.

    5. Test the pattern and click Start streaming.
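The following Python example is added here to walk through step 4 end to end; it is not code from the Sumo Logic page or from the CloudFormation stack. The two ARNs, the cluster name in the log group and the filter name are constructed placeholders. resource_name_from_arn does what steps 4.1 and 4.2 ask (pull the stream name and role name out of the ARNs), matches_filter_pattern evaluates the page's filter pattern the way CloudWatch Logs applies a JSON pattern, and subscription_filter_request assembles the PutSubscriptionFilter parameters that the console submits when you click Start streaming. Passing that dictionary to boto3's logs.put_subscription_filter(**request) is the real call; it is assumed available and deliberately not made, so the example runs offline.

```python
import json

# Constructed placeholder ARNs in the shape the Kinesis Firehose for Logs
# CloudFormation stack outputs as KinesisLogsDeliveryStreamARN and
# KinesisLogsRoleARN (not real resources).
KINESIS_LOGS_DELIVERY_STREAM_ARN = (
    "arn:aws:firehose:us-west-1:123456789012:deliverystream/sumo-ecs-logs-stream"
)
KINESIS_LOGS_ROLE_ARN = "arn:aws:iam::123456789012:role/sumo-kinesis-logs-role"
# <cluster> from the page is replaced by a placeholder cluster name.
LOG_GROUP = "/aws/ecs/containerinsights/example-cluster/performance"
# The page's filter pattern; CloudWatch requires straight double quotes here.
FILTER_PATTERN = '{ $.Type = "Container" || $.Type = "Task" }'


def resource_name_from_arn(arn: str) -> str:
    """Return the trailing name of an ARN's resource part, e.g.
    'deliverystream/NAME' -> NAME and 'role/NAME' -> NAME (steps 4.1 and 4.2).
    IAM ARNs have an empty region field, which the 6-way split tolerates."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[5].rsplit("/", 1)[-1]


def matches_filter_pattern(raw_event: str) -> bool:
    """Evaluate the page's JSON filter pattern the way CloudWatch Logs applies
    it: the event must be a JSON object and $.Type must equal "Container" or
    "Task". Non-JSON lines never match a JSON pattern."""
    try:
        rec = json.loads(raw_event)
    except json.JSONDecodeError:
        return False
    return isinstance(rec, dict) and rec.get("Type") in ("Container", "Task")


def subscription_filter_request(filter_name: str = "sumo-ecs-performance") -> dict:
    """Assemble the PutSubscriptionFilter parameters the console submits on
    'Start streaming'. The API takes the ARNs directly; the console form asks
    for the stream and role names, which resource_name_from_arn derives."""
    return {
        "logGroupName": LOG_GROUP,
        "filterName": filter_name,
        "filterPattern": FILTER_PATTERN,
        "destinationArn": KINESIS_LOGS_DELIVERY_STREAM_ARN,
        "roleArn": KINESIS_LOGS_ROLE_ARN,
    }


def sample_events_that_stream() -> list:
    """Run constructed performance log events through the filter and return
    the Type of each one that would be forwarded to the delivery stream."""
    events = [
        '{"Type": "Task", "ClusterName": "example-cluster", "CpuUtilized": 12.5}',
        '{"Type": "Container", "ClusterName": "example-cluster", "MemoryUtilized": 64}',
        '{"Type": "Service", "ClusterName": "example-cluster", "RunningTaskCount": 3}',
        '{"Type": "Cluster", "ClusterName": "example-cluster", "TaskCount": 3}',
        "not a json event",
    ]
    return [json.loads(e)["Type"] for e in events if matches_filter_pattern(e)]


if __name__ == "__main__":
    print(resource_name_from_arn(KINESIS_LOGS_DELIVERY_STREAM_ARN))
    print(resource_name_from_arn(KINESIS_LOGS_ROLE_ARN))
    print(sample_events_that_stream())
    print(subscription_filter_request())
```

The role named in the request is what CloudWatch Logs assumes to write into the delivery stream; keep it scoped to that one stream rather than reusing a broader role, since every log group subscribed with it inherits whatever it can write to.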

Collect Application Logs for Amazon ECS

Set up container log collection using the steps in the following docs. You can use the awsfirelens log driver and avoid sending logs to CloudWatch log groups. Also add the account, region and namespace fields when configuring the source.

If your logs already go to CloudWatch log groups, you can instead create a subscription filter that subscribes those log groups to the delivery stream created in the previous step.

Collect Traces for Amazon ECS

In this section, you set up collection for traces.

  1. Create an HTTP Traces source by referring to the docs.
  2. Install the OpenTelemetry Collector by referring to the docs.

Sample Log Message

{
   "eventVersion":"1.04",
   "userIdentity":{
      "type":"AssumedRole",
      "principalId":"ADFDDDFF7FDF7GFFF2DF0:i-76vfa923",
      "arn":"arn:aws:sts::435456556566:assumed-role/ecsInstanceRole/i-76vfa923",
      "accountId":"435456556566",
      "accessKeyId":"AOFGPJFIJFFOIJFIOJHF",
      "sessionContext":{
         "attributes":{
            "mfaAuthenticated":"false",
            "creationDate":"2017-10-02T20:08:54.107Z"
         },
         "sessionIssuer":{
            "type":"Role",
            "principalId":"ADFDDDFF7FDF7GFFF2DF0",
            "arn":"arn:aws:iam::435456556566:role/ecsInstanceRole",
            "accountId":"435456556566",
            "userName":"kevin"
         }
      }
   },
   "eventTime":"2017-10-02T20:08:54.107Z",
   "eventSource":"ecs.amazonaws.com",
   "eventName":"RegisterTaskDefinition",
   "awsRegion":"us-west-1",
   "sourceIPAddress":"73.168.34.72",
   "userAgent":"Amazon ECS Agent - v1.12.2 (ecda8a6) (+http://aws.amazon.com/ecs/)",
   "requestParameters":{
      "attributes":[
         {
            "name":"com.amazonaws.ecs.capability.privileged-container"
         },
         {
            "name":"com.amazonaws.ecs.capability.docker-remote-api.1.17"
         },
         {
            "name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"
         },
         {
            "name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"
         },
         {
            "name":"com.amazonaws.ecs.capability.docker-remote-api.1.20"
         },
         {
            "name":"com.amazonaws.ecs.capability.docker-remote-api.1.21"
         },
         {
            "name":"com.amazonaws.ecs.capability.docker-remote-api.1.22"
         },
         {
            "name":"com.amazonaws.ecs.capability.logging-driver.json-file"
         },
         {
            "name":"com.amazonaws.ecs.capability.logging-driver.syslog"
         },
         {
            "name":"com.amazonaws.ecs.capability.logging-driver.awslogs"
         },
         {
            "name":"com.amazonaws.ecs.capability.ecr-auth"
         },
         {
            "name":"com.amazonaws.ecs.capability.task-iam-role"
         },
         {
            "name":"com.amazonaws.ecs.capability.task-iam-role-network-host"
         }
      ],
      "totalResources":[
         {
            "type":"INTEGER",
            "doubleValue":0.0,
            "integerValue":1024,
            "longValue":0,
            "name":"CPU"
         },
         {
            "type":"INTEGER",
            "doubleValue":0.0,
            "integerValue":995,
            "longValue":0,
            "name":"MEMORY"
         },
         {
            "type":"STRINGSET",
            "stringSetValue":[
               "22",
               "2375",
               "2376",
               "51678",
               "51679"
            ],
            "doubleValue":0.0,
            "integerValue":0,
            "longValue":0,
            "name":"PORTS"
         },
         {
            "type":"STRINGSET",
            "stringSetValue":[ ],
            "doubleValue":0.0,
            "integerValue":0,
            "longValue":0,
            "name":"PORTS_UDP"
         }
      ],
      "instanceIdentityDocumentSignature":"pqWe1trtreertermhC6vz\nZ0e/ZyOVVKXOb0fiiouyuyturtyreuFaoghqQ0wWurXzcHb6CrtreyteV6hPM=",
      "cluster":"graphite",
      "instanceIdentityDocument":"{\n  \"privateIp\" : \"10.0.1.83\",\n  \"devpayProductCodes\" : null,\n  \"availabilityZone\" : \"us-west-1c\",\n  \"accountId\" : \"435456556566\",\n  \"version\" : \"2010-08-31\",\n  \"instanceId\" : \"i-76vfa923\",\n  \"billingProducts\" : null,\n  \"instanceType\" : \"t2.micro\",\n  \"imageId\" : \"ami-444d0224\",\n  \"pendingTime\" : \"2016-11-15T21:07:08Z\",\n  \"architecture\" : \"x86_64\",\n  \"kernelId\" : null,\n  \"ramdiskId\" : null,\n  \"region\" : \"us-west-1\"\n}"
   },
   "responseElements":{
      "containerInstance":{
         "versionInfo":{ },
         "runningTasksCount":0,
         "ec2InstanceId":"i-13dcar4566",
         "remainingResources":[
            {
               "type":"INTEGER",
               "doubleValue":0.0,
               "integerValue":1024,
               "longValue":0,
               "name":"CPU"
            },
            {
               "type":"INTEGER",
               "doubleValue":0.0,
               "integerValue":995,
               "longValue":0,
               "name":"MEMORY"
            },
            {
               "type":"STRINGSET",
               "stringSetValue":[
                  "22",
                  "2376",
                  "2375",
                  "51678",
                  "51679"
               ],
               "doubleValue":0.0,
               "integerValue":0,
               "longValue":0,
               "name":"PORTS"
            },
            {
               "type":"STRINGSET",
               "stringSetValue":[ ],
               "doubleValue":0.0,
               "integerValue":0,
               "longValue":0,
               "name":"PORTS_UDP"
            }
         ],
         "agentConnected":true,
         "pendingTasksCount":0,
         "registeredResources":[
            {
               "type":"INTEGER",
               "doubleValue":0.0,
               "integerValue":1024,
               "longValue":0,
               "name":"CPU"
            },
            {
               "type":"INTEGER",
               "doubleValue":0.0,
               "integerValue":995,
               "longValue":0,
               "name":"MEMORY"
            },
            {
               "type":"STRINGSET",
               "stringSetValue":[
                  "22",
                  "2376",
                  "2375",
                  "51678",
                  "51679"
               ],
               "doubleValue":0.0,
               "integerValue":0,
               "longValue":0,
               "name":"PORTS"
            },
            {
               "type":"STRINGSET",
               "stringSetValue":[ ],
               "doubleValue":0.0,
               "integerValue":0,
               "longValue":0,
               "name":"PORTS_UDP"
            }
         ],
         "containerInstanceArn":"arn:aws:ecs:us-west-1:435456556566:container-instance/3f28c319-u9n2-1476-3d2n-b7c254fv411",
         "attributes":[
            {
               "name":"com.amazonaws.ecs.capability.privileged-container"
            },
            {
               "name":"com.amazonaws.ecs.capability.docker-remote-api.1.17"
            },
            {
               "name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"
            },
            {
               "name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"
            },
            {
               "name":"com.amazonaws.ecs.capability.docker-remote-api.1.20"
            },
            {
               "name":"com.amazonaws.ecs.capability.docker-remote-api.1.21"
            },
            {
               "name":"com.amazonaws.ecs.capability.docker-remote-api.1.22"
            },
            {
               "name":"com.amazonaws.ecs.capability.logging-driver.json-file"
            },
            {
               "name":"com.amazonaws.ecs.capability.logging-driver.syslog"
            },
            {
               "name":"com.amazonaws.ecs.capability.logging-driver.awslogs"
            },
            {
               "name":"com.amazonaws.ecs.capability.ecr-auth"
            },
            {
               "name":"com.amazonaws.ecs.capability.task-iam-role"
            },
            {
               "name":"com.amazonaws.ecs.capability.task-iam-role-network-host"
            }
         ],
         "status":"ACTIVE",
         "version":1
      }
   },
   "requestID":"ae86b372-ab77-11e6-824c-c7c4220f0423",
   "eventID":"ff9fc985-1fbe-4717-965b-607dda32f620",
   "eventType":"AwsApiCall",
   "recipientAccountId":"435456556566"
}

Query Sample

Deleted Resources Over Time

_sourceCategory=ecs* (DeleteCluster or DeleteService or DeregisterContainerInstance or DeregisterTaskDefinition or StopTask) and !(InternalFailure)
| json "eventName" as event_name
| parse "\"userName\":\"*\"" as user 
| parse "\"awsRegion\":\"*\"" as region 
| parse "\"cluster\":\"*\"" as cluster
| timeslice 1h
| parse regex field=event_name "^(?:Delete|Deregister|Stop)(?<resource_type>[A-Z][A-Za-z]+)"
| count by resource_type, _timeslice
| transpose row _timeslice column resource_type
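As an added example (not part of the Sumo Logic page), the Python below runs the same pipeline as the "Deleted Resources Over Time" query over five constructed CloudTrail events: the keyword scope on the five delete/deregister/stop event names, the !(InternalFailure) exclusion (a keyword search over the whole raw message, emulated here by searching the serialized event), the parse regex that strips the verb to leave the resource type, the 1h timeslice and the count, returned already transposed as timeslice -> resource_type -> count. The events are modelled on the page's sample record; the fourth one carries an InternalFailure error code and the fifth is a RegisterTaskDefinition, so both must drop out.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime

DELETE_EVENTS = {
    "DeleteCluster", "DeleteService", "DeregisterContainerInstance",
    "DeregisterTaskDefinition", "StopTask",
}
# Same regex as the query's 'parse regex' stage (Python spells the group (?P<name>...)).
RESOURCE_TYPE_RE = re.compile(r"^(?:Delete|Deregister|Stop)(?P<resource_type>[A-Z][A-Za-z]+)")

# Constructed CloudTrail events, reduced to the fields the query reads. The
# fourth one failed with InternalFailure and the fifth is not a delete.
SAMPLE_EVENTS = [
    {"eventTime": "2017-10-02T20:08:54.107Z", "eventName": "DeleteService",
     "userName": "kevin", "awsRegion": "us-west-1", "cluster": "graphite"},
    {"eventTime": "2017-10-02T20:40:10Z", "eventName": "StopTask",
     "userName": "kevin", "awsRegion": "us-west-1", "cluster": "graphite"},
    {"eventTime": "2017-10-02T21:02:00Z", "eventName": "DeleteCluster",
     "userName": "ci-bot", "awsRegion": "us-west-1", "cluster": "graphite"},
    {"eventTime": "2017-10-02T21:15:00Z", "eventName": "DeregisterTaskDefinition",
     "userName": "kevin", "awsRegion": "us-west-1", "cluster": "graphite",
     "errorCode": "InternalFailure"},
    {"eventTime": "2017-10-02T21:30:00Z", "eventName": "RegisterTaskDefinition",
     "userName": "kevin", "awsRegion": "us-west-1", "cluster": "graphite"},
]


def timeslice_1h(event_time: str) -> str:
    """'timeslice 1h': truncate the CloudTrail eventTime to the hour (UTC)."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00"))
    return ts.replace(minute=0, second=0, microsecond=0).isoformat()


def resource_type(event_name: str):
    """'parse regex': strip the Delete/Deregister/Stop verb and keep the noun."""
    m = RESOURCE_TYPE_RE.match(event_name)
    return m.group("resource_type") if m else None


def deleted_resources_over_time(events) -> dict:
    """Return {timeslice: {resource_type: count}}, i.e. the transposed table
    the query produces, applying the same keyword scope and exclusion."""
    table = defaultdict(Counter)
    for ev in events:
        if ev.get("eventName") not in DELETE_EVENTS:
            continue
        # !(InternalFailure) is a keyword search over the whole raw message.
        if "InternalFailure" in json.dumps(ev):
            continue
        rt = resource_type(ev["eventName"])
        if rt is None:
            continue
        table[timeslice_1h(ev["eventTime"])][rt] += 1
    return {slot: dict(counts) for slot, counts in sorted(table.items())}


if __name__ == "__main__":
    for slot, counts in deleted_resources_over_time(SAMPLE_EVENTS).items():
        print(slot, counts)
```

One check before relying on this query: its scope is `_sourceCategory=ecs*`, whereas the CloudTrail source set up earlier on this page uses the source category aws/observability/cloudtrail/logs. If your source category does not start with "ecs", change the scope to match it (or to the namespace field the FER adds), otherwise the query returns nothing even while deletions are being logged.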