Deploy AWS Observability
You deploy the AWS Observability Solution using an AWS CloudFormation template. The template prompts you to supply values for configuration options, and uses your input to configure the solution for your AWS environment.
This section walks you through the process of executing the AWS CloudFormation template to set up the AWS Observability Solution for a single AWS region and account combination.
Before you start
If this is the first time you've deployed the AWS Observability Solution, read the Before You Deploy topic for information about:
- Prerequisites for installing the solution.
- Things you should keep in mind before you run the CloudFormation template.
- Instructions for setting up Sumo Logic Host Metric Sources on your EC2 hosts.
Review required inputs
The sections below describe the configuration prompts in the CloudFormation template and the information you need to supply. Before you start filling out the template, it’s a good idea to review each section to make sure you know which sections you want to fill out, and that you have the information you need to proceed
Step 1: Open the CloudFormation template
Step 2: Sumo Logic access configuration
Provide a response to each prompt in this section.
| Prompt | Guideline |
|---|---|
| Sumo Logic Deployment Name | Enter au, ca, de, eu, jp, us2, in, fed or us1. For more information on Sumo Logic deployments, see the Sumo Logic Endpoints and Firewall Security topic. |
| Sumo Logic Access ID | Sumo Logic Access ID. For more information, see Create an access key in the Access Keys topic. |
| Sumo Logic Access Key | Sumo Logic Access Key. This key is used for Sumo Logic API calls. |
| Sumo Logic Organization ID | You can find your org on the Preferences page in the Sumo Logic UI. For more information, see the Preferences Page topic. Your org ID will be used to configure the IAM Role for Sumo Logic AWS Sources. |
| Delete Sumo Logic Resources when stack is deleted | To delete collectors, sources and apps in Sumo Logic when the stack is deleted, set this parameter to "True". If this is set to "False", Sumo Logic resources are not deleted when the AWS CloudFormation stack is deleted. Deletion of updated resources will be skipped. |
Step 3: AWS account alias
Provide a response to the prompt in this section.
| Prompt | Guideline |
|---|---|
| Alias for your AWS account | Enter a name for the AWS environment from which you are collecting data. This name will appear in the Sumo Logic Explorer View, metrics and logs. Do not include special characters in the alias. |
Step 4: Sumo Logic AWS Observability apps
You should only install the AWS Observability apps the first time you run the template.
| Prompt | Guideline |
|---|---|
| Install AWS Observability apps | Yes – Installs the apps (AWS EC2, AWS Application Load Balancer, Amazon RDS, AWS API Gateway, AWS Lambda, and AWS DynamoDB) for the Sumo Logic AWS Observability Solution. All the apps are installed in the Sumo Logic AWS Observability Apps Personal folder in Sumo Logic.No – Skips the installation of the apps. |
Step 5: Sumo Logic AWS CloudWatch Metrics and Inventory Source
Provide responses to the prompts in this section.
| Prompt | Guideline |
|---|---|
| Select the Sumo Logic Metrics Sources to create | CloudWatchMetrics - Creates a Sumo Logic CloudWatch Metrics Source, which collects metrics for multiple namespaces from the region selected. InventorySource - Creates a Sumo Logic Inventory Source used by Root Cause Explorer. Both - Installs Both Sumo Logic CloudWatch Metrics and Inventory Source None - Skips the Installation of both the Sumo Logic Sources |
| Sumo Logic AWS Metrics Namespaces | Enter a comma-delimited list of the namespaces which will be used for both AWS CLoudWatch Metrics and Inventory Sources. The default will be AWS/ApplicationELB, AWS/ApiGateway, AWS/DynamoDB, AWS/Lambda, AWS/RDS, AWS/ECS, AWS/ElastiCache, AWS/ELB, AWS/NetworkELB. AWS/AutoScaling will be appended to Namespaces for Inventory Sources. |
| Existing Sumo Logic CloudWatch Metrics Source API URL | You must supply this URL if you are already collecting CloudWatch Metrics. Provide the existing Sumo Logic CloudWatch Metrics Source API URL. For information on how to determine the URL, see View or Download Source JSON Configuration |
Step 6: Sumo Logic AWS ALB Log Source Details
Provide responses to the prompts in this section.
| Prompt | Guideline |
|---|---|
| Enable ALB Access logging | New - Automatically enables collection of logs via Amazon S3 when new Application Load Balancers are created. This does not affect ALB resources already collecting logs. Existing - Enables collection of logs via Amazon S3 for existing Application Load Balancers only. Both - Enables collection of logs for new and existing Application Load Balancers None - Does not enable collection of logs for Application Load Balancers |
| Create Sumo Logic ALB Logs Source | Yes - Creates a Sumo Logic ALB Log Source that collects ALB logs from an existing bucket or a new bucket. No - Select this if you already have an ALB source configured in Sumo Logic. |
| Existing Sumo Logic ALB Logs Source API URL | You must supply this URL if you are already collecting ALB logs. Enter the existing Sumo Logic ALB Source API URL. For information on how to determine the URL, see View or Download Source JSON Configuration. |
| AWS S3 Bucket Name | Provide a name of an existing S3 bucket name where you would like to store ALB logs. If this is empty, a new bucket will be created in the region |
| Path Expression for the Existing ALB logs | This is required in case the above existing bucket is already configured to receive ALB access logs. If this is blank, Sumo Logic will store logs in the path expression:elasticloadbalancing/AWSLogs/* |
Step 7: Sumo Logic AWS CloudTrail Source
Provide responses to the prompts in this section.
| Prompt | Guideline |
|---|---|
| Create Sumo Logic CloudTrail Logs Source | Yes - Creates a Sumo Logic CloudTrail Log Source that collects CloudTrail logs from an existing bucket or new bucket. No - If you already have a CloudTrail Log Source collecting CloudTrail logs. |
| Existing Sumo Logic CloudTrail Logs Source API URL | Required if you are already collecting CloudTrail logs. Provide the existing Sumo Logic CloudTrail Source API URL. For information on how to determine the URL, see View or Download Source JSON Configuration. |
| AWS S3 Bucket Name | Provide a name of an existing S3 bucket where you would like to store CloudTrail logs. If this is empty, a new bucket will be created in the region. |
| Path Expression to the Existing CloudTrail logs | This is required in case the above existing bucket is already configured to receive CloudTrail logs. If this is blank, Sumo Logic will store logs in the path expression:AWSLogs/*/CloudTrail/*/* |
Step 8: Sumo Logic AWS Lambda CloudWatch logs
Provide responses to the prompts in this section.
| Prompt | Guideline |
|---|---|
| Create Sumo Logic CloudWatch Logs Source | Yes - Creates the Sumo Logic CloudWatch Log Source that collects AWS Lambda logs from AWS. No - If you already have a CloudWatch Log source collecting AWS Lambda logs into Sumo Logic. |
| Existing Sumo Logic Lambda CloudWatch Logs Source API URL | Required you already collect AWS Lambda CloudWatch logs. Provide the existing Sumo Logic AWS Lambda CloudWatch Source API URL. For information on how to determine the URL, see View or Download Source JSON Configuration. |
| Subscribe log groups to Sumo Logic Lambda Forwarder | New - Automatically subscribes new AWS Lambda log groups to Lambda, to send logs to Sumo Logic. Existing - Automatically subscribes existing log groups to Lambda, to send logs to Sumo Logic. Both - Automatically subscribes new and existing log groups. None - Skips Automatic subscription of log groups. |
| Regex for Filtering lambda Log Groups | Enter a regex for matching log group names. For more information, see Configuring parameters in the Auto-Subscribe AWS Log Groups to a Lambda Function topic. |
Step 9: Sumo Logic AWS X-Ray Source
Provide responses to the prompts in this section.
| Prompt | Guideline |
|---|---|
| Create Sumo Logic AWS X-Ray Source | Yes - Creates a Sumo Logic AWS X-Ray Source that collects X-Ray Trace Metrics from your AWS account.<\br><\br> No - If you already have a Sumo Logic AWS X-Ray source configured or skip the source creation. |
Step 10: Create stack
- In Capabilities and transforms click each checkbox.
- Click Create Stack.
- Verify that the AWS CloudFormation template has executed successfully in a CREATE_COMPLETE status. This indicates that all the resources have been created successfully in both Sumo Logic and AWS.
- If the AWS CloudFormation template has not run successfully, identify and fix any permission errors till the stack completes with a CREATE_COMPLETE status. See Troubleshooting section for assistance with how to resolve these errors.
- Once the AWS Observability solution has been set up, to make the dashboards are accessible to other users in your Sumo Logic account, you will need to share the folder "Sumo Logic AWS Observability Apps-<Date of installation>" created in the personal library of the user that the Sumo Logic Access keys belong to with the appropriate members of your Sumo Logic account. For instructions on how to share your folders, see Share Content.
Start Monitoring your AWS services
Once the AWS CloudFormation template has completed successfully, you can start monitoring your AWS services as outlined in this document.
Troubleshooting
While deploying the template, you may receive error messages such as CREATE_FAILED status or ROLLBACK_COMPLETE status for various reasons. This section provides information on how to troubleshoot such AWS CloudFormation installation failures.
Determine the cause of a CloudFormation installation failure
This section walks you through the process of troubleshooting an AWS CloudFormation installation failure.
To debug an AWS CloudFormation installation failure, do the following:
- After the stack rollback is complete and the status is ROLLBACK_COMPLETE, go to the parent stack. In the parent stack, look for the first failure as shown in the following example.
The failure can be a direct reason or can point to a nested stack.
- Look for direct reasons for the failure that is available in the parent stack, as shown in the following example.
- To find indirect reasons for the failure, go to the nested stack mentioned in the status reason, as shown in the following example. Take a note of the resources mentioned in the reason.
- Select the deleted option to find the nested stacks, as shown in the following example.
- Go to the nested stack and look for the resource mentioned in the previous step to identify the reason, as shown in the following example.
Optimize CloudTrail log ingest
By default, the AWS Observability solution collects AWS CloudTrail logs for all AWS services. To reduce ingestion volume, you can define processing rules that limit log collection to only the logs that are relevant to dashboards provided by the AWS Observability solution.
You’ll define the processing rules for the Sumo Logic AWS CloudTrail Source that was created when you ran the CloudFormation template.
For instructions, see Create a Processing Rule. Create six rules, selecting Include messages that match as the rule type, using these regular expressions
.*\"eventSource\":\"elasticloadbalancing\.amazonaws\.com\".*
.*\"eventSource\":\"dynamodb\.amazonaws\.com\".*
.*\"eventSource\":\"ec2\.amazonaws\.com\".*
.*\"eventSource\":\"rds\.amazonaws\.com\".*
.*\"eventSource\":\"lambda\.amazonaws\.com\".*
.*\"eventSource\":\"apigateway\.amazonaws\.com\".*
Common errors
Below are some common errors that can occur while using the Cloud Formation template.
| Error | Description | Resolution |
|---|---|---|
| The API rate limit for this user has been exceeded. | This error indicates that AWS CloudFormation execution has exceeded the API rate limit set on the Sumo Logic side. It can occur if you install the AWS CloudFormation template in multiple regions or accounts using the same Access Key and Access ID. | Don't install the AWS CloudFormation template in multiple regions or accounts with the same Access Key and Access ID. |
| S3 Bucket already exists. | The error can occur if: An S3 bucket with the same name exists in S3, or The S3 Bucket is not present in S3 but is referenced by some other AWS CloudFormation stack which created it. |
Remove the S3 bucket from S3 or select “No” in the AWS Cloudformation template for S3 bucket creation. Remove the AWS CloudFormation Stack which references the S3 bucket. |
| The S3 bucket you tried to delete is not empty. | The error can occur while deleting the stack with a non-empty S3 bucket. | Delete the S3 bucket manually if you don't need the bucket or its content in the future. |
Rolling back the AWS Observability Solution
When you roll back the AWS Observability Solution, all the resources that were created with the AWS CloudFormation stack are deleted. The resources deleted with a rollback include AWS Observability Solution apps, collectors, sources, S3 buckets, Lambda functions, IAM roles, bucket policy, SNS topic, and SNS subscriptions.
Rolling back the AWS Observability Solution deletes the main AWS CloudFormation stack, along with the nested stack and associated Sumo Logic and AWS resources. The following rollback guidelines apply:
- Sumo Logic resources are deleted based on the “Delete Sumo Logic Resources when the stack is deleted” flag provided during the AWS CloudFormation configuration. These resources include apps, collectors, and sources.
- AWS resources are deleted by default, regardless of the flag provided. These resources include S3 buckets, Lambda functions, IAM roles, bucket policy, SNS topic, and SNS subscription.
To uninstall the AWS Observability Solution, do the following:
- Log in to your AWS account and go to CloudFormation.
- Select the main stack you want to delete.
