CloudWatch Metrics, Log Group Metrics and Dashboards in AWS
When you start creating a new dashboard in CloudWatch, you are prompted to add a widget. A widget can show pre-built metrics (e.g. CPU Utilization, or VPN data in and data out) or custom metrics built from log queries.
The log queries themselves need a log group to run against.
Which Log Groups are of interest?
The two most important log groups are FlowLogsGroup (VPC Flow Logs) and aws-ControlTower/CloudTrailLogs (CloudTrail events collected by Control Tower).
Control Tower Centralized Logging
Control Tower provides one management account and up to two OUs (the Security OU and an optional Sandbox OU).
Under the Security OU sits a centralized logging account. All the other accounts within the root OU can send their logs to this single centralized account.
Sample Queries from the Control Tower CloudTrail log group
Show All Exceptions from All Accounts
filter @message like /Exception/
Count All Exceptions from All Accounts in the last 3 days (bin(72h) groups the matches into 72-hour buckets; the "last 3 days" window itself is set with the query time range picker)
filter @message like /Exception/ | stats count(*) as exceptionCount by bin(72h) | sort exceptionCount desc
Show All instances that were started or stopped in a particular region (CloudTrail records the region in the awsRegion field)
filter (eventName="StartInstances" or eventName="StopInstances") and awsRegion="us-east-2"
Sample Queries from VPC Flow Logs log group
Show the top source/destination pairs by packets transferred (pick a different log group for this one - the FlowLogsGroup)
stats sum(packets) as packetsTransferred by srcAddr, dstAddr | sort packetsTransferred desc | limit 15
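To put the queries from both log groups onto a dashboard, the following added example (not code from the original post) builds a CloudWatch dashboard body with one Logs Insights widget per query and publishes it with boto3. It assumes the log groups aws-ControlTower/CloudTrailLogs and FlowLogsGroup exist in the dashboard's region, and the dashboard name security-overview is a placeholder.

```python
import json

def logs_widget(title, log_group, query, x, y, width=12, height=6,
                view="table", region="us-east-2"):
    """Return one dashboard widget of type 'log'.

    A Logs Insights widget's query must begin with a SOURCE clause naming the
    log group it runs against; the rest is the query as typed in the console.
    """
    return {
        "type": "log",
        "x": x, "y": y, "width": width, "height": height,
        "properties": {
            "region": region,
            "title": title,
            "view": view,
            "query": f"SOURCE '{log_group}' | {query}",
        },
    }

def build_dashboard_body(region="us-east-2"):
    """Lay the three queries from the post out on the 24-column dashboard grid."""
    ct = "aws-ControlTower/CloudTrailLogs"   # Control Tower CloudTrail log group
    fl = "FlowLogsGroup"                      # VPC Flow Logs log group
    widgets = [
        logs_widget("Exceptions per 72h (all accounts)", ct,
                    "filter @message like /Exception/ "
                    "| stats count(*) as exceptionCount by bin(72h) "
                    "| sort exceptionCount desc", 0, 0, view="bar", region=region),
        # CloudTrail stores the region in awsRegion, not region.
        logs_widget("Instance start/stop in us-east-2", ct,
                    'filter (eventName="StartInstances" or eventName="StopInstances") '
                    'and awsRegion="us-east-2"', 12, 0, region=region),
        logs_widget("Top talkers by packets", fl,
                    "stats sum(packets) as packetsTransferred by srcAddr, dstAddr "
                    "| sort packetsTransferred desc | limit 15",
                    0, 6, width=24, region=region),
    ]
    return {"widgets": widgets}

def publish(name, body, region="us-east-2"):
    """Create or replace the dashboard; needs AWS credentials for the logging account."""
    import boto3
    cw = boto3.client("cloudwatch", region_name=region)
    # The response's DashboardValidationMessages lists any widget the service rejected.
    return cw.put_dashboard(DashboardName=name, DashboardBody=json.dumps(body))

if __name__ == "__main__":
    print(json.dumps(build_dashboard_body(), indent=2))   # inspect before publishing
    # publish("security-overview", build_dashboard_body())  # placeholder dashboard name
```

Run it from the centralized logging account, since that is where both log groups live.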