Documentation for SolarWinds Observability SaaS

Add logs from AWS

This topic covers using AWS Lambda to collect logs from your AWS cloud account. For information about the AWS Lambda metrics that can be gathered when monitoring your AWS cloud account, see Lambda metrics. For information about AWS Lambda instrumentation for service entities, see AWS Lambda instrumentation.

You can use SolarWinds Observability SaaS to monitor logs from your Amazon AWS cloud.

To configure logs, you need a Lambda function for your AWS account. You can create this manually or using the Add AWS Host wizard. Add triggers for the log groups to be ingested in SolarWinds Observability SaaS.

Create the Lambda function once per AWS Cloud account, either manually or using the wizard. To monitor other aspects of your AWS infrastructure, add triggers for multiple log groups.

Configure the Lambda function

The Lambda function you configure is available only in the selected AWS region.

  1. Copy or create an API token (Ingestion type), found in the settings area of SolarWinds Observability SaaS. You will need it later. See API Tokens for details.

  2. Log in to the AWS Console and open the AWS Lambda console.

  3. Create a new function using the public SolarWinds-Observability-Logs application available in the AWS Serverless Application Repository. See How to Deploy Applications for information about deploying serverless applications.

  4. Configure the application with the following settings:

    • Paste the ingestion token you copied in step 1.

    • Enter an OTLP endpoint parameter or use the default value. The OTLP endpoint will change depending on the URL used to access SolarWinds Observability SaaS. See Data centers and endpoint URIs to determine your organization's endpoint.

  5. Deploy the application to your AWS account.

  6. Add the triggers for log groups to be monitored.

Update the Lambda function configuration

Follow the steps below to update your Lambda function configuration.

The instructions are valid for Lambda functions configured before April 6, 2024.

  1. Construct the URL using the string template below, replacing 111222333444 with your cloud account ID.

    https://s3.amazonaws.com/awsserverlessrepo-changesets-plntc6bfnfj/111222333444/arn:aws:serverlessrepo:us-east-1:851060098468:applications-SolarWinds-Observability-Logs-versions-0.0.11/13fa5840-b2eb-459f-8541-8761e678b081

    To obtain the account ID, log in to the AWS Console, click the account name in the top right corner, and click Account in the drop-down. The account ID is available under Account settings.

  2. In the AWS Console, open the AWS Lambda page, and click the function you want to update.

  3. In Code source, click Upload from, select Amazon S3 location, and enter the URL constructed in step 1.

  4. Scroll down to Runtime settings and click Edit.

  5. In Runtime, select Amazon Linux 2023. In Handler, select bootstrap.

  6. Save changes.

  7. Verify Lambda logs.

Add triggers for log groups to be monitored with SolarWinds Observability SaaS

For each log group that you want to monitor, configure the log events in a log group to trigger the Lambda function. If you are using EKS or CloudTrail, send the logs and traced events to CloudWatch first, then set up your trigger.

After you complete the configuration, the AWS logs can be seen in the Logs Explorer.

Capture traced events

Traced events and logs from Amazon services, such as EKS and CloudTrail, can be sent to a log group in CloudWatch Logs. Once the logs are configured to go to CloudWatch Logs, a trigger can be used to send the CloudWatch logs to SolarWinds Observability SaaS.

Capture CloudTrail events

If you want to capture traced events from the CloudTrail service and send them to SolarWinds Observability SaaS using CloudWatch log events, configure the CloudTrail events capture.

  1. In your AWS account, navigate to CloudTrail > Dashboard.

  2. Create a trail and specify required parameters for a new trail, or navigate to an existing trail.

  3. Under CloudWatch Logs, click the Enabled box and specify the target log group and access role.

Capture EKS logs

To make EKS logs available to CloudWatch and send them to SolarWinds Observability SaaS, see Logging for Amazon EKS - AWS Prescriptive Guidance in the Amazon AWS documentation.

After setting up, the following log groups will be available:

  • /aws/containerinsights/<CLUSTER_NAME>/performance
  • /aws/eks/<CLUSTER_NAME>/cluster
  • /aws/containerinsights/<CLUSTER_NAME>/application
  • /aws/containerinsights/<CLUSTER_NAME>/host
  • /aws/containerinsights/<CLUSTER_NAME>/dataplane

Configure log events to trigger the Lambda function

Configure log events that will trigger the Lambda function. With the newly created Lambda function open, do the following:

  1. Click Add trigger.

  2. Select CloudWatch Logs in the drop-down menu.

  3. Either select the log group that serves as the event source or define a filter pattern.

  4. Add more triggers, if appropriate.
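To see what a CloudWatch Logs trigger hands to the function, and therefore which account, log group, and message data leaves your account, the following added example (not SolarWinds code) decodes the standard CloudWatch Logs subscription payload. The cluster name, stream name, filter name, and log messages are constructed sample values.

```python
import base64
import gzip
import json


def decode_cloudwatch_logs_event(event):
    """Decode the event CloudWatch Logs passes to a subscribed Lambda function.

    Returns (log_group, log_stream, messages). Payloads that are not
    DATA_MESSAGE (for example CONTROL_MESSAGE) yield an empty message list.
    """
    # The payload arrives as base64-encoded, gzip-compressed JSON.
    compressed = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(compressed))
    if payload.get("messageType") != "DATA_MESSAGE":
        return payload.get("logGroup"), payload.get("logStream"), []
    messages = [e["message"] for e in payload.get("logEvents", [])]
    return payload["logGroup"], payload["logStream"], messages


def build_sample_event(payload):
    """Wrap a payload the way CloudWatch Logs does: JSON -> gzip -> base64."""
    raw = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(raw).decode("ascii")}}


# Constructed sample payload; none of these values come from a real account.
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "111222333444",
    "logGroup": "/aws/eks/demo-cluster/cluster",
    "logStream": "kube-apiserver-audit-example",
    "subscriptionFilters": ["example-trigger"],
    "logEvents": [
        {"id": "1", "timestamp": 1712400000000, "message": "audit: get pods"},
        {"id": "2", "timestamp": 1712400001000, "message": "audit: list secrets"},
    ],
}

if __name__ == "__main__":
    event = build_sample_event(SAMPLE_PAYLOAD)
    print(decode_cloudwatch_logs_event(event))
```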

(Optional) Secure the API token and OTLP endpoint parameters

To prevent the API token from being viewed in the Lambda web console, encrypt the token.

  1. In the Lambda web console, navigate to SendLogsFunction in the Functions section.

  2. Click the Configuration tab, and click Edit in the Environment variables section.

  3. Click Enable helpers for encryption in transit and click Encrypt for the API_TOKEN environment variable. The Encryption in transit window opens.

  4. Select your AWS KMS key, copy the text from the Execution role policy, and click Encrypt.

  5. Repeat this operation for the OTLP_ENDPOINT environment variable.

  6. Set the USE_ENCRYPTION environment variable to yes and click Save.

  7. Navigate to the SendLogsFunction execution role in the IAM web console. This can be found in Configuration > Permissions > Execution role.

  8. In the Permissions tab, choose Add permissions > Create inline policy.

  9. In the Create policy window, activate the JSON tab and paste the execution policy previously copied from the Environment variable encryption dialog.

  10. Click Review policy, specify the policy name, and click Create policy.

  11. Navigate to the SendLogsFunction page and go to the Test tab.

  12. Select CloudWatch Logs from the drop-down and click Test to verify that encrypted parameters can be accessed by the function.
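Before pasting the execution policy in step 9, it is worth confirming that it grants no more than decryption with the key you selected. The following added example (not SolarWinds or AWS code) audits a policy document on the assumption that the copied policy should allow only kms:Decrypt on that one key; the key ARN and both policies are constructed samples.

```python
import json


def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]


def audit_kms_policy(policy_json, expected_key_arn):
    """Return findings for Allow statements that grant KMS access beyond
    kms:Decrypt on expected_key_arn. Only Action/Resource are checked,
    not NotAction/NotResource or Condition."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        kms_actions = [a for a in actions if a == "*" or a.startswith("kms:")]
        if not kms_actions:
            continue  # statement does not touch KMS
        for action in kms_actions:
            if action != "kms:decrypt":
                findings.append(f"statement {i}: action {action} is broader than kms:Decrypt")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != expected_key_arn:
                findings.append(f"statement {i}: resource {resource} is not the selected key")
    return findings


# Constructed placeholder ARN and policies, for illustration only.
KEY_ARN = "arn:aws:kms:us-east-1:111222333444:key/EXAMPLE-KEY-ID"
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
})
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
})

if __name__ == "__main__":
    print(audit_kms_policy(SCOPED_POLICY, KEY_ARN))
    print(audit_kms_policy(BROAD_POLICY, KEY_ARN))
```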

Remove the Lambda function

If the Lambda function was created by the Add AWS Cloud Account wizard, the function will be removed when you remove the AWS cloud account integration.

If you added the Lambda function manually and do not want to monitor the AWS cloud account anymore, remove the send-logs-app stack. Calling the function consumes resources and is subject to charge.

To remove the send-logs-app stack:

  1. Log in to your AWS Console.
  2. Navigate to the CloudFormation > Stacks page.
  3. Find the send-logs-app stack and click Delete.

The application stack and Lambda function associated with it will be removed from the account.