Set up AWS log forwarding

AWS log forwarding allows you to stream logs from AWS CloudWatch into Dynatrace logs via an existing ActiveGate.

See below for how you can deploy and configure the necessary AWS infrastructure between AWS CloudWatch and Dynatrace (Firehose, Lambda, Log Group Subscription Filters).

Prerequisites

  • Dynatrace version 1.217+

  • ActiveGate version 1.217+

  • Dynatrace Log Monitoring v2. To enable Dynatrace Log Monitoring v2, contact a Dynatrace ONE product specialist by selecting the chat button in the upper-right corner of the Dynatrace menu bar.

  • Enable generic log ingestion

  • Create an API token and enable the Ingest logs permission.

  • Determine the API URL for your environment:

    • https://<your_activegate_IP_or_hostname>:9999/e/<your_environment_ID>
      To determine <your_environment_ID>, see environment ID.
      Note: Currently only an ActiveGate endpoint is supported.
  • You can run deployment from AWS CloudShell or from any machine with AWS CLI installed that supports Bash script execution. The user or role that you use for running the deployment script needs to have the following permissions:

Note: The deployment script uses the default AWS CLI profile configuration. Alternatives:

Deploy

To deploy AWS log forwarding

  1. Set the following environment variables in your environment.

Note: TARGET_URL and TARGET_API_TOKEN are required environment variables, and you need to replace the placeholders with your own values, while changing REQUIRE_VALID_CERTIFICATE is optional. See Deploy table for details.

TARGET_URL=<your_API_URL>
TARGET_API_TOKEN=<your_API_token>
REQUIRE_VALID_CERTIFICATE=false
  2. Download the script and deploy the infrastructure.

wget -O dynatrace-aws-log-forwarder.zip https://github.com/dynatrace-oss/dynatrace-aws-log-forwarder/releases/latest/download/dynatrace-aws-log-forwarder.zip \
  && unzip -qo dynatrace-aws-log-forwarder.zip \
  && ./dynatrace-aws-logs.sh deploy --target-url "$TARGET_URL" --target-api-token "$TARGET_API_TOKEN" --require-valid-certificate "$REQUIRE_VALID_CERTIFICATE"

Deployment usage and options

For additional deployment options, see the command below.
Note: --target-url and --target-api-token are required parameters, and you need to replace the placeholders with your own values, while --require-valid-certificate and --stack-name are optional. See Deploy table for details.

dynatrace-aws-logs.sh deploy --target-url <your_API_URL> --target-api-token <your_API_token> [--require-valid-certificate {true|false}] [--stack-name <your_stack_name>]

Deploy table

| Command-line parameter | Environment variable | Description | Default value |
|---|---|---|---|
| --target-url | TARGET_URL | required. The API URL to your Dynatrace SaaS environment logs ingest target. See Prerequisites for instructions. | |
| --target-api-token | TARGET_API_TOKEN | required. Your API token. See Prerequisites for instructions. | |
| --require-valid-certificate | REQUIRE_VALID_CERTIFICATE | optional. If set to true, Dynatrace verifies the SSL certificate of your Dynatrace environment URL. | false |
| --stack-name | STACK_NAME | optional. The name of the CloudFormation stack where you want to deploy the resources. | dynatrace-aws-logs |
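
A pre-flight check for the deploy variables, added here as an example and not part of the Dynatrace script: it validates the TARGET_URL shape given in Prerequisites, rejects an unreplaced token placeholder, and checks the REQUIRE_VALID_CERTIFICATE value. The function names and the accepted host and environment ID character sets are assumptions.

```shell
#!/bin/sh
# Added example (not from the Dynatrace script): pre-flight checks for the
# deploy variables. Function names and character sets are assumptions.

# Succeeds only for https://<host>[:<port>]/e/<environment_ID>, the ActiveGate
# URL shape given in Prerequisites. Plain http:// is rejected.
valid_target_url() {
  # Reject embedded newlines, which grep would otherwise test line by line.
  case $1 in *'
'*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?/e/[A-Za-z0-9-]+/?$'
}

# Usage: preflight <target_url> <api_token> [require_valid_certificate]
# Prints one line per problem; the exit status is the number of problems.
preflight() (
  url=$1 token=$2 verify=${3:-false}   # false is the documented default
  problems=0
  valid_target_url "$url" || {
    echo "TARGET_URL must look like https://<host>:<port>/e/<environment_ID>"
    problems=$((problems + 1)); }
  case "$token" in
    ''|'<'*) echo "TARGET_API_TOKEN is empty or still a placeholder"
             problems=$((problems + 1)) ;;
  esac
  case "$verify" in
    true) ;;
    false) echo "note: certificate verification is off" >&2 ;;
    *) echo "REQUIRE_VALID_CERTIFICATE must be true or false"
       problems=$((problems + 1)) ;;
  esac
  exit "$problems"
)
```

Run preflight "$TARGET_URL" "$TARGET_API_TOKEN" "$REQUIRE_VALID_CERTIFICATE" before the deploy command and continue only when it exits with status 0.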

Subscribe to log groups

After deploying the infrastructure, you need to subscribe to the log groups you are interested in to forward logs to Dynatrace.

To subscribe to log groups, you have the options described below.

Subscribe by listing log group names

Usage recommendation: Use this option if the number of log groups you'd like to subscribe to is small.

To subscribe: Run the command below, making sure to replace <your_log_group_list> with a space-separated list of the log group names you want to subscribe to.

Example list: /aws/lambda/my-lambda /aws/apigateway/my-api

./dynatrace-aws-logs.sh subscribe --log-groups <your_log_group_list>

Subscribe by reading log groups from file

Usage recommendation: Use this option if the number of log groups you'd like to subscribe to is large.

To subscribe

  1. Create a file and enter each log group name on a separate line.
  2. Save the file.
  3. Run the command below, making sure to replace <your_file_name> with the actual file name.
    ./dynatrace-aws-logs.sh subscribe --log-groups-from-file <your_file_name>

Log groups auto-discovery

To simplify file creation, you can use the auto-discovery command below to list the names of all log groups in your account. You can adjust the list manually before subscribing.
Note: Be sure to replace <your_log_groups_file> with the name of the file to which you want to redirect the output.

./dynatrace-aws-logs.sh discover-log-groups > <your_log_groups_file>

Subscribe by using a subscription filter pattern

Usage recommendation: By default, you subscribe to all the logs in the log group. Use this option if you want to restrict the logs you subscribe to. See Filter and Pattern Syntax for details on the pattern syntax.

Limitation: You can use only two subscription filters per log group, so the possibility of creating multiple filters with different patterns is limited. If you create a subscription filter that exceeds the limit, an AWS LimitExceededException occurs.

To subscribe: Run the command below, making sure to replace <your_log_group_list> and <your_filter_pattern> with your own values.

./dynatrace-aws-logs.sh subscribe --log-groups <your_log_group_list> --filter-pattern <your_filter_pattern>

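
The auto-discovery output and the two-filter limit described above can be handled in one selection step before subscribing. The following is an added example, not part of the Dynatrace script: it keeps only log groups under allowlisted prefixes and skips groups that already hold two subscription filters, using the AWS CLI describe-subscription-filters call. The function names and the prefix allowlist are assumptions.

```shell
#!/bin/sh
# Added example (not from the Dynatrace script): turn the discover-log-groups
# output into a reviewed subscription file. Function names are assumptions.
MAX_FILTERS=2   # per-log-group subscription filter limit stated on this page

# Print the number of subscription filters already attached to one log group.
filter_count() {
  aws logs describe-subscription-filters --log-group-name "$1" \
    --query 'length(subscriptionFilters)' --output text </dev/null
}

# Read log group names on stdin, one per line. Print the names that start
# with one of the allowlisted prefixes given as arguments and still have room
# for another subscription filter. Skipped names go to stderr with a reason.
select_log_groups() (
  while IFS= read -r group; do
    [ -n "$group" ] || continue
    keep=no
    for prefix in "$@"; do
      case "$group" in "$prefix"*) keep=yes ;; esac
    done
    if [ "$keep" = no ]; then
      echo "skip $group: not under an allowlisted prefix" >&2; continue
    fi
    count=$(filter_count "$group") || count=
    case $count in
      ''|*[!0-9]*) echo "skip $group: filter lookup failed" >&2; continue ;;
    esac
    if [ "$count" -ge "$MAX_FILTERS" ]; then
      echo "skip $group: already has $count subscription filters" >&2; continue
    fi
    printf '%s\n' "$group"
  done
)

# Usage (file name is a placeholder):
#   ./dynatrace-aws-logs.sh discover-log-groups |
#     select_log_groups /aws/lambda/ /aws/apigateway/ > <your_log_groups_file>
```

Groups at the limit are skipped regardless of which tool created their filters, so review the stderr output before running subscribe --log-groups-from-file.
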
Subscription usage and options

For additional subscription options, see the commands below.
Note: Consult the Subscription table for the commands below when replacing placeholders (<...>) with your own values.

dynatrace-aws-logs.sh subscribe {--log-groups <your_log_group_list> | --log-groups-from-file <your_file_name>}
                    [--stack-name <your_stack_name>] [--filter-pattern <your_filter_pattern>] [--role-arn ROLE_ARN] [--firehose-arn FIREHOSE_ARN]

Subscription table

| Command-line parameter | Environment variable | Description | Default value |
|---|---|---|---|
| --log-groups | LOG_GROUPS_LIST | A space-separated list of log group names you want to subscribe to. For example: /aws/lambda/my-lambda /aws/apigateway/my-api. | |
| --log-groups-from-file | LOG_GROUPS_FILE | A file listing the log groups you want to subscribe to. The file should contain each log group name on a separate line. | |
| --filter-pattern | FILTER_PATTERN | If set, it allows you to subscribe to a filtered stream of logs. | You subscribe to all logs in the log group. |
| --stack-name | STACK_NAME | The name of the CloudFormation stack where you have deployed the resources. | dynatrace-aws-logs |
| --firehose-arn | FIREHOSE_ARN | Specify to which AWS Kinesis Data Firehose the logs should be streamed by providing its ARN (Amazon Resource Name). Usage recommendation: Set this option if you have permission or performance issues with CloudFormation. | It will be extracted from the output of the CloudFormation stack used in the deploy step: either the $DEFAULT_STACK_NAME default value or the one specified with the --stack-name <your_stack_name> option. |
| --role-arn | ROLE_ARN | The ARN of an IAM role that grants CloudWatch Logs permission to deliver ingested log events to the destination stream. Usage recommendation: Set this option if you have permission or performance issues with CloudFormation. | It will be extracted from the output of the CloudFormation stack used in the deploy step: either the $DEFAULT_STACK_NAME default value or the one specified with the --stack-name <your_stack_name> option. |

Unsubscribe from log groups

If you don't want to forward logs to Dynatrace anymore, use one of the two options below to unsubscribe from log groups.

Unsubscribe by listing the log group names

Run the command below, making sure to replace <your_log_group_list> with a space-separated list of the log group names you want to unsubscribe from.

./dynatrace-aws-logs.sh unsubscribe --log-groups <your_log_group_list>

Unsubscribe by reading log groups from a file

Run the command below, making sure to replace <your_file_name> with the name of the file you created when subscribing by reading log groups from a file.

./dynatrace-aws-logs.sh unsubscribe --log-groups-from-file <your_file_name>

Unsubscribe usage and options

For additional unsubscribe options, see the commands below.

Note: Consult the Unsubscribe table for the commands below when replacing the placeholders (<...>) with your own values.

dynatrace-aws-logs.sh unsubscribe {--log-groups <your_log_group_list> | --log-groups-from-file <your_file_name>} [--stack-name <your_stack_name>]

Unsubscribe table

| Command-line parameter | Environment variable | Description | Default value |
|---|---|---|---|
| --log-groups | LOG_GROUPS_LIST | A space-separated list of log group names you want to unsubscribe from. For example: /aws/lambda/my-lambda /aws/apigateway/my-api. | |
| --log-groups-from-file | LOG_GROUPS_FILE | A file listing log groups you want to unsubscribe from, with each log group name on a separate line. | |
| --stack-name | STACK_NAME | The name of the CloudFormation stack where you have deployed the resources. | dynatrace-aws-logs |