Using a LogRhythm System Monitor, you can collect events and alarms from AWS CloudWatch. The System Monitor needs a user account with access to the AWS API. The cloudwatch.ini file uses the credentials of the AWS IAM user created in the previous section to create a secure connection between the LogRhythm System Monitor and AWS CloudWatch.

Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications that run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms. Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your applications and services.

Configure the cloudwatch.ini File

The cloudwatch.ini file contains many settings. The table below lists the cloudwatch.ini settings with the default values, the range of values when applicable, and a brief description of each value.

| Setting | Range | Default Value | Description |
|---|---|---|---|
| Region | | CHANGE_THIS | The Region ID for the specific CloudWatch region – for example, us-east-1. For more information, see CloudWatch Regions and Endpoints. |
| AccessKeyId | | CHANGE_THIS | The AWS Access Key ID (see the note below). |
| SecretAccessKey | | CHANGE_THIS | The AWS Secret Access Key (see the note below). |
| APIPollingIntervalInMs | 1000-60000 | 5000 | The AWS API polling interval, in milliseconds. |
| APIRetryCount | 0-5 | 3 | The AWS API retry count. |
| MaxResultCount | 1-50 | 50 | The AWS API result count. |
| MaxResultCountLogs | 1-1000 | 1000 | Specifies how many logs can be fetched from AWS CloudWatch API in a single request. This setting applies to AWS CloudWatch logs. It does not apply to AWS CloudWatch alarms. |
| StartupDelayInSeconds | | 30 | If the API needs to be queried when the System Monitor is started, it will wait this amount of time before running. |
| CollectCloudWatchAlarms | | true | This line does not appear in the .ini file, but these logs are collected automatically without adding it. If you do not want to collect this data, add CollectCloudWatchAlarms=false to the .ini file. |
| CollectCloudWatchLogs | | true | This line does not appear in the .ini file, but these logs are collected automatically without adding it. If you do not want to collect this data, add CollectCloudWatchLogs=false to the .ini file. |
| CloudWatchLogGroupPrefix | | * | Specify which Log Groups you want to collect logs from. The default is all Log Groups. |
| Proxy Settings (Optional) | | | |
| ProxyServer | | | The IP address or DNS name of a proxy server to use for connecting to AWS. |
| ProxyPort | | | The port to use on the proxy server. |
| UserName | | | The user name to send if authentication is required on the proxy server. |
| Password | | | The password for the specified user name. |
| Domain | | | The domain to use for connecting to the proxy server. |

The Access Key ID and Secret Access Key must be encrypted using the lrcrypt command line utility located in the LogRhythm System Monitor installation directory. See LogRhythm Password Encryption for more information.

You must manually paste the encrypted values into the configuration file.

Edit the cloudwatch.ini file with the appropriate credentials and information to create a secure connection between the LogRhythm System Monitor and AWS CloudWatch.

Before you begin these instructions, have the Access Key and the Secret Access Key. These keys are needed to configure the cloudwatch.ini file.

  1. Open Windows Explorer and go to the following directory: C:\Program Files\LogRhythm\LogRhythm System Monitor\config
  2. Open cloudwatch.ini with a text editor.
    Most of the configuration can be used as is. A few of the settings need to be changed so the LogRhythm Agent can access the CloudWatch instance to collect log files.
  3. For Region, replace CHANGE_THIS with the "Region" ID for the specific CloudWatch region — for example, us-east-1. For more information, see CloudWatch Regions and Endpoints.
  4. For AccessKeyId, replace CHANGE_THIS with the Access Key generated when you created the IAM user for this instance of CloudWatch — encrypt with lrcrypt before adding to the INI file.
  5. For SecretAccessKey, replace CHANGE_THIS with the Secret Access Key generated when you created the IAM user for this instance of CloudWatch — encrypt with lrcrypt before adding to the INI file.

    The AccessKeyId and SecretAccessKey values must be encrypted using the lrcrypt command line utility.

  6. Save and close the file.

    If you need to grant access to multiple users (Agents), you can create multiple cloudwatch.ini files and multiple CloudWatch log sources.
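
A check to run on the edited file before the agent is restarted, as an added example that is not LogRhythm's own tooling: it flags placeholders left as CHANGE_THIS, an AccessKeyId or SecretAccessKey that still has the raw AWS format (so lrcrypt was not applied), and numeric settings outside the ranges in the table above. The key=value layout, the function names and the sample content are assumptions.

```python
import re

# Ranges taken from the settings table on this page.
RANGES = {"APIPollingIntervalInMs": (1000, 60000), "APIRetryCount": (0, 5),
          "MaxResultCount": (1, 50), "MaxResultCountLogs": (1, 1000)}
REQUIRED = ("Region", "AccessKeyId", "SecretAccessKey")
# Raw IAM access key IDs are 20 characters starting with AKIA (ASIA for
# temporary credentials); seeing one means lrcrypt was not applied.
RAW_KEY_ID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
# Heuristic only: raw secret access keys are 40 base64-style characters.
RAW_SECRET = re.compile(r"^[A-Za-z0-9/+]{40}$")


def parse_ini(text):
    """Parse key=value lines; comments and any [section] headers are skipped
    (the exact file layout is an assumption)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return a list of findings for the contents of one cloudwatch.ini."""
    s = parse_ini(text)
    findings = []
    for key in REQUIRED:
        if s.get(key, "") in ("", "CHANGE_THIS"):
            findings.append(f"{key}: missing or still CHANGE_THIS")
    if RAW_KEY_ID.match(s.get("AccessKeyId", "")):
        findings.append("AccessKeyId: plaintext AWS key ID, encrypt with lrcrypt")
    if RAW_SECRET.match(s.get("SecretAccessKey", "")):
        findings.append("SecretAccessKey: looks plaintext, encrypt with lrcrypt")
    for key, (low, high) in RANGES.items():
        if key in s and not (s[key].isdigit() and low <= int(s[key]) <= high):
            findings.append(f"{key}: {s[key]!r} outside {low}-{high}")
    return findings


# Constructed sample, not a real file; the key ID is AWS's documentation example.
SAMPLE = """Region=us-east-1
AccessKeyId=AKIAIOSFODNN7EXAMPLE
SecretAccessKey=CHANGE_THIS
APIPollingIntervalInMs=500
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty list means no finding; the plaintext checks match only the AWS key formats, so they do not confirm that a value was produced by lrcrypt.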

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is API : AWS CloudWatch Alarm. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.