The purpose is to create a tool to parse cloudwatch logs and get a mail report with all occurences that doesn't match with regexp given (like logcheck but for AWS EKS applications, considering that logs are stored in cloudwatch thanks to fluentd or fluentbit).
Actually, the program can connect to AWS API through SSO profile or get the default config (need to give permissions to the EC2 that will run the program).
The check is done every hour. If there are logs that do not fit with rules, you will get one or multiples emails depending on the size of the report.(Need a mailgun account or an SMTP server).
The configuration files has the below format :
rulesdir: "/opt/awslogcheck/rules-perso"
imagesToIgnore:
- fluent/fluentd-kubernetes-daemonset
- 602401143452.dkr.ecr.eu-west-3.amazonaws.com/eks/kube-proxy
- docker:stable
- docker:dind
containerNameToIgnore:
- aws-vpc-cni-init
- helper
- build
- svc-0
logGroup: /aws/containerinsights/dev-EKS/application
aws_region: eu-west-3
mailSubject: awslogcheck
mailTo:
mailFrom:
mailgun:
domain:
apikey:
smtp:
server:
port:
login:
password:
tls: true/false
imagesToIgnore and containerNameToIgnore are golang regexp expression, you can test with https://regex101.com/
The loggroup should be the loggroup created by fluentd/fluentbit deployment. awslogcheck won't be able to check another structure of events.
Check the deploy folder to launch in kubernetes.
Login into and specify the profile to use with option -p :
aws sso login --profile dev
awslogcheck -c cfg.yml -p dev
awslogcheck -g /aws/containerinsights/dev-EKS/application -c cfg.yml
Set the role below to get permissions from your EC2 to browse logs.
The program need permissions to consult cloudwatch.
Policy example :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:DescribeLogGroups"],
"Resource": "*"
}
]
}
Create with AWS cli :
$ aws iam create-policy --policy-name EksEc2PolicyCloudwatch --policy-document file://EksEc2PolicyCloudwatch.json --profile dev
Policy:
Arn: arn:aws:iam::.......................
AttachmentCount: 0
CreateDate: '.................'
DefaultVersionId: v1
IsAttachable: true
Path: /
PermissionsBoundaryUsageCount: 0
PolicyId: ..........................
PolicyName: EksEc2PolicyCloudwatch
UpdateDate: '.................'
You have manifests example in the deploy folder.
This tool uses the aws sdk golang v2. Here is the doc.
Most of API calls use cloudwatchlogs.
If you have error like (when using the SSO) :
ERROR: operation error STS: GetCallerIdentity, failed to sign request: failed to retrieve credentials: the SSO session has expired or is invalid: expected RFC3339 timestamp: parsing time "2021-11-18T15:55:16UTC" as "2006-01-02T15:04:05Z07:00": cannot parse "UTC" as "Z07:00"
exit status 1
This project is using :
- golang 1.17+
- task for development
- docker
- docker buildx
- docker manifest
- goreleaser
A little comment, there is no tests, the initial development has been done in quick and dirty mode. Maybe, this problem will be adressed in the future but it's a side project with very very low priority so don't expect a lot of features or improvements.
task
task image
task release
🟨 Maintenance Mode: This project is in maintenance mode.
While we are committed to keeping the project's dependencies up-to-date and secure, please note the following:
- New features are unlikely to be added
- Bug fixes will be addressed, but not necessarily promptly
- Security updates will be prioritized
We still encourage you to use our issue tracker for:
- 🐛 Reporting critical bugs
- 🔒 Reporting security vulnerabilities
- 🔍 Asking questions about the project
Please check existing issues before creating a new one to avoid duplicates.
🤝 Limited contributions are still welcome.
While we're not actively developing new features, we appreciate contributions that:
- Fix bugs
- Update dependencies
- Improve documentation
- Enhance performance or security
If you're interested in contributing, please read our CONTRIBUTING.md guide for more information on how to get started.
As this project is in maintenance mode, support may be limited. We appreciate your understanding and patience.
Thank you for your interest in our project!