How to log EC2 operations on AWS?

Question

We are operating a large amount of instances and ELB on AWS. Recently we experienced strange behaviors. We don't know whether our boto scripts are responsible or AWS has malfunction. It might also be a human mistake.

We are not able to know who did what on EC2 instances, that's an issue.

This implies :

• EC2 instance creation/termination
• EC2 instance start/stop/reboot
• Register/Deregister EC2 instance from ELB

Is there a way to start logging EC2 operations in AWS ?

Alternatively, are EC2 events sent on SQS or SNS ? So that we can listen to events rather than reading logs ?

Answer 1

CloudTrail is the ticket, but once you've got millions of events, it's not practical to view results on the CloudTrail UI.

In that case you can pipe the output to something like Kibana/Logstash, or sync and grep it.

Answer 2

Yes, As @Thomas said, you can use the cloudTrail to log all the events happening on the AWS account. Basically CloudTrail logs all the AWS API calls in JSON format whether it's your application or user doing it using console. It list the ARN as well so will be able to track who particularly run the command. The logs can be viewed in console or using API as well. For console, AWS has just launched some filters as well. The only thing needs to be done is enable the CloudTrail for the region you want to monitor. Though it's recommended to have the good IAM policies to avoid such disaster.

Can set up cloudwatch logs on the cloudtrail to take action if particular event happens.

Below are the links that might help you. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_started_top_level.html http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cw_send_ct_events.html

Answer 3

The CloudTrail service is the place to start. Here is a link to documentation: Logging Amazon EC2 API Calls Using AWS CloudTrail