We are using Kubernetes to deploy our application docker images.
We would like to be able to take the application logs and push it to cloudwatch.
The application logs are generated using log4j or log4js depending on what language the microservice was built.
What is the right way to do this?
This question sounds similar with How to Send Kubernetes Logs to AWS CloudWatch?. Kubernetes does not support the custom log-driver like docker supports. You could use fluentd to send the logs to cloudwatch.
Build containers with the Cloudwatch Agent installed; to do this you will need a Dockerfile. Amazon even has docs specifically for this.
You will need to make sure your base container is either Debian or RHEL based (Amazon docs seem to only support these types of distros with the agent); for example, Debian based systems will have the agent installed with:
curl https://s3.amazonaws.com//aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -OSo, you will need to execute the above when you build the container.
Details for installation are here.
You mentioned IAM policy concerns; Amazons example policy is below; you will need to make sure that your containers have access.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::myawsbucket/*"
]
}
]
}
Someone on GitHub has done this already:
FROM ubuntu:latest
MAINTAINER Ryuta Otaki <otaki.ryuta@classmethod.jp>, Sergey Zhukov <sergey@jetbrains.com>
...
RUN apt-get install -q -y python python-pip wget
RUN cd / ; wget https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.pyI highly suggest you follow their lead; use Ubuntu and follow the docs. Don't re-invent the wheel.