Why isn't the unified CloudWatch agent pushing my metrics or log events to CloudWatch?
I configured the unified Amazon CloudWatch agent on my Amazon Elastic Compute Cloud (Amazon EC2) instance to publish metrics and logs to Amazon CloudWatch. However, I can't see my metrics or log events in the CloudWatch console.
Short description
If there is a connectivity problem or a permissions problem, the unified CloudWatch agent might not push metrics or logs to CloudWatch. When you review the unified CloudWatch agent log, you might see one of the following errors:
- Agent log error: no connectivity to the endpoint
- Agent log error: insufficient permissions
Resolution
To troubleshoot the unified CloudWatch agent, complete the following steps:
**Note:** If you receive errors when running AWS Command Line Interface (AWS CLI) commands, see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Review the unified CloudWatch agent log
Use the agent log file to help you resolve issues that you encounter with the unified CloudWatch agent package. With a standard package install, the log is at /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log on Linux and C:\ProgramData\Amazon\AmazonCloudWatchAgent\Logs\amazon-cloudwatch-agent.log on Windows.
You might encounter one of the following issues:
- You can't connect to the required AWS service endpoint or Amazon Virtual Private Cloud (Amazon VPC) endpoint. For more information, see Using VPC endpoints.
- You don't have the correct permissions to make the supporting API calls to CloudWatch. For more information, see Permissions required for CloudWatch API operations and actions.
You might see one of the following errors in the agent log.
Agent log error: no connectivity to the endpoint
```
2021-08-30T04:07:46Z E! cloudwatch: code: RequestError, message: send request failed, original error: Post "https://monitoring.us-east-1.amazonaws.com/": dial tcp 172.31.11.121:443: i/o timeout
2021-08-30T04:07:46Z W! 210 retries, going to sleep 1m0s before retrying.
2021-08-30T04:07:46Z E! cloudwatch: code: RequestError, message: send request failed, original error: Post "https://monitoring.us-east-1.amazonaws.com/": dial tcp 172.31.11.121:443: i/o timeout
2021-08-30T04:07:46Z W! 211 retries, going to sleep 1m0s before retrying.
```
The address the agent is dialing, 172.31.11.121, is a private IP, so the endpoint name resolved to an interface VPC endpoint. A timeout against a private address points at that endpoint's security group or the route to it, not at internet egress.
Agent log error: insufficient permissions
```
2021-08-30T02:15:45Z E! cloudwatch: code: AccessDenied, message: User: arn:aws:sts::123456789012:assumed-role/cwagent/i-0744de7c842d2c2ba is not authorized to perform: cloudwatch:PutMetricData, original error:
2021-08-30T02:15:45Z W! 1 retries, going to sleep 400ms before retrying.
2021-08-30T02:15:46Z E! WriteToCloudWatch failure, err: AccessDenied: User: arn:aws:sts::123456789012:assumed-role/cwagent/i-0744de7c842d2c2ba is not authorized to perform: cloudwatch:PutMetricData
	status code: 403, request id: f1171fd0-05b6-4f7d-bac2-629c8594c46e
```
The 403 names both the missing action (cloudwatch:PutMetricData) and the role session that lacks it (the cwagent role, session i-0744de7c842d2c2ba), which tells you exactly which role's policy to inspect.
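As an added example (not part of the original article), the following Bash script classifies agent log lines into the two failure classes described above, so a long log can be triaged in one pass and the first missing IAM action pulled out. The log path is the agent's default on Linux, the lines in `sample_agent_log` are constructed for the demonstration, and the match patterns are assumptions derived from the error strings shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article: triage the unified CloudWatch agent
# log by classifying each line as a connectivity failure, a permission failure,
# or something else. Patterns are assumptions based on the errors shown above.
set -u

# Default log location on Linux (assumption: standard package install path).
AGENT_LOG="/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log"

# classify_line LINE -> prints one of: connectivity, permission, other
classify_line() {
  case "$1" in
    *"i/o timeout"*|*"dial tcp"*|*"no such host"*|*"connection refused"*)
      echo connectivity ;;
    *"AccessDenied"*|*"not authorized to perform"*|*"NoCredentialProviders"*)
      echo permission ;;
    *)
      echo other ;;
  esac
}

# triage_log reads log lines on stdin and prints one summary line:
#   connectivity=N permission=N other=N [missing_action=service:Action]
# where missing_action is the IAM action named in the first AccessDenied line.
triage_log() {
  local line cls action="" conn=0 perm=0 other=0
  while IFS= read -r line; do
    cls=$(classify_line "$line")
    case "$cls" in
      connectivity) conn=$((conn + 1)) ;;
      permission)
        perm=$((perm + 1))
        if [ -z "$action" ]; then
          action=$(printf '%s\n' "$line" |
            sed -n 's/.*not authorized to perform: \([a-z0-9-]*:[A-Za-z]*\).*/\1/p')
        fi ;;
      *) other=$((other + 1)) ;;
    esac
  done
  if [ -n "$action" ]; then
    printf 'connectivity=%d permission=%d other=%d missing_action=%s\n' \
      "$conn" "$perm" "$other" "$action"
  else
    printf 'connectivity=%d permission=%d other=%d\n' "$conn" "$perm" "$other"
  fi
}

# sample_agent_log prints constructed lines in the agent's log format.
sample_agent_log() {
  cat <<'EOF'
2021-08-30T04:07:46Z E! cloudwatch: code: RequestError, message: send request failed, original error: Post "https://monitoring.us-east-1.amazonaws.com/": dial tcp 172.31.11.121:443: i/o timeout
2021-08-30T04:07:46Z W! 210 retries, going to sleep 1m0s before retrying.
2021-08-30T04:08:46Z E! cloudwatchlogs: RequestError: send request failed caused by: Post "https://logs.us-east-1.amazonaws.com/": dial tcp: lookup logs.us-east-1.amazonaws.com: no such host
2021-08-30T02:15:45Z E! cloudwatch: code: AccessDenied, message: User: arn:aws:sts::123456789012:assumed-role/cwagent/i-0744de7c842d2c2ba is not authorized to perform: cloudwatch:PutMetricData, original error:
EOF
}

# Run against the real agent log with:  ./triage.sh --live
# With no argument the constructed sample is triaged instead.
if [ "${1:-}" = "--live" ]; then
  triage_log < "$AGENT_LOG"
else
  sample_agent_log | triage_log
fi
```

On the constructed sample the summary is `connectivity=2 permission=1 other=1 missing_action=cloudwatch:PutMetricData`. A non-zero `connectivity` count sends you to the endpoint checks in the next section; a non-zero `permission` count, or any `NoCredentialProviders` line, sends you to the IAM checks further down.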
Verify connectivity to the CloudWatch endpoints
If you don't want traffic to CloudWatch to traverse the public internet, you can use Amazon VPC endpoints instead. If you use Amazon VPC endpoints, check the following:
- If you use private name servers, confirm that DNS resolution returns accurate responses.
- Confirm that the CloudWatch endpoint resolves to a private IP address.
- Confirm that the security group associated with the Amazon VPC endpoint allows inbound traffic on TCP port 443 from the host.
To verify connectivity to the CloudWatch endpoints, complete the following steps:
- To check connectivity to the metrics endpoint, run the following command:
```
$ telnet monitoring.us-east-1.amazonaws.com 443
Trying 52.46.138.115...
Connected to monitoring.amazonaws.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
```
- To check connectivity to the logs endpoint, run the following command:
```
$ telnet logs.us-east-1.amazonaws.com 443
Trying 3.236.94.218...
Connected to logs.us-east-1.amazonaws.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
```
- To check whether the Amazon VPC endpoint resolves to a private IP address, run the following command:
```
$ dig monitoring.us-east-1.amazonaws.com +short
172.31.11.121
172.31.0.13
```
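As an added example (not from the original article), the following Bash script performs the endpoint checks above for a region in one go and works on minimal images where telnet and dig are not installed: it resolves the metrics and logs endpoint names, reports whether each address is private (a VPC endpoint) or public, and opens a TCP connection to port 443 with a timeout. The region default and the use of `/dev/tcp` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article: resolve the CloudWatch metrics and
# logs endpoints for a region, classify each address as private (VPC endpoint)
# or public, and test TCP/443 reachability without telnet or dig.
set -u

# is_private_ip ADDR -> exit 0 if ADDR is in an RFC 1918 range (what an
# interface VPC endpoint hands out), 1 otherwise.
is_private_ip() {
  case "$1" in
    10.*)                                   return 0 ;;
    192.168.*)                              return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    *)                                      return 1 ;;
  esac
}

# resolve_host NAME -> prints the IPv4 addresses, one per line. getent comes
# with the C library, so this works where dig is not installed.
resolve_host() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# tcp_check HOST PORT -> exit 0 if a TCP connection opens within 5 seconds.
# Uses bash's /dev/tcp so no client tool is required on the instance.
tcp_check() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_endpoint NAME -> prints "NAME IP private|public reachable|unreachable"
# for every address the name resolves to; exit 1 if it does not resolve at all.
check_endpoint() {
  local name="$1" ips ip kind state
  ips=$(resolve_host "$name")
  if [ -z "$ips" ]; then
    echo "$name - unresolved -"
    return 1
  fi
  for ip in $ips; do
    if is_private_ip "$ip"; then kind=private; else kind=public; fi
    if tcp_check "$ip" 443; then state=reachable; else state=unreachable; fi
    echo "$name $ip $kind $state"
  done
}

# Assumption: region comes from AWS_REGION, defaulting to us-east-1.
REGION="${AWS_REGION:-us-east-1}"

# Run the live checks with:  ./endpoint-check.sh --run
if [ "${1:-}" = "--run" ]; then
  check_endpoint "monitoring.${REGION}.amazonaws.com"
  check_endpoint "logs.${REGION}.amazonaws.com"
fi
```

Read the output the same way as the manual checks: a `private unreachable` row means the name resolves to the VPC endpoint but the endpoint's security group or the route from this subnet blocks 443; a `public` row on an instance that is supposed to use VPC endpoints means private DNS is not enabled on the endpoint or the private name server is answering with public records; `unresolved` means DNS itself is the problem.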
Review the unified CloudWatch agent configuration
The CloudWatch agent configuration file specifies which metrics and logs are published to CloudWatch. Review the agent configuration file to confirm that it includes the logs and metrics that you expect to see; a metric or log file that is simply not listed will never appear, regardless of connectivity or permissions. On Linux, fetch-config stores the active copy under /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/.
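As an added example (not from the original article), the following Bash script embeds a constructed configuration in the agent's JSON schema, with one metrics section and two log files, and adds helpers that list what that configuration will publish and flag configured log files that cannot be read. The log group names, file paths and the `run_as_user` value are assumptions, and the helpers assume each key and its value sit on one line, as the agent's configuration wizard writes them.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article: inspect a unified-agent configuration
# to see which log files and log groups it publishes and which configured files
# the current user cannot read. Paths, group names and run_as_user are assumptions.
set -u

# sample_agent_config prints a constructed configuration in the agent's JSON schema.
sample_agent_config() {
  cat <<'EOF'
{
  "agent": {
    "metrics_collection_interval": 60,
    "run_as_user": "cwagent"
  },
  "metrics": {
    "namespace": "CWAgent",
    "append_dimensions": { "InstanceId": "${aws:InstanceId}" },
    "metrics_collected": {
      "mem":  { "measurement": ["mem_used_percent"] },
      "disk": { "measurement": ["used_percent"], "resources": ["/"] }
    }
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/messages",
            "log_group_name": "/ec2/var/log/messages",
            "log_stream_name": "{instance_id}"
          },
          {
            "file_path": "/var/log/secure",
            "log_group_name": "/ec2/var/log/secure",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  }
}
EOF
}

# json_string_values KEY -> prints the value of every "KEY": "value" pair on
# stdin, one per line. Line-oriented on purpose: the agent config is small and
# the wizard writes one key per line, so grep/sed are enough and jq is not needed.
json_string_values() {
  grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" |
    sed "s/^\"$1\"[[:space:]]*:[[:space:]]*\"\(.*\)\"\$/\1/"
}

configured_log_files()   { json_string_values file_path; }
configured_log_groups()  { json_string_values log_group_name; }
configured_run_as_user() { json_string_values run_as_user; }

# unreadable_log_files reads a config on stdin and prints each configured file
# that does not exist or is not readable by the current user. Run it as the
# configured run_as_user (for example: sudo -u cwagent bash inspect-config.sh
# /path/to/config.json) to see what the agent process itself can open; a
# root-only file such as /var/log/secure is a common reason a configured log
# never reaches CloudWatch even though metrics arrive fine.
unreadable_log_files() {
  configured_log_files | while IFS= read -r path; do
    [ -r "$path" ] || echo "$path"
  done
}

# report reads a config on stdin and prints a summary of what it publishes.
report() {
  local cfg
  cfg=$(cat)
  echo "run_as_user: $(printf '%s' "$cfg" | configured_run_as_user)"
  echo "log files:";   printf '%s' "$cfg" | configured_log_files  | sed 's/^/  /'
  echo "log groups:";  printf '%s' "$cfg" | configured_log_groups | sed 's/^/  /'
  echo "not readable by $(id -un):"
  printf '%s' "$cfg" | unreadable_log_files | sed 's/^/  /'
}

# Usage: ./inspect-config.sh [path-to-config.json]
# With no argument the constructed sample above is inspected.
if [ -n "${1:-}" ]; then
  report < "$1"
else
  sample_agent_config | report
fi
```

If a log file you expect in CloudWatch is missing from the `log files` list, the fix is the configuration, not networking or IAM; if it is listed but shows up under `not readable` when run as the agent's user, the agent has nothing to send for it.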
Confirm that the host has permissions to publish metrics and logs
The AWS managed policies CloudWatchAgentServerPolicy and CloudWatchAgentAdminPolicy are provided to help you deploy the unified CloudWatch agent. Use them as a reference to confirm that your host has the permissions it needs. Attach CloudWatchAgentServerPolicy to the instance role of the servers that run the agent. CloudWatchAgentAdminPolicy additionally allows writing the agent configuration to Systems Manager Parameter Store and is intended for the administrator host that creates the configuration, so it should not be attached to every server.
The following examples show what missing or insufficient permissions look like.
The following fetch-config output shows an EC2 instance with no AWS Identity and Access Management (IAM) role attached; the SDK's credential chain finds nothing (NoCredentialProviders):
```
$ /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c ssm:CWT-Web-Server -s
****** processing amazon-cloudwatch-agent ******
/opt/aws/amazon-cloudwatch-agent/bin/config-downloader --output-dir /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d --download-source ssm:CWT-Web-Server --mode ec2 --config /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml --multi-config default
Region: us-east-1
credsConfig: map[]
Error in retrieving parameter store content: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Fail to fetch/remove json config: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Fail to fetch the config!
```
The following fetch-config output shows an EC2 instance whose attached IAM role lacks permission to read the configuration parameter (ssm:GetParameter on the CWT-Web-Server parameter):
```
$ /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c ssm:CWT-Web-Server -s
****** processing amazon-cloudwatch-agent ******
/opt/aws/amazon-cloudwatch-agent/bin/config-downloader --output-dir /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d --download-source ssm:CWT-Web-Server --mode ec2 --config /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml --multi-config default
Region: us-east-1
credsConfig: map[]
Error in retrieving parameter store content: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/cwagent/i-0744de7c842d2c2ba is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:123456789012:parameter/CWT-Web-Server
	status code: 400, request id: b85b0a7a-0fb1-47b4-924f-be8cf43a3b4d
Fail to fetch/remove json config: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/cwagent/i-0744de7c842d2c2ba is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:123456789012:parameter/CWT-Web-Server
	status code: 400, request id: b85b0a7a-0fb1-47b4-924f-be8cf43a3b4d
Fail to fetch the config!
```
The following get-caller-identity command returns the IAM user or role that the instance is using:
```
$ aws sts get-caller-identity
{
    "UserId": "AROA123456789012ABCDE:i-0744de7c842d2c2ba",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/CloudWatchAgentServerRole/i-0744de7c842d2c2ba"
}
```
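As an added example (not from the original article), the following Bash script ties the two outputs above together: it takes the assumed-role ARN that get-caller-identity returns, derives the IAM role ARN from it, and asks IAM to simulate the actions the agent exercises, so a missing permission is found before it surfaces as an AccessDenied line in the agent log. The list of actions is an assumption (the actions the troubleshooting above touches, not the full contents of CloudWatchAgentServerPolicy). simulate-principal-policy requires iam:SimulatePrincipalPolicy, which an instance role normally does not have, so run the live `--run` mode with administrator credentials and the instance's role ARN, not from the instance itself.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article: derive the IAM role from the STS
# assumed-role ARN and simulate the actions the CloudWatch agent needs, so a
# permission gap is found without waiting for a 403 in the agent log.
set -u

# Actions the troubleshooting above exercises (assumption: this is the minimum
# for metrics plus logs; ssm:GetParameter is only needed when the configuration
# is fetched from Parameter Store with -c ssm:NAME).
AGENT_ACTIONS="cloudwatch:PutMetricData logs:CreateLogGroup logs:CreateLogStream logs:PutLogEvents logs:DescribeLogStreams logs:DescribeLogGroups ssm:GetParameter"

# role_arn_from_caller ARN -> converts the STS assumed-role ARN returned by
# get-caller-identity into the IAM role ARN that simulate-principal-policy wants:
#   arn:aws:sts::123456789012:assumed-role/ROLE/SESSION
#   -> arn:aws:iam::123456789012:role/ROLE
role_arn_from_caller() {
  local arn="$1" account role
  case "$arn" in
    arn:aws:sts::*:assumed-role/*) ;;
    *) echo "not an assumed-role ARN: $arn" >&2; return 1 ;;
  esac
  account=${arn#arn:aws:sts::}; account=${account%%:*}
  role=${arn#*:assumed-role/};  role=${role%%/*}
  echo "arn:aws:iam::${account}:role/${role}"
}

# denied_actions reads "ACTION<TAB>DECISION" lines (the --output text form of
# the simulation below) and prints every action whose decision is not 'allowed'
# (implicitDeny or explicitDeny).
denied_actions() {
  awk -F'\t' '$2 != "allowed" {print $1}'
}

# simulate_agent_permissions ROLE_ARN -> prints the actions the role is denied.
simulate_agent_permissions() {
  # shellcheck disable=SC2086  # AGENT_ACTIONS is deliberately word-split
  aws iam simulate-principal-policy \
    --policy-source-arn "$1" \
    --action-names $AGENT_ACTIONS \
    --output text \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' | denied_actions
}

# Live mode:  ./check-agent-iam.sh --run [assumed-role-arn]
# With no ARN given, the current caller's identity is used, which is what you
# want when the script runs on the instance under the agent's role; from an
# admin workstation pass the ARN that get-caller-identity printed on the instance.
if [ "${1:-}" = "--run" ]; then
  caller="${2:-$(aws sts get-caller-identity --query Arn --output text)}"
  role=$(role_arn_from_caller "$caller") || exit 1
  echo "agent identity: $caller"
  denied=$(simulate_agent_permissions "$role")
  if [ -n "$denied" ]; then
    echo "denied actions for $role:"
    echo "$denied"
    exit 1
  fi
  echo "all agent actions allowed for $role"
fi
```

If ssm:GetParameter is the only denied action, fetch-config fails exactly as in the second example above while metrics from an already-translated configuration may still flow; if cloudwatch:PutMetricData or the logs:* actions are denied, the agent starts but the log fills with the 403s shown earlier. A denial for every action with no credentials at all corresponds to the NoCredentialProviders case: there is no role to simulate, and the fix is to attach one.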
Confirm that the agent was started correctly
The agent is designed to be started from the command line with the amazon-cloudwatch-agent-ctl control script, passing the configuration file (or the Parameter Store name that holds it) as an argument. To start the agent, run one of the following valid start commands.
For Linux, run one of the following commands:
- `$ sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:configuration-file-path`
- `$ sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:configuration-parameter-store-name`
For Windows, run one of the following commands:
- `& "C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1" -a fetch-config -m ec2 -s -c file:"C:\Program Files\Amazon\AmazonCloudWatchAgent\config.json"`
- `& "C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1" -a fetch-config -m ec2 -s -c ssm:configuration-parameter-store-name`
Important: Don't start the agent from the Windows Control Panel. Use the control script so that the configuration is fetched and validated before the service starts.
Confirm that the agent is running
To publish metrics and logs, the agent must be in the running state. To confirm that the CloudWatch agent is running, run the following command:
```
$ sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status
{
  "status": "running",
  "starttime": "2021-08-30T02:13:44+00:00",
  "configstatus": "configured",
  "cwoc_status": "stopped",
  "cwoc_starttime": "",
  "cwoc_configstatus": "not configured",
  "version": "1.247349.0b251399"
}
```
A "status" of "stopped", or a "configstatus" of "not configured", means nothing is being published no matter what the configuration file says.
Restart the agent after you update the agent configuration
The agent doesn't automatically pick up changes to the configuration file. If you update the agent configuration to include new or different metrics and logs, you must restart the agent with the following commands:
```
$ sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a stop
****** processing cwagent-otel-collector ******
cwagent-otel-collector has already been stopped
****** processing amazon-cloudwatch-agent ******
Redirecting to /bin/systemctl stop amazon-cloudwatch-agent.service

$ sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:config.json
****** processing amazon-cloudwatch-agent ******
/opt/aws/amazon-cloudwatch-agent/bin/config-downloader --output-dir /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d --download-source file:config.json --mode ec2 --config /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml --multi-config default
Successfully fetched the config and saved in /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/file_config.json.tmp
Start configuration validation...
/opt/aws/amazon-cloudwatch-agent/bin/config-translator --input /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json --input-dir /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d --output /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.toml --mode ec2 --config /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml --multi-config default
2021/08/31 02:45:37 Reading json config file path: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/file_config.json.tmp ...
Valid Json input schema.
I! Detecting run_as_user...
Configuration validation first phase succeeded
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent -schematest -config /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.toml
Configuration validation second phase succeeded
Configuration validation succeeded
amazon-cloudwatch-agent has already been stopped
Redirecting to /bin/systemctl restart amazon-cloudwatch-agent.service

$ sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status
{
  "status": "running",
  "starttime": "2021-08-31T02:45:37+0000",
  "configstatus": "configured",
  "cwoc_status": "stopped",
  "cwoc_starttime": "",
  "cwoc_configstatus": "not configured",
  "version": "1.247349.0b251399"
}
```
The fetch-config step validates the JSON against the schema and translates it to the TOML file the agent actually reads; if either validation phase fails, the old configuration stays in effect, so check for "Configuration validation succeeded" before assuming the new metrics or logs are active.