简体繁体 English

AWS CloudWatch 记录到 ELK

[英]AWS CloudWatch Logs to ELK

原文 2019-11-23 17:32:42 9 1 amazon-web-services/ amazon-s3/ aws-lambda/ amazon-cloudwatch/ elk

I am planning to copy the AWS CloudWatch Logs to ELK and want to use Kibana Dashboard to visualise the logs.我计划将 AWS CloudWatch 日志复制到 ELK 并希望使用 Kibana 仪表板来可视化日志。

One option is to stream the logs from CloudWatch to ELK.一种选择是将日志从 CloudWatch 流式传输到 ELK。

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_ES_Stream.html https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_ES_Stream.html

But I feel this will involve execution of Lambda functions extensively and it might not be a cost effective option.但我觉得这将涉及广泛执行 Lambda 函数，它可能不是一个具有成本效益的选择。

Is there any other cost effective way to copy logs from CloudWatch to maybe S3 and then to ELK?有没有其他经济有效的方法可以将日志从 CloudWatch 复制到 S3，然后再复制到 ELK？

I am Ok, if the logs are not realtime, maybe a delay of 15 mins or maybe one hour is OK.我很好，如果日志不是实时的，可能延迟 15 分钟或一小时就可以了。

But I am looking for a cost effective solution.但我正在寻找一种具有成本效益的解决方案。

Btw, what is the best way to purge the CloudWatch logs periodically?顺便说一句，定期清除 CloudWatch 日志的最佳方法是什么？ ( maybe after one week) （也许一周后）

1 个解决方案

Firstly, you can set the retention policy for your cloudwatch logs.首先，您可以为您的 cloudwatch 日志设置保留策略。 By default it's indefinite, but you can set it to say like 7 days as you mentioned.默认情况下它是无限期的，但您可以将其设置为您提到的 7 天。

Secondly, according to me lambda would be a cost effective option to ingest the logs to your elasticsearch domain.其次，根据我的说法，lambda 将是将日志摄取到您的弹性搜索域的一种具有成本效益的选择。

Other option, l can think as below:其他选项，我可以考虑如下：

ec2 instance with log stash reading the logs from cloudwatch and ingesting it to elasticsearch.带有日志存储的 ec2 实例从 cloudwatch 读取日志并将其摄取到 elasticsearch。
probably you can extend above with aws batch也许您可以使用 aws 批处理进行扩展

My answer is not exactly the answer to your case, it's an attempt to solve this problem from another angle. 我的答案并不完全是您的情况的答案，而是尝试从另一个角度解决这个问题。
It will be actual for you, if you own logs generation. 如果您拥有日志生成功能，那对您来说将是实际的。

Copying logs from one source to another assumes more or less the same solution. 将日志从一个源复制到另一个源或多或少都采用相同的解决方案。 But the whole idea makes me curious if you need CloudWatch at all (ie logs are handled by Elastic stack in the end). 但是整个想法让我感到好奇，如果您根本不需要CloudWatch（即日志最终由Elastic stack处理）。
In this case we don't need CloudWatch and your apps can send logs directly to Elastic stack (via Logstash) you have. 在这种情况下，我们不需要CloudWatch，您的应用程序可以将日志直接发送到您拥有的Elastic Stack（通过Logstash）。
We need just to replace CloudWatch with Logstash in your logging configuration in apps. 我们只需要在应用程序的日志记录配置中将CloudWatch替换为Logstash。 Some AWS services may not support it of course. 当然，某些AWS服务可能不支持它。

EC2 spot instance will be the cheapest option. EC2竞价型实例将是最便宜的选择。
If you have few log entries (very unusual case), lambda will be cheaper. 如果您的日志条目很少（非常不常见的情况），那么lambda会便宜一些。 But this situation happens only in the beginning, there are usually tons of logs and using lambda for this would be costly :-) 但是这种情况仅在开始时才会发生，通常会有大量的原木，为此使用lambda会很昂贵:-)

EC2 spot instance can be interrupted any time but it's fine for us. EC2竞价型实例可以随时中断，但对我们来说很好。 Because we don't need realtime synchronization of logs. 因为我们不需要日志的实时同步。

You can play with EC2 Saving Plan costs, if you're going to support logs synchronization for 1 year or more. 如果您要支持1年或更长时间的日志同步，则可以使用EC2节省计划成本。