
[Filebeat] [AWS] Support getting cloudwatch logs from linked cross-account monitoring source accounts #36642

Closed
tommyers-elastic opened this issue Sep 21, 2023 · 5 comments · Fixed by #41206
Assignees: kaiyan-sheng
Labels: enhancement, Team:Cloud-Monitoring

Comments

@tommyers-elastic
Contributor

tommyers-elastic commented Sep 21, 2023

We should support cross-account log collection for Cloudwatch. We almost have this functionality today, but there is a small hurdle to overcome, as detailed below.

Cross-account logs are supported by the FilterLogEvents API (which we already use). However there is a caveat hidden away in the docs:

If the log group is in a source account and you are using a monitoring account, you must use the log group ARN.

If the log group name is used for log groups in linked source accounts, the request does not succeed. In our cloudwatch logs input, we utilize the log group name exclusively (even parsing the name from the ARN, if one is provided: https://github.com/elastic/beats/blob/main/x-pack/filebeat/input/awscloudwatch/input.go#L72).

In order for cross-account monitoring to work for cloudwatch logs, we need to switch to using log group ARNs and logGroupIdentifier in the API requests, instead of log group names (and logGroupName).

@tommyers-elastic tommyers-elastic added the bug and Team:Cloud-Monitoring labels Sep 21, 2023
@tommyers-elastic tommyers-elastic changed the title [Filebeat] [AWS] Unable to get cloudwatch logs from linked cross-account monitoring source accounts [Filebeat] [AWS] Support getting cloudwatch logs from linked cross-account monitoring source accounts Sep 21, 2023
@hesingon

Can this be addressed soon?

@kaiyan-sheng kaiyan-sheng self-assigned this Sep 16, 2024
@kaiyan-sheng
Contributor

kaiyan-sheng commented Oct 3, 2024

Hey @tommyers-elastic do you mind if we take over the PR and continue working on it?

@Kavindu-Dodan
Contributor

Kavindu-Dodan commented Oct 7, 2024

I started looking into this. Note that, while logGroupIdentifier allows us to accept an ARN, it has a regex pattern restriction of [\w#+=/:,.@-]* [1]. This pattern doesn't allow the suffix * (wildcard) that's present in, for example, aws logs describe-log-groups or the cloudwatch UI.

However, once the wildcard is removed, logGroupIdentifier works as expected.

[1] - https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html
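The two points above (an ARN must go into logGroupIdentifier rather than logGroupName, and the trailing `:*` that the console and `describe-log-groups` append is not accepted by that field's pattern) can be handled in one small resolver. The following is an added example in Go, not Filebeat's own code: the `ResolveLogGroup` function, the `LogGroupRequest` type and the ARN regex are my own assumptions, written so the result can be copied into a FilterLogEvents request. It keeps a plain name in `LogGroupName`, moves an ARN into `LogGroupIdentifier` with any `:*` suffix stripped, and rejects an identifier that still falls outside the documented character set.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// logGroupARNPattern matches a CloudWatch Logs log-group ARN of the form
// arn:<partition>:logs:<region>:<account-id>:log-group:<name>[:*].
// The shape is an assumption for this example, not taken from the SDK.
var logGroupARNPattern = regexp.MustCompile(`^arn:[^:]+:logs:[^:]*:\d{12}:log-group:.+$`)

// identifierPattern is the character set the FilterLogEvents API documents
// for logGroupIdentifier: [\w#+=/:,.@-]*. Note that '*' is not in it.
var identifierPattern = regexp.MustCompile(`^[\w#+=/:,.@-]*$`)

// LogGroupRequest holds the two mutually exclusive fields a FilterLogEvents
// request can carry. For a log group in a linked source account only the
// ARN form (LogGroupIdentifier) is accepted by the API.
type LogGroupRequest struct {
	LogGroupName       string
	LogGroupIdentifier string
}

// ResolveLogGroup turns a configured value (plain name or ARN) into the
// request field it belongs in.
func ResolveLogGroup(configured string) (LogGroupRequest, error) {
	v := strings.TrimSpace(configured)
	if v == "" {
		return LogGroupRequest{}, errors.New("log group must not be empty")
	}

	if logGroupARNPattern.MatchString(v) {
		// ARN form: strip the ":*" wildcard suffix that the console and
		// `aws logs describe-log-groups` show, then validate what is left.
		id := strings.TrimSuffix(v, ":*")
		if !identifierPattern.MatchString(id) {
			return LogGroupRequest{}, fmt.Errorf(
				"log group ARN %q contains characters outside the logGroupIdentifier pattern", id)
		}
		return LogGroupRequest{LogGroupIdentifier: id}, nil
	}

	// Anything else is treated as a plain log group name. A name cannot
	// address a linked-account group, so it is passed through unchanged.
	return LogGroupRequest{LogGroupName: v}, nil
}

func main() {
	// Constructed sample inputs; the account id is a placeholder.
	for _, in := range []string{
		"/aws/lambda/my-func",
		"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-func:*",
		"arn:aws:logs:us-east-1:123456789012:log-group:bad*name",
	} {
		r, err := ResolveLogGroup(in)
		if err != nil {
			fmt.Printf("%-70s -> error: %v\n", in, err)
			continue
		}
		fmt.Printf("%-70s -> name=%q identifier=%q\n", in, r.LogGroupName, r.LogGroupIdentifier)
	}
}
```

Only one of the two fields is ever set, which mirrors the API's own rule that logGroupName and logGroupIdentifier are alternatives; a caller that wants to support linked accounts should configure the ARN and let the resolver place it.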

@Kavindu-Dodan
Contributor

Kavindu-Dodan commented Oct 10, 2024

Consider this thread [1]. The DescribeLogGroups API [2] allows configuring the includeLinkedAccounts property, which is disabled by default. This means that, when users use logGroupNamePrefix, we can still support including logs from linked accounts.

However, we must control this behaviour through a configuration so that existing users do not get impacted with extra logs. Hence, the property should be disabled by default, and it should work in combination with logGroupNamePrefix.

Proposed property name: linked_accounts_for_prefix_mode

[1] - #41188 (comment)
[2] - https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeLogGroups.html

@nsshah1288

nsshah1288 commented Oct 15, 2024

Thank you so much @Kavindu-Dodan @kaiyan-sheng and everyone else for working on this. Today, I was able to use the elastic agent to pull in logs from a separate AWS account!! FYI, in case it helps anyone else, I am not using CloudWatch cross-account observability. I exec'd into one of the elastic agent pods and created a credentials file located at ~/.aws/credentials, which looked like this:

[default]
role_arn = arn:aws:iam::<core-account-id>:role/elastic-agent-role
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
[profile my-profile]
source_profile = default
role_arn = arn:aws:iam::<target-account-id>:role/elastic-agent-role

where core-account-id is the central account where elastic is deployed and target-account-id is the account where there are CloudWatch logs I want to pull in.

I used IRSA and followed this AWS blog: https://aws.amazon.com/blogs/containers/enabling-cross-account-access-to-amazon-eks-cluster-resources/, which ensured that the IAM roles have the necessary permissions and trust relationships.

Then, in the AWS CloudWatch integration page in Kibana, I told it to use my-profile, and arn:aws:iam::<target-account-id>:role/elastic-agent-role as the Role ARN, and then the logs from target-account-id were pulled into elastic!
