This repository has been archived by the owner on Jun 15, 2023. It is now read-only.

Updated the documentation.
Michael Khmelnitsky committed Jul 31, 2018
1 parent 1288315 commit 43e4433
Showing 7 changed files with 123 additions and 5 deletions.
109 changes: 109 additions & 0 deletions doc_source/amazon-mq-configuring-cloudwatch-logs.md
@@ -0,0 +1,109 @@
# Configuring Amazon MQ to Publish General and Audit Logs to Amazon CloudWatch Logs<a name="amazon-mq-configuring-cloudwatch-logs"></a>

Amazon MQ is integrated with Amazon CloudWatch Logs, a service that monitors, stores, and accesses your log files from a variety of sources\. For example, you can [configure CloudWatch alarms](http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/AlarmThatSendsEmail.html) to receive notifications of [broker reboots](http://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker-reboot.html) or troubleshoot [broker configuration](amazon-mq-broker-configuration-parameters.md) errors\. For more information about CloudWatch Logs, see the *[Amazon CloudWatch Logs User Guide](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/)*\.

To allow Amazon MQ to publish logs to CloudWatch Logs, you must [add a permission to your Amazon MQ user](#add-createloggroup-permission-to-user) and also [configure a resource\-based policy for Amazon MQ](#configure-resource-based-policy) before you create or restart the broker\.

For more information about configuring Amazon MQ to publish general and audit logs to CloudWatch Logs, see [Configure Advanced Broker Settings](amazon-mq-creating-configuring-broker.md#configure-advanced-broker-settings-console)\.

**Topics**
+ [Structure of Logging in CloudWatch Logs](#structure-of-logging-cloudwatch-logs)
+ [Add the CreateLogGroup Permission to Your Amazon MQ User](#add-createloggroup-permission-to-user)
+ [Configure a Resource\-Based Policy for Amazon MQ](#configure-resource-based-policy)

## Structure of Logging in CloudWatch Logs<a name="structure-of-logging-cloudwatch-logs"></a>

You can enable *general* and *audit* logging when you [configure advanced broker settings](amazon-mq-creating-configuring-broker.md#configure-advanced-broker-settings-console) when you create a broker, or when you edit a broker\.

![\[Image NOT FOUND\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/images/amazon-mq-tutorials-enable-cloudwatch-logs-edit-broker.png)

General logging enables the default `INFO` logging level \(`DEBUG` logging isn't supported\) and publishes `activemq.log` to a log group in your CloudWatch account\. The log group has a format similar to the following:

```
/aws/amazonmq/broker/b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9/general
```

[Audit logging](http://activemq.apache.org/audit-logging.html) enables logging of management actions taken using JMX or using the ActiveMQ Web Console and publishes `audit.log` to a log group iin your CloudWatch account\. The log group has a format similar to the following:

```
/aws/amazonmq/broker/b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9/audit
```

Depending on whether you have a [single\-instance broker](single-broker-deployment.md) or an [active/standby broker for high availability](active-standby-broker-deployment.md), Amazon MQ creates either one or two log streams within each log group\. The log streams have a format similar to the following\.

```
activemq-b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9-1.log
activemq-b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9-2.log
```

The `-1` and `-2` suffixes denote individual broker instances\. For more information, see [Working with Log Groups and Log Streams]() in the *[Amazon CloudWatch Logs User Guide](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/)*\.

## Add the CreateLogGroup Permission to Your Amazon MQ User<a name="add-createloggroup-permission-to-user"></a>

To allow Amazon MQ to create a CloudWatch Logs log group, you must ensure that the user who creates or reboots the broker has the `logs:CreateLogGroup` permission\.

**Important**
If you don't add the `CreateLogGroup` permission to your Amazon MQ user before the user creates or reboots the broker, Amazon MQ doesn't create the log group\.

The following example [IAM\-based policy](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html#identity-based-policies-cwl) grants permission for `logs:CreateLogGroup` to user 111122223333\.

```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "111122223333"
},
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
}
]
}
```

For more information, see `[CreateLogGroup](http://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogGroup.html)` in the *Amazon CloudWatch Logs API Reference*\.

## Configure a Resource\-Based Policy for Amazon MQ<a name="configure-resource-based-policy"></a>

To allow Amazon MQ to publish logs to your CloudWatch Logs log group, configure a resource\-based policy to give Amazon MQ access to the following CloudWatch Logs API actions:
+ `[CreateLogStream](http://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogStream.html)` – Creates a CloudWatch Logs log stream for the specified log group\.
+ `[PutLogEvents](http://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutLogEvents.html)` – Delivers events to the specified CloudWatch Logs log stream\.

**Important**
If you don't configure a resource\-based policy for Amazon MQ, the broker can't post the logs\.

The following example [resource\-based policy](http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html#resource-based-policies-cwl) grants permission for `logs:CreateLogStream` and `logs:PutLogEvents` to AWS\.

```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "mq.amazonaws.com"
},
"Action":[
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
}
]
}
```

**Note**
Because this example uses the `/aws/amazonmq/` prefix, you need to configure the resource\-based policy only once per AWS account, per region\.

You can achieve the same effect using the following AWS CLI command:

```
aws --region us-east-1 logs put-resource-policy --policy-name AmazonMQ-logs \
--policy-document '{ "Version": "2012-10-17", "Statement": [ {
"Effect": "Allow", "Principal": { "Service": "mq.amazonaws.com" },
"Action":[ "logs:CreateLogStream", "logs:PutLogEvents" ],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/amazonmq/*" } ] }'
```
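Review bot: The policy under "Add the CreateLogGroup Permission to Your Amazon MQ User" is not a valid identity-based policy: a policy attached to an IAM user or role must not contain a `Principal` element, and `111122223333` is a 12-digit account ID, not a user, so "grants permission for `logs:CreateLogGroup` to user 111122223333" is also wrong. Either drop the `"Principal": { "AWS": "111122223333" }` block and say the policy is attached to the IAM user or role that creates or reboots the broker, or, if a principal really is intended, show a full principal ARN. Two smaller points in the same file: "publishes `audit.log` to a log group iin your CloudWatch account" has a typo (`iin`), and "[Working with Log Groups and Log Streams]()" has an empty link target. In the resource-based policy the `Resource` uses `*` for both region and account; since a CloudWatch Logs resource policy only applies in the account and region it is put in (as the "once per AWS account, per region" note says), consider pinning those fields so the document reads accurately.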
7 changes: 6 additions & 1 deletion doc_source/amazon-mq-creating-configuring-broker.md
@@ -6,7 +6,7 @@ The first and most common Amazon MQ task is creating a broker\. The following ex

**Topics**
+ [Step 1: Configure basic broker settings](#configure-basic-broker-settings-console)
+ [Step 2: \(Optional\) Configure advanced broker settings](#configure-advanced-broker-settings-console)
+ [Configure advanced broker settings](#configure-advanced-broker-settings-console)
+ [Step 3: Finish creating the broker](#finish-creating-broker-console)

## Step 1: Configure basic broker settings<a name="configure-basic-broker-settings-console"></a>
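Review bot: The retitled Topics entry breaks the step sequence: the list now reads "Step 1: ...", "Configure advanced broker settings", "Step 3: ...". If the heading at `#configure-advanced-broker-settings-console` still reads "Step 2: (Optional) ...", keep the entry as `+ [Step 2: \(Optional\) Configure advanced broker settings](#configure-advanced-broker-settings-console)`; if the heading itself was renamed, renumber the remaining step so the list stays consistent.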
@@ -39,6 +39,11 @@ Currently, Amazon MQ supports only the `ActiveMQ` broker engine, version `5.15.0

1. In the **Configuration** section, choose **Create a new configuration with default values** or **Select an existing configuration**\. For more information, see [Configuration](configuration.md) and [Amazon MQ Broker Configuration Parameters](amazon-mq-broker-configuration-parameters.md)\.

1. In the **Logs** section, choose whether to publish **General** logs and **Audit** logs to Amazon CloudWatch Logs\. For more information, see [Configuring Amazon MQ to Publish General and Audit Logs to Amazon CloudWatch Logs](amazon-mq-configuring-cloudwatch-logs.md)\.
**Important**
To allow Amazon MQ to publish logs to CloudWatch Logs, you must [add a permission to your Amazon MQ user](amazon-mq-configuring-cloudwatch-logs.md#add-createloggroup-permission-to-user) and also [configure a resource\-based policy for Amazon MQ](amazon-mq-configuring-cloudwatch-logs.md#configure-resource-based-policy) before you create or restart the broker\.
![\[Image NOT FOUND\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/images/amazon-mq-tutorials-enable-cloudwatch-logs.png)

1. In the **Network and security section**, configure your broker's connectivity:

1. Select the default **Virtual Private Cloud \(VPC\)** or create a new one on the Amazon VPC console\. For more information, see [What is Amazon VPC?](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html) in the *Amazon VPC User Guide*\.
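Review bot: The added `**Important**` paragraph and the image are not indented under the numbered item "In the **Logs** section, choose whether to publish ...", so in rendered markdown they fall outside the list and the numbering restarts at the following item. Indent them to the list item's content column so they render as part of that step, and keep the image after the note as it is now.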
1 change: 1 addition & 0 deletions doc_source/amazon-mq-documentation-history.md
@@ -5,6 +5,7 @@ The following table lists changes to the *Amazon MQ Developer Guide*\. For Amazo

| Date | Documentation Update |
| --- | --- |
| July 30, 2018 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-documentation-history.html) |
| July 19, 2018 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-documentation-history.html) |
| July 5, 2018 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-documentation-history.html) |
| June 29, 2018 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-documentation-history.html) |
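Review bot: The new July 30, 2018 row carries only the generic "[See the AWS documentation website for more details]" placeholder, so the history table does not say what changed. The matching release-notes row in this commit already has the one-line description (general and audit logs to CloudWatch Logs, linking to amazon-mq-configuring-cloudwatch-logs.md); reuse it here so the history is readable without leaving the repository.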
2 changes: 1 addition & 1 deletion doc_source/amazon-mq-logging-cloudtrail.md
@@ -3,7 +3,7 @@
Amazon MQ is integrated with AWS CloudTrail, a service that provides a record of the Amazon MQ calls that a user, role, or AWS service makes\. CloudTrail captures API calls related to Amazon MQ brokers and configurations as events, including calls from the Amazon MQ console and code calls from Amazon MQ APIs\. For more information about CloudTrail, see the *[AWS CloudTrail User Guide](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/)*\.

**Note**
CloudTrail doesn't log API calls related to ActiveMQ operations \(for example, sending and receiving messages\) or to the ActiveMQ Web Console\.
CloudTrail doesn't log API calls related to ActiveMQ operations \(for example, sending and receiving messages\) or to the ActiveMQ Web Console\. To log information related to ActiveMQ operations, you can [configure Amazon MQ to publish general and audit logs to Amazon CloudWatch Logs](amazon-mq-configuring-cloudwatch-logs.md)\.

Using the information that CloudTrail collects, you can identify a specific request to an Amazon MQ API, the IP address of the requester, the requester's identity, the date and time of the request, and so on\. If you configure a *trail*, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket\. If you don't configure a trail, you can view the most recent events in the event history in the CloudTrail console\. For more information, see [Overview for Creating a Trail](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) in the *[AWS CloudTrail User Guide](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/)*\.

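Review bot: The added sentence says general and audit logs cover "information related to ActiveMQ operations", but the new page defines them more narrowly: general logging is the broker's `INFO`-level `activemq.log`, and audit logging records management actions taken through JMX or the ActiveMQ Web Console. Because the preceding sentence gives "sending and receiving messages" as the example of what CloudTrail omits, readers may expect per-message logging that neither log provides. Suggested wording: "To log broker activity and management actions taken via JMX or the ActiveMQ Web Console, you can configure Amazon MQ to publish general and audit logs to Amazon CloudWatch Logs".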
5 changes: 3 additions & 2 deletions doc_source/amazon-mq-monitoring-logging.md
@@ -1,7 +1,8 @@
# Monitoring and Logging Amazon MQ<a name="amazon-mq-monitoring-logging"></a>
# Monitoring and Logging Amazon MQ Brokers<a name="amazon-mq-monitoring-logging"></a>

This section provides information about monitoring and logging Amazon MQ broker activity\.

**Topics**
+ [Monitoring Amazon MQ Using CloudWatch](amazon-mq-monitoring-cloudwatch.md)
+ [Logging Amazon MQ API Calls Using CloudTrail](amazon-mq-logging-cloudtrail.md)
+ [Logging Amazon MQ API Calls Using CloudTrail](amazon-mq-logging-cloudtrail.md)
+ [Configuring Amazon MQ to Publish Logs to Amazon CloudWatch Logs](amazon-mq-configuring-cloudwatch-logs.md)
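Review bot: The new Topics entry title "Configuring Amazon MQ to Publish Logs to Amazon CloudWatch Logs" does not match the page's H1 and the index.md entry added in this same commit, which both read "Configuring Amazon MQ to Publish General and Audit Logs to Amazon CloudWatch Logs". Use the same title here. The CloudTrail entry is removed and re-added with identical text, presumably a trailing-newline change; fine, but worth confirming nothing else differs.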
1 change: 1 addition & 0 deletions doc_source/amazon-mq-release-notes.md
@@ -5,6 +5,7 @@ The following table lists Amazon MQ feature releases and improvements\. For chan

| Date | Feature Release |
| --- | --- |
| July 30, 2018 | You can configure Amazon MQ to publish general and audit logs to Amazon CloudWatch Logs\. For more information, see [Configuring Amazon MQ to Publish General and Audit Logs to Amazon CloudWatch Logs](amazon-mq-configuring-cloudwatch-logs.md)\. |
| July 25, 2018 | Amazon MQ is available in the Asia Pacific \(Tokyo\) and Asia Pacific \(Seoul\) Regions in addition to the following regions:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-release-notes.html) |
| July 19, 2018 | You can use AWS CloudTrail to log Amazon MQ API calls\. For more information, see [Logging Amazon MQ API Calls Using AWS CloudTrail](amazon-mq-logging-cloudtrail.md)\. |
| June 29, 2018 | In addition to mq\.t2\.micro and mq\.m4\.large, the following broker instance types are available for regular development, testing, and production workloads that require high throughput: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-release-notes.html)For more information, see [Instance Types](broker.md#broker-instance-types)\. |
3 changes: 2 additions & 1 deletion doc_source/index.md
@@ -52,9 +52,10 @@ Amazon's trademarks and trade dress may not be used in
+ [Connecting to Amazon MQ](connecting-to-amazon-mq.md)
+ [Ensuring Effective Amazon MQ Performance](ensuring-effective-amazon-mq-performance.md)
+ [Limits in Amazon MQ](amazon-mq-limits.md)
+ [Monitoring and Logging Amazon MQ](amazon-mq-monitoring-logging.md)
+ [Monitoring and Logging Amazon MQ Brokers](amazon-mq-monitoring-logging.md)
+ [Monitoring Amazon MQ Brokers Using Amazon CloudWatch](amazon-mq-monitoring-cloudwatch.md)
+ [Logging Amazon MQ API Calls Using AWS CloudTrail](amazon-mq-logging-cloudtrail.md)
+ [Configuring Amazon MQ to Publish General and Audit Logs to Amazon CloudWatch Logs](amazon-mq-configuring-cloudwatch-logs.md)
+ [Amazon MQ Security](amazon-mq-security.md)
+ [API Authentication and Authorization for Amazon MQ](amazon-mq-api-authentication-authorization.md)
+ [Messaging Authentication and Authorization for ActiveMQ](activemq-authentication-authorization.md)
