diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/add-metrics-dashboard.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/add-metrics-dashboard.png index 12e53c3484..5eadc1adcf 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/add-metrics-dashboard.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/add-metrics-dashboard.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/add-permmissions-access-key.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/add-permmissions-access-key.png deleted file mode 100644 index c26ee2d3b6..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/add-permmissions-access-key.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-cloudwatch-default.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-cloudwatch-default.png deleted file mode 100644 index 71d092b0c7..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-cloudwatch-default.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-cloudwatch.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-cloudwatch.png deleted file mode 100644 index b716fe0863..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-cloudwatch.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-env.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-env.png deleted file mode 100644 index 986796abc8..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-env.png and /dev/null differ 
diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-sample.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-sample.png deleted file mode 100644 index 27230d6d65..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-access-keys-sample.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-get-region.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-get-region.png index e0612e4f49..d1b2207e91 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-get-region.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/aws-get-region.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-dashboard-custom-logger.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-dashboard-custom-logger.png index 00f49d6bae..6af23cc5fb 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-dashboard-custom-logger.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-dashboard-custom-logger.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-dashboard.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-dashboard.png index c36b918428..fccd421987 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-dashboard.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-dashboard.png differ 
diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-fusionauth-apikey.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-fusionauth-apikey.png deleted file mode 100644 index e9f5c07572..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-fusionauth-apikey.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-fusionauth-applications-id.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-fusionauth-applications-id.png index 3d35569776..b65b127afe 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-fusionauth-applications-id.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/cloudwatch-fusionauth-applications-id.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/connected-ec2.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/connected-ec2.png deleted file mode 100644 index 11a0bbdfc4..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/connected-ec2.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-api-key-fusionauth.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-api-key-fusionauth.png index 047586f537..a14aec177d 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-api-key-fusionauth.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-api-key-fusionauth.png differ 
diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-aws-account.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-aws-account.png index 252dc5ffef..dce4b0b3a9 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-aws-account.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-aws-account.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-aws-cloudwatchagnetrole.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-aws-cloudwatchagnetrole.png index fc3a06ccd1..470a98aa80 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-aws-cloudwatchagnetrole.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-aws-cloudwatchagnetrole.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-dashboard-widget-custom-logger.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-dashboard-widget-custom-logger.png index 63932f00ef..3277892a17 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-dashboard-widget-custom-logger.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-dashboard-widget-custom-logger.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-dashboard-widget.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-dashboard-widget.png index 2cef7895c3..09510d1f8a 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-dashboard-widget.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-dashboard-widget.png differ 
diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-ec2-success.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-ec2-success.png index ffef16192b..c414373e8d 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-ec2-success.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-ec2-success.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-ecs-instance-settings-1.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-ecs-instance-settings-1.png index caede7ec88..3ebebf674c 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-ecs-instance-settings-1.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-ecs-instance-settings-1.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-key-pair.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-key-pair.png index 6254ce0974..f07b68be71 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-key-pair.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-key-pair.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-log-table-widget.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-log-table-widget.png index 0965aa1f1b..b66f57e47e 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-log-table-widget.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/create-log-table-widget.png differ 
diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/ec2-instance-overview.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/ec2-instance-overview.png index a0c7202c7c..d328481b0e 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/ec2-instance-overview.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/ec2-instance-overview.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/edit-aws-cloudwatchagent-user.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/edit-aws-cloudwatchagent-user.png deleted file mode 100644 index d9bf80e904..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/edit-aws-cloudwatchagent-user.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/login-record-api-key-fusionauth.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/login-record-api-key-fusionauth.png index 930e1969dc..330f35b1d7 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/login-record-api-key-fusionauth.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/login-record-api-key-fusionauth.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-cloudwatch-dashboard-home.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-cloudwatch-dashboard-home.png deleted file mode 100644 index ab2d44fcc5..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-cloudwatch-dashboard-home.png and /dev/null differ 
diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-ec2.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-ec2.png deleted file mode 100644 index c1eba7cc87..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-ec2.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-iam-roles.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-iam-roles.png index 604fcd5360..9c81789829 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-iam-roles.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/navigate-iam-roles.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/open-port-9011.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/open-port-9011.png index 7fb481957b..8eb2293f13 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/open-port-9011.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/open-port-9011.png differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/open-ports-opened.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/open-ports-opened.png deleted file mode 100644 index ff6c85d38f..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/open-ports-opened.png and /dev/null differ diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/security-inbound-rules.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/security-inbound-rules.png deleted file mode 100644 index e01562f631..0000000000 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/security-inbound-rules.png and /dev/null differ 
diff --git a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/select-dashboard-options.png b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/select-dashboard-options.png index 140c3f0a36..1f43134847 100644 Binary files a/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/select-dashboard-options.png and b/astro/public/img/docs/operate/secure-and-monitor/cloudwatch/select-dashboard-options.png differ diff --git a/astro/src/content/docs/operate/secure-and-monitor/cloudwatch.mdx b/astro/src/content/docs/operate/secure-and-monitor/cloudwatch.mdx index 2e60430e01..b508038b7e 100644 --- a/astro/src/content/docs/operate/secure-and-monitor/cloudwatch.mdx +++ b/astro/src/content/docs/operate/secure-and-monitor/cloudwatch.mdx @@ -7,13 +7,14 @@ subcategory: secure and monitor --- import Aside from 'src/components/Aside.astro'; import ScrollRef from 'src/components/ScrollRef.astro'; +import Breadcrumb from 'src/components/Breadcrumb.astro'; import IconButton from 'src/components/IconButton.astro'; import InlineField from 'src/components/InlineField.astro'; import InlineUIElement from 'src/components/InlineUIElement.astro'; ## Overview -Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics for your resources and applications. Additionally, you can create custom dashboards to display metrics for your custom applications or to show custom collections of metrics. +Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real-time. You can use CloudWatch to collect and track metrics for your resources and applications. Additionally, you can create dashboards to display metrics for your applications or to show custom collections of metrics. This guide will show you how to: 
@@ -21,88 +22,115 @@ This guide will show you how to: - Set up a custom collector agent to send data to Amazon CloudWatch. - Create a dashboard in Amazon CloudWatch to view metrics. -We'll also take a look at which FusionAuth metrics are useful in Amazon CloudWatch. -Please go through the [FusionAuth guide to monitoring for an overview of the available metrics.](/docs/operate/secure-and-monitor/monitor) -For an overview of the metrics you can collect with Amazon CloudWatch agent, review the [CloudWatch agent metrics document](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/metrics-collected-by-CloudWatch-agent.html). +We'll also take a look at which FusionAuth metrics are useful in Amazon CloudWatch. Please read the [FusionAuth guide to monitoring for an overview of the available metrics](/docs/operate/secure-and-monitor/monitor). For an overview of the metrics you can collect with Amazon CloudWatch agent, review the [CloudWatch agent metrics document](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/metrics-collected-by-CloudWatch-agent.html). -## Set Up A Amazon Account +## Set Up Your Amazon Account - To use CloudWatch, you must sign in to your Amazon account. If you don't have one, navigate to the [AWS website](https://aws.amazon.com/) and click Create an AWS Account to create one. +You need an Amazon account to use CloudWatch. If you don't already have an Amazon account, navigate to the [AWS website](https://aws.amazon.com/) and click Create an AWS Account. Create an AWS Account -You must complete the email address and AWS account on the next page. Click on the Verify email button. You will receive an email with a verification code in the email address provided. -Copy the code from the email, and paste it in the field provided. Click the button to continue. If the verification was successful, you must enter and confirm a secure password for the root user. 
+When you have provided your details, verified your email, and completed the account creation process, you will need to set up permissions for the CloudWatch agent to access AWS resources and communicate with Amazon EC2 and AWS Systems Manager. You will need to create an IAM role for the CloudWatch agent on an Amazon EC2 instance, and an IAM user for the CloudWatch agent on an on-premises server. -The rest of the process will consist of personal details, billing information, confirming your identity with AWS, and choosing a support plan. -You can follow the on-screen instructions and click on Continue to proceed to the next step. +### Create An IAM Role For The CloudWatch Agent On An EC2 Instance -Access to AWS resources requires permissions. You can create IAM roles and users that include the permissions needed for the CloudWatch agent to write metrics to CloudWatch and for the CloudWatch agent to communicate with Amazon EC2 and AWS Systems Manager. You use IAM roles on Amazon EC2 instances, and you use IAM users with on-premises servers. +First create an IAM role to use the CloudWatch agent on Amazon EC2. -### Create IAM roles to use with the CloudWatch agent on Amazon EC2 instances - -In your AWS console Navigate to **Services -> IAM -> Roles**. +In your AWS console, navigate to Services -> IAM -> Roles. Create an AWS Role -Click on the Create role button in the top left.   -- Under Select type of trusted entity, choose AWS service. -- Under use cases, choose EC2,and then choose next. -- In the list of policies, select the check box next to CloudWatchAgentServerPolicy. If necessary, use the search box to find the policy. Click next. -- To use Systems Manager to install or configure the CloudWatch agent, select the box next to AmazonSSMManagedInstanceCore. This AWS-managed policy enables an instance to use the Systems Manager service core functionality. If necessary, use the search box to find the policy. 
This policy isn't required if you start and configure the agent only through the command line. -- Enter the name `CloudWatchAgentServerRole` and a description and click on Create role. +Click the Create role button in the top left. + +- On the "Select trusted entity" step 1, choose "AWS service" on the "Trusted entity type". +- Under "Use case", choose "EC2",and then click Next. +- In the list of policies, select the checkbox next to `CloudWatchAgentServerPolicy`. If necessary, use the search box to find the policy. +- To use Systems Manager to install or configure the CloudWatch agent, select the checkbox next to `AmazonSSMManagedInstanceCore`. This AWS-managed policy enables an instance to use the Systems Manager service core functionality. If necessary, use the search box to find the policy. This policy isn't required if you start and configure the agent only through the command line. Click Next. +- Enter the name `CloudWatchAgentServerRole` and a description, and click on Create role. Create an AWS Role Details -### Create IAM user to use with the CloudWatch agent +### Create An IAM User For The CloudWatch Agent On An On-Premises Server -Now create the IAM user necessary for the CloudWatch agent to write data to CloudWatch: +Now create the IAM user necessary for the CloudWatch agent to write data to CloudWatch. -In your AWS console Navigate to **Services -> IAM -> Users**. -- Click on the Create user button in the top left. Enter CloudWatchAgentUser as the name and click Next. -- For permissions: Choose `Attach existing policies directly` -- In the list of policies, select the check box next to CloudWatchAgentServerPolicy, CloudWatchFullAccess and CloudWatchFullAccessV2. If necessary, use the search box to find the policy. To use Systems Manager to install or configure the CloudWatch agent, select the box next to AmazonSSMManagedInstanceCore. This AWS-managed policy enables an instance to use the Systems Manager service core functionality. 
(If necessary, use the search box to find the policy. This policy isn't required if you start and configure the agent only through the command line.). Click Next and Create user. +In your AWS console, navigate to Services -> IAM -> Users. -You need to add `CloudWatchAgentPutLogsRetention` and generate an access key for this user. -Click on the user in the screen that you navigated to after creating the user above (Overview Screen). +Click the Create user button in the top left. -Edit an AWS user Details +- Enter `CloudWatchAgentUser` as the name and click Next. +- For permissions, choose "Attach policies directly". +- In the list of policies, select the checkbox next to `CloudWatchAgentServerPolicy`, `CloudWatchFullAccess`, and `CloudWatchFullAccessV2`. If necessary, use the search box to find the policies. +- To use Systems Manager to install or configure the CloudWatch agent, select the box next to `AmazonSSMManagedInstanceCore`. This AWS-managed policy enables an instance to use the Systems Manager service core functionality. If necessary, use the search box to find the policy. This policy isn't required if you start and configure the agent only through the command line. +- Click Next and then Create user. -- To grant the log retention policy click on AddPermission and choose inline policy . On the Next screen choose JSON and replace the JSON with the code below and click on Next when done to name and create the policy for the user. +Add a `PutRetentionPolicy` to the CloudWatch agent user. -``` json +- On the Users overview page, click on the `CloudWatchAgentUser` name. +- Click the Add permissions dropdown and choose Create inline policy. +- On the next screen, choose JSON on the "Policy editor" and replace the JSON with the code below. 
+ +```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:PutRetentionPolicy", - "Resource": "*" - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "logs:PutRetentionPolicy", + "Resource": "*" + } + ] } ``` -- To create an access key for the users, click on Create access key on the user overview screen above. -- choose "Application running outside AWS", click on Next and Create access key. -- You now have the Access key and the secret Access key and must save it because it will be used later in the configuration. +- Click Next. +- Give the policy a name and click Create policy. + +Generate an access key for the CloudWatch agent user. -The access keys will look like this: -Access keys sample +- Click on Create access key on the `CloudWatchAgentUser` overview page. +- Select "Application running outside AWS" and click Next. +- Click Create access key. + +The access keys will look something like this: + +```sh +aws_access_key_id = your_key_id +aws_secret_access_key = your_access_key +``` + +Save the access and secret access keys to use later. + +## Set Up A Collector To Receive Data From FusionAuth + +Now you will build a FusionAuth Docker image that has the CloudWatch agent installed. + + -## Set Up A Collector To Receive Data From FusionAuth +Save the Dockerfile from the [FusionAuth containers repo](https://github.com/FusionAuth/fusionauth-containers/blob/master/docker/fusionauth/fusionauth-app/Dockerfile) to your working directory on your computer. + -Now you will build a FusionAuth Docker image that has the CloudWatch Agent installed using the installation command from the instructions page. +Edit the Dockerfile and replace line 92 `&& apt-get -y install --no-install-recommends curl \` with `&& apt-get -y install --no-install-recommends curl unzip ca-certificates sudo \`. This adds the `unzip`, `sudo`, and `ca-certificates` packages to the image. 
+ +Replace the section marked with the comment "###### Connect the log file to stdout" with the following configuration. + +``` +###### Connect the log file to stdout ############################################################# +RUN mkdir -p /usr/local/fusionauth/logs \ + && touch /usr/local/fusionauth/logs/fusionauth-app.log \ + && chown -R fusionauth:fusionauth /usr/local/fusionauth/logs/ +``` -First, save the Dockerfile from the [FusionAuth containers repo](https://github.com/FusionAuth/fusionauth-containers/blob/master/docker/fusionauth/fusionauth-app/Dockerfile) to your computer. Edit the Dockerfile file and insert the following lines above the comment "###### Start FusionAuth App". +Insert the following lines above the comment "###### Start FusionAuth App". Replace `eu-north-1` with the region your AWS account uses. If the incorrect region is used here, it may take a long time to download when you build the Docker image. ``` ### NEW FOR CloudWatch ### @@ -112,7 +140,7 @@ RUN curl -O https://amazoncloudwatch-agent-eu-north-1.s3.eu-north-1.amazonaws.co && rm ./amazon-cloudwatch-agent.deb - # Add fusionauth user to sudo group +# Add FusionAuth user to sudo group RUN usermod -aG sudo fusionauth RUN echo "fusionauth ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers 
@@ -124,84 +152,95 @@ ENV RUN_IN_CONTAINER=True ### END CloudWatch ### ``` -This configuration downloads the CloudWatch Agent installation package from https://amazoncloudwatch-agent-eu-north-1.s3.eu-north-1.amazonaws.com/debian/amd64/latest/amazon-cloudwatch-agent.deb sets the environment variables and grants some permissions to complete the installation. +This configuration downloads the CloudWatch agent installation package, sets the environment variables, and grants the FusionAuth user some permissions to complete the installation. - +Replace the last line in the Dockerfile `CMD ["/usr/local/fusionauth/fusionauth-app/bin/start.sh"]` with the following `CMD ["/bin/sh", "-c", "/opt/aws/amazon-cloudwatch-agent/bin/start-amazon-cloudwatch-agent & /usr/local/fusionauth/fusionauth-app/bin/start.sh"]`. -Once the CloudWatch Agent is installed, the configuration `cloudwatch-config.json` is copied into the image to handle the CloudWatch integration. +Build the Dockerfile into a new image instead of the official FusionAuth image. -Now create a `cloudwatch-config.json` file in the same folder as the Dockerfile and add the following configuration to it: +```sh +docker build --platform linux/amd64 -t faimage . +``` + +Now create a `cloudwatch-config.json` file in the same folder as the Dockerfile and add the following configuration to it. 
```json { - "agent": { - "metrics_collection_interval": 60, - "region": "${AWS_REGION}", - "logfile": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log", - "debug": false, - "run_as_user": "fusionauth" - }, - "logs": { - "logs_collected": { - "files": { - "collect_list": [ - { - "file_path": "/usr/local/fusionauth/logs/fusionauth-app.log", - "log_group_name": "fusionauth-logs", - "log_stream_name": "fusionauth-app" - }, - { - "file_path": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log", - "log_group_name": "cloudwatch-logs", - "log_stream_name": "fusionauth-app" - }, - { - - "file_path": "/var/log/bootstrap.log", - "log_group_name": "host-bootstrap-logs", - "log_stream_name": "fusionauth-app" - } ] - } - } - }, - "metrics": { - "namespace": "FusionAuth", - "metrics_collected": { - "cpu": { - "resources": ["*"], - "measurement": ["usage_active", "usage_system", "usage_user"] - }, - "mem": { - "measurement": ["used", "total", "used_percent"] - }, - "net": { - "resources": ["*"], - "measurement": ["bytes_sent", "bytes_recv", "packets_sent", "packets_recv"] - } + "agent": { + "metrics_collection_interval": 60, + "region": "${AWS_REGION}", + "logfile": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log", + "debug": false, + "run_as_user": "fusionauth" + }, + "logs": { + "logs_collected": { + "files": { + "collect_list": [ + { + "file_path": "/usr/local/fusionauth/logs/fusionauth-app.log", + "log_group_name": "fusionauth-logs", + "log_stream_name": "fusionauth-app" + }, + { + "file_path": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log", + "log_group_name": "cloudwatch-logs", + "log_stream_name": "fusionauth-app" + }, + { + "file_path": "/var/log/bootstrap.log", + "log_group_name": "host-bootstrap-logs", + "log_stream_name": "fusionauth-app" + } + ] + } + } + }, + "metrics": { + "namespace": "FusionAuth", + "metrics_collected": { + "cpu": { + "resources": [ + "*" + ], + "measurement": [ + 
"usage_active", + "usage_system", + "usage_user" + ] + }, + "mem": { + "measurement": [ + "used", + "total", + "used_percent" + ] + }, + "net": { + "resources": [ + "*" + ], + "measurement": [ + "bytes_sent", + "bytes_recv", + "packets_sent", + "packets_recv" + ] + } + } } - } } ``` -In the above configuration, you set up the region for the CloudWatchAgent, some logs to collect and display as well as the metrics we are interested in. -We specify a namespace `FusionAuth' for the metrics and log_group_name and log_stream_names for the log files to find it when we create a dashboard. - -Build the Dockerfile into a new image instead of the official FusionAuth image. - +In the above configuration, you set up the region for the CloudWatch agent, some logs to collect and display, and the metrics we are interested in. The log_group_name and log_stream_name values are specified for the log files and the `FusionAuth` namespace for the metrics. -```sh -docker build --platform linux/amd64 -t faimage . -``` +Next, save the [`docker-compose.yml`](https://github.com/FusionAuth/fusionauth-containers/blob/main/docker/fusionauth/docker-compose.yml) and sample [`.env`](https://github.com/FusionAuth/fusionauth-containers/blob/main/docker/fusionauth/.env) files from the FusionAuth containers repo. -Save the [`docker-compose.yaml`](https://github.com/FusionAuth/fusionauth-containers/blob/main/docker/fusionauth/docker-compose.yml) and sample [`.env`](https://github.com/FusionAuth/fusionauth-containers/blob/main/docker/fusionauth/.env) files from the FusionAuth containers repo. +In the `docker-compose.yml` file, change the line `image: fusionauth/fusionauth-app:latest` to point to the image you have just built, `image: faimage:latest`. -In the `docker-compose.yaml` file, change the line `image: fusionauth/fusionauth-app:latest` to point to the image you have just built `image: faimage:latest`. 
-In the `fusionauth` service also replace the `volumes:` section with the code configuration below: +On the `fusionauth` service, replace the `volumes:` section with the code configuration below. -``` yaml +```yaml volumes: - fusionauth_config:/usr/local/fusionauth/config # NEW FOR CLOUDWATCH @@ -212,8 +251,8 @@ volumes: In the `environment:` section under the `fusionauth:` service, add the following environment variable for the AWS region. -``` yaml - environment: +```yaml +environment: DATABASE_URL: jdbc:postgresql://db:5432/fusionauth DATABASE_ROOT_USERNAME: ${POSTGRES_USER} DATABASE_ROOT_PASSWORD: ${POSTGRES_PASSWORD} @@ -225,10 +264,9 @@ In the `environment:` section under the `fusionauth:` service, add the following SEARCH_SERVERS: http://search:9200 SEARCH_TYPE: elasticsearch AWS_REGION: eu-north-1 # Replace with your AWS region, e.g., us-west-2 NEW for cloudwatch - healthcheck: ``` -Now, in the same folder as the Dockerfile create a .aws folder with a file called credentials with the command below: +Now, in the same folder as the Dockerfile, create a `.aws` folder with a file called `credentials` using the command below. ```sh mkdir .aws @@ -236,14 +274,15 @@ cd .aws touch credentials ``` -Now, add the following access keys to the credentials file(this were created when the AWS account was set up earlier): - -CloudWatch agent Access keys - -The configuration above is for this guide only, and you must replace it with your own. +Add the AWS access keys you created previously to the `credentials` file. +```sh +[AmazonCloudWatchAgent] +aws_access_key_id = your_key_id +aws_secret_access_key = your_access_key +``` -To start the services, run the following command in the terminal you used to save the `docker-compose.yaml` file. +To start the services, run the following command in the terminal you used to save the `docker-compose.yml` file. ```sh docker compose up -d 
@@ -253,89 +292,94 @@ docker compose up -d Let's create a dashboard on CloudWatch to visualize the data received from FusionAuth. -In the AWS UI, navigate to Services -> CloudWatch -> Dashboard. -Navigate to Dashboards +In the AWS UI, navigate to Services -> CloudWatch -> Dashboards. + +Click Create dashboard. Give the dashboard a Name, for example, `FusionAuthDashboard`, and click Create dashboard. -Now, click on Create dashboard. -Give the dashboard a Name i.e. FusionAuthDashboard. Click on Create dashboard to create the new dashboard. +On the next screen, you have a few options to choose from to configure the dashboard Widget: + +- For Data source types, choose `CloudWatch`. +- For Data type, choose `Metrics`. +- For Widget type, choose `Line`. Select Options For The Dashboards -On the Next screen, you have a few options to choose from to configure the dashboard Widget -- For data source types, choose CloudWatch -- For data type, choose Metrics. We will use logs later. -- For widget type, choose Line. Click on Next. -Next, you will need to add metrics to your widget and configure some options. Set a time preference Choose "Past 1h" and give your graph a title. You can also set the refresh interval. +Click Next. + +Now you can add metrics to the widget and configure some options. Give your graph a title and choose "1h" for the time preference. You can also set the refresh interval from the dropdown on the far right. + Add Metrics To The Dashboards -Click on the `FusionAuth` namespace that we configured for the CloudWatch agent in the docker container. Click on CPU, and select all the CPU's options. Now, click Create widget. +Click on the `FusionAuth` namespace, then click on CPU. Select all the CPU options and click Create widget. + Create The Dashboards -Using the same method as above you can also add logs to the dashboard, Click on the `+` in the right hand corner to add another widget. +Using the same method as above, you can also add logs to the dashboard. 
Click on the + in the right-hand corner to add another widget. + +On the create widget screen, configure the dashboard logs widget as follows: -On the Next screen, you have a few options to choose from to configure the dashboard Widget -- For data source types, choose CloudWatch -- For data type, choose Logs. -- For widget type, choose Logs table. Click on Next. +- For Data source types, choose `CloudWatch`. +- For Data type, choose `Logs`. +- For Widget type, choose `Logs table`. + +Click Next. Add A Log Table To The Dashboards -Click on Browse log groups, select a log group/stream that was configured in the CloudWatch agent configuration, like `cloudwatch-logs`, and click Run query. If data was received on the selected stream it will show below. Click Create Widget to add the new log table to the dashboard. +Click Browse log groups and select a log group or stream configured in the CloudWatch agent configuration, like `fusionauth-logs`. Click Run query. If data has been received on the selected stream, it will show in the "Logs" section. Click Create Widget to add the new log table to the dashboard. -This is how the dashboard will look when some data is received. +This is how the dashboard will look when data is received. Add A Log Table To The Dashboards -## Set Up FusionAuth API Access for Collector +## Set Up FusionAuth API Access For The Collector + +When you create a custom collector later in this guide, you will need FusionAuth API access configured and access to a specific FusionAuth endpoint. -When you create a custom collector later on in this guide, you will need FusionAuth API access configured and access to specific FusionAuth endpoints. We will export login information later, you need to allow access to that endpoint. For other endpoints, similar actions will apply. +To export login information from FusionAuth, you need to allow the custom collector access to the `/api/system/login-record/export` endpoint. 
The steps outlined below can be used to configure access to other endpoints. -- Login to your FusionAuth instance and navigate to **Settings -> API keys**. -- On the top right side of the page, click on the button to add a new API key. +- Log in to your FusionAuth instance and navigate to Settings -> API keys. +- On the top right of the page, click the button to add a new API key. Add API Key For FusionAauth -- Enter a Description for the API Key. +- Enter a Description for the API key. - Scroll down and enable the "GET" permission on the `/api/system/login-record/export` endpoint. Add Access To Login Export For FusionAauth -- Click on the button to save the API Key. -- After saving the API key click on the red lock , next to the key that you generated to reveal and copy the value of the key. -- Store this key, as you will need it later in the guide. - -FusionAuth API Key - -- You also need to get the FusionAuth AppId, navigate to **Applications**. and save the Applications Id. - -FusionAuth API Key - - +- Click the button to save the API key. +- After saving the API key, click the red lock next to the key to reveal and copy the value of the key. Store this key, as you will need it later. ## FusionAuth Metrics -FusionAuth offers a wide range of [metrics](/docs/operate/secure-and-monitor/monitor#metrics). which are detailed in the documentation. It's up to you to determine which metrics are important for your monitoring needs. +FusionAuth offers a wide range of [metrics](/docs/operate/secure-and-monitor/monitor#metrics), which are detailed in the documentation. It's up to you to determine which metrics are important for your monitoring needs. ## Mapping FusionAuth Metrics To AWS CloudWatch Metrics CloudWatch gives you actionable insights that help you optimize application performance, manage resource utilization, and understand system-wide operational health. 
CloudWatch provides up to one-second visibility of metrics and logs data, and the ability to perform calculations on metrics. CloudWatch collects, aggregates, and summarizes compute utilization information such as CPU, memory, disk, and network data, as well as diagnostic information such as container restart failures. -The CloudWatch agent supports the counter, gauge, and summary metric types and also handles the sum and count of a summary metric in the same way as it handles counter metrics. -Note that custom services can be written, that can send data available through FusionAuth API endpoints using the AWS API and Watchtower libraries to AWS CloudWatch. You will see an example of this in a later section of this guide. +The CloudWatch agent supports the counter, gauge, and summary metric types, and also handles the sum and count of a summary metric in the same way as it handles counter metrics. + +Note that you can write custom services to send available data to AWS CloudWatch through FusionAuth API endpoints using the AWS API and Watchtower libraries. ## Write A Custom Service To Send Data To The API -We will create a Python application that exports the login records every 60 seconds and sends them to CloudWatch in AWS. This is for demo purposes in real live, it would most likely be every 60 minutes. All the FusionAuth APIs that give you event data are documented [here](/docs/apis). The login records API is documented [here](/docs/apis/login#request-6). +The Python application below exports login records every 60 seconds and sends them to CloudWatch in AWS. This script is for demo purposes. In real-world scenarios, records would more likely be sent every 60 minutes. + +All the FusionAuth APIs providing event data are documented [here](/docs/apis), and the login records API is documented [here](/docs/apis/login#request-6). + +The FusionAuth APIs export events as zip files — you will not get JSON or YAML data in memory. 
The application will get the zip file, extract it, read it, format the entries for CloudWatch, and upload them. + +Since FusionAuth API access is needed, see the section on . -The Fusion auth APIs export events as zip files — you will not get JSON or YAML data in memory. The applications will get the zip file, extract it, read it, format the entries for CloudWatch, and upload them. +You will also need to get your FusionAuth app Id. In the FusionAuth UI, navigate to Applications and copy and save the Id for your application. -Since FusionAuth API access is needed, [see section Set Up FusionAuth API Access for Collector](#set-up-fusionauth-api-access-for-collector), to set it up. +FusionAuth API Key + +Save the following Python script to a file `cloudwatch_logger.py` in a new folder. -``` python +```python import boto3 import watchtower import logging @@ -455,15 +499,13 @@ if __name__ == "__main__": main() ``` -Save the Python application in a new folder and name the application cloudwatch_logger.py. - -Add a new Dockerfile in the same folder with: +Add a new Dockerfile in the same folder with the following command. ```sh touch Dockerfile ``` -Add the following to the file created above: +Add the following to the file created above. ```sh FROM python:3.9-slim 
@@ -478,46 +520,60 @@ COPY cloudwatch_logger.py . CMD ["python", "cloudwatch_logger.py"] ``` -This Dockerfile will create a new container that will run the `cloudwatcher.py` application and export and upload the login data from fusionauth to CloudWatch. The applications require some packages, watchtower and boto3, which are used for communicating with AWS CloudWatch. Add the `requirements.txt` in the same folder next. +This Dockerfile will create a new container that will run the `cloudwatch_logger.py` application and export and upload the login data from FusionAuth to CloudWatch. The application requires some packages, Watchtower, and Boto3, which are used for communicating with AWS CloudWatch. + +Add the `requirements.txt` file to the same folder. ```sh touch requirements.txt ``` +Add the dependencies. + ```sh boto3==1.26.90 watchtower==3.0.1 requests==2.28.2 ``` +Create a new `.aws` folder. + ```sh mkdir .aws cd .aws touch credentials -toch config +touch config ``` -Add the following access keys to the credentials file (these were created when the AWS account was set up earlier): - -CloudWatch agent Access Keys Default Profile +Add the AWS access keys you created earlier to the credentials file: +``` +AWS_ACCESS_KEY_ID=your_key_id +AWS_SECRET_ACCESS_KEY=your_access_key +``` -Add the following region info in the configuration file: +Add the following region info in the configuration file (remember to use the region for your AWS account): ``` [default] region = eu-north-1 ``` -Although these are similar to the AWS credentials that were set up earlier when we used the cloud agent in the fusionauth docker example, these use the `default` profile instead of the `AmazonCloudWatchAgent` we used before. +Although these credentials are similar to the AWS credentials that were set up earlier when we used the CloudWatch agent in the FusionAuth Docker example, these use the `default` profile instead of the `AmazonCloudWatchAgent` we used previously. 
The configuration above is for this guide only, and you must replace it with your own. -Finally, we add the changes to our fusion-auth docker-compose file: +Build the `Dockerfile` with the following command. + +```sh +docker build --platform linux/amd64 -t cloudwatch-logger . +``` + +Finally, add the following service to the FusionAuth `docker-compose.yml` file. You will need to change the region, access key, secret access key, FusionAuth API key, and FusionAuth app Id to your values. ```yaml cloudwatch-logger: # NEW for custom logging - build: . + image: cloudwatch-logger:latest environment: - AWS_REGION=eu-north-1 - FA_ENDPOINT=http://fusionauth:9011/api/system/login-record/export 
@@ -539,90 +595,92 @@ cloudwatch-logger: # NEW for custom logging - fusionauth ``` -You can add this to the same Docker-compose file we used earlier, as we only add a new service that runs in conjunction with the other Fusionauth services. +You can add this to the same `docker-compose.yml` file we used earlier, as we only add a new service that runs in conjunction with the other FusionAuth services. -Build the `Dockerfile` with: - -```sh -docker build --platform linux/amd64 -t cloudwatch-logger . -``` - -To start the services, run the following command in the terminal you used to save the `docker-compose.yaml` file. +To start the services, run the following command in the terminal you used to save the `docker-compose.yml` file. ```sh docker compose up -d ``` -## Set Up A AWS CloudWatch Dashboard For The Custom Service - -In the Custom Logger created in the previous section, the following log group was specified: `log_group="FusionAuth-CustomLogExporter`. +### Set Up An AWS CloudWatch Dashboard For The Custom Service -You have to use that to set up a dashboard for the logger, using the same steps as in [Set Up A Collector Dashboard](#set-up-a-collector-dashboard). +Now you can set up a dashboard to visualize data collected by the custom logger. -In your AWS console Navigate to **CloudWatch -> Dashboards**.  Add a new dashboard and name it `CloudWatchLogger`, click Create dashboard. +In your AWS console, navigate to CloudWatch -> Dashboards. Add a new dashboard, name it `CloudWatchLogger`, and click Create dashboard. -Select Logs, and keep the defaults for the rest, click Next to continue. +Select `Logs` for Data type and keep the defaults for the remaining options. Click Next. -On the next screen Click Browse log groups and select `FusionAuth-CustomLogExporter` (specified in the Python app). In the query box, delete everything and enter `stats count() by bin(30s)`. 
+The code for the custom logging service specified a `log_group="FusionAuth-CustomLogExporter` log group. On the next screen, click Browse log groups and select `FusionAuth-CustomLogExporter`. In the query box, delete the contents and enter `stats count() by bin(30s)`. -Click Run query. For  Visualization choose Graph type:Bar. +Click Run query. For Visualization, choose `Graph type:Bar`. -You should see some info being plotted on the screen. If not, log in a few times into your Fusionauth instance. If that doesn't work, check the above steps to make sure you did it correctly. +You should see some info being plotted on the screen. If you don't, log in to your FusionAuth instance a few times. If you still don't see any data coming in, retrace the dashboard setup steps. Create A Custom Logger Dashboard Widget -Click Create Widget in the right top corner. - -Click Save, to save the dashboard. +Click Create widget in the top-right corner and click Save to save the dashboard. -You should see your logger info be reflected, +You should see your logger info being reflected. Custom Logger Dashboard Table -Other endpoints/metrics and endpoints can be handled similarly. +You can set up widgets for other endpoints and metrics similarly. -## FusionAuth in an AWS EC2 instance +## Monitoring FusionAuth In An AWS EC2 Instance -Navigate to the EC2 dashboard in the AWS console. -Navigate To EC2 +Navigate to the EC2 dashboard in the AWS console Services -> EC2. -Now lets create the virtual server. Click Launch new instance. Choose a name for the server, -Select Amazon Linux as the Operating system. for the instance type select `t3.medium` as that is the lowest memory allocation that FusionAuth docker will start on successfully. +To create a virtual server, click Launch new instance. Give the server a Name and select "Amazon Linux" as the operating system. You can use the default "Architecture". 
For the instance type, select `t3.medium`, which is the lowest memory allocation that FusionAuth Docker will successfully start on. Create EC2 Instance-1 -Next, generate a key pair to access the server via SSH. Click Create new key pair. Enter a name for the keypair, Choose RSA as the keypair type and .pem as the file format. -Click on create key pair. make sure your created key pair is selected in the dropdown list. The .pem file will be downloaded to your downloads folder. Make sure you copy it to your working directory, because you will need it to SSH to the server later. +Next, generate a key pair to access the server via SSH. Click Create new key pair. Enter a name for the keypair, choose "RSA" as the keypair type, and `.pem` as the file format. Click on Create key pair. Create Key Pair -You should configure and secure the network settings for your environment, we will use default settings for the guide. +The `.pem` file will be downloaded to your downloads folder. Copy the `.pem` file to your working directory so that you can use it to SSH to the server later. -Click Launch instance to create your virtual server. +Return to the launch instance dialog in AWS and make sure the key pair you created is selected in the key pair name dropdown list. + +We'll use the default network configuration and security setting for this guide. In production, you would configure and secure the network settings for your environment here. + +Click Launch instance to create your virtual server. Create EC2 Success -Navigate to the EC2 instance overview screen +Navigate to the EC2 instance overview screen and click on the newly created instance. EC2 Instance Overview -Click on the new instance you created. Select the security tab in the middle and click the launch-wizard. We need to allow port 9011 to allow traffic to FusionAuth. -Click Edit inbound rules. Select Type as custom TCP, choose port 9011 and allow only your IP for testing purposes. -Click Save rules. 
Navigate back to your instance screen and make sure your instance is running. +We need to set port 9011 to allow traffic to FusionAuth. + +Select the security tab in the middle and click the security group under "Security Groups". + +Click Edit inbound rules. Select `Custom TCP` as the Type. Set `9011` for the Port range and select `My IP` as the source for testing purposes. Click Save rules. + EC2 Instance Open Port 9011 +Return to the instance screen and make sure the instance is running. + +Now, find the public IP on the Instance overview screen, then log in to the console by typing the following in the terminal, replacing `16.16.204.161` with your public IP and `test.pem` with the name of your downloaded key pair file. + +First change the permissions of the key file if they are too open -Now, find the public IP on the Instance overview screen so that you can log into the console by typing the following in the terminal: +```sh +chmod 600 test.pem +``` + +Then you can use it to ssh into the instance with the following command ```sh - ssh -i   .\kp-1.pem ec2-user@16.16.204.161 +ssh -i test.pem ec2-user@16.16.204.161 ``` -Answer yes to the fingerprint question and you will now be connected to your EC2 server in the terminal. -EC2 connected +Answer "yes" to the fingerprint question and you will be connected to your EC2 server in the terminal. -Use the following shell commands to set up your EC2 instance with docker,docker-compose and vim. We also create the needed files and folders for the FusionAuth installation. +The following shell commands will set up the EC2 instance with Docker, `docker-compose`, and Vim, and create the necessary files and folders for the FusionAuth installation. ```sh sudo dnf update -y 
@@ -657,56 +715,77 @@ touch .env Log out and log back in to apply the group changes. -Now edit the credentials file, +Now edit the credentials file. + ```sh vim ~/fusionauth-project/.aws/credentials ``` -and add: -CloudWatch agent Access Keys Default Profile +Add the CloudWatch agent access keys. -Save the file. +``` +[default] +aws_access_key_id=your_key_id +aws_secret_access_key=your_access_key +``` + +Save the file by pressing `Esc` and typing `:wq` then pressing `Enter` on your keyboard. + +Next, edit the configuration file. -Next, edit the configuration file, ```sh vim ~/fusionauth-project/.aws/config ``` -and add: + +Add your region. Remember to replace `eu-north-1` with your actual region. ```sh [default] region = eu-north-1 ``` + Save the file. -Now, edit the .env file, +Edit the `.env` file. ```sh vim ~/fusionauth-project/.env ``` -and add: - Access Keys In ENV File +Add the following. -Save the file. +```sh +DATABASE_USERNAME=fusionauth +DATABASE_PASSWORD=hkaLBMBRVnyYeYeq=3W11w2e4Avpy0Wd503s3 +FUSIONAUTH_APP_MEMORY=512M +FUSIONAUTH_APP_RUNTIME_MODE=development +OPENSEARCH_JAVA_OPTS="-Xms512m -Xmx512m" +POSTGRES_USER=postgres +POSTGRES_PASSWORD=postgres +``` +Save the file. -Since there are not any changes to the configuration files, we use the same CloudWatch-config.json, Dockerfile and docker-compose.yml file from  our on-prem docker example [Set Up A Collector To Receive Data From FusionAuth](#set-up-a-collector-to-receive-data-from-fusionauth). -Copy the FusionAuth files over from that working directory using SCP to the EC2 instance using the same .pem file and the folder we created for the Fusionauth project. +Since there are no changes to the configuration files, you can use the same `cloudwatch-config.json`, Dockerfile, and `docker-compose.yml` files from the on-prem Docker example we used to . 
-``` sh +Using SCP, copy the FusionAuth files over from the working directory you used to set up the collector to the EC2 instance using the same `.pem` file and the AWS EC2 folder we created for the FusionAuth project. -scp -i .\kp-1.pem .\cloudwatch-config.json ec2-user@16.16.204.161:~/fusionauth-project/ +```sh +scp -i ./test.pem ./cloudwatch-config.json ec2-user@16.16.204.161:~/fusionauth-project/ #enter -scp -i .\kp-1.pem .\Dockerfile ec2-user@16.16.204.161:~/fusionauth-project/ -enter -scp -i .\kp-1.pem .\docker-compose.yml ec2-user@16.16.204.161:~/fusionauth-project/ +scp -i ./test.pem ./Dockerfile ec2-user@16.16.204.161:~/fusionauth-project/ +``` + +Comment out the `cloudwatch-logger:` service you added to the `docker-compose.yml` file earlier and copy the file to the instance. + +```sh +scp -i ./test.pem ./docker-compose.yml ec2-user@16.16.204.161:~/fusionauth-project/ ``` -SSH back into your EC2 instance and build the FusionAuth image and start the services with docker-compose: +SSH back into your EC2 instance to build the FusionAuth image and start the services with `docker-compose`. ```sh -ssh -i .\kp-1.pem ec2-user@16.16.204.161 +ssh -i ./test.pem ec2-user@16.16.204.161 cd fusionauth-project/ #enter docker build --platform linux/amd64 -t faimage . 
@@ -715,14 +794,14 @@ docker-compose up -d #enter ``` -Now navigate to  http://16.16.204.161:9011/ (use user EC2 instance public IP here), and configure your FusionAuth instance on EC2. +Now navigate to `http://your_instance_public_ip:9011/` (use your EC2 instance public IP here), as configured in your FusionAuth instance on EC2. -If you go to the dashboard and add new widgets to monitor the EC2 FusionAuth instance you will find it is now pushing data to AWS CloudWatch from the EC2 docker instance. +If you return to the CloudWatch dashboard and add widgets to monitor the EC2 FusionAuth instance, you will find data is now being pushed to CloudWatch from the EC2 Docker instance. ## Further Reading -- [What is CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) -- [Amazon CloudWatch Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html) -- [Getting Set up](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/GettingSetup.html) -- [Metrics Collected by CloudWatch Agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/metrics-collected-by-CloudWatch-agent.html) -- [CloudWatch Agent Configuration](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html#CloudWatch-Agent-Configuration-File-Agentsection) \ No newline at end of file +- [Overview of CloudWatch from the AWS documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) +- [Amazon CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html) +- [AWS guide to getting set up with CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/GettingSetup.html) +- [AWS guide to the metrics collected by the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/metrics-collected-by-CloudWatch-agent.html) +- [How to configure 
the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html#CloudWatch-Agent-Configuration-File-Agentsection)
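Review bot: in the first hunk of this file (the one that ends just before `@@ -212,8 +251,8 @@`), the visible lines delete the `docker build --platform linux/amd64 -t faimage .` step, yet the new text still tells the reader to point Compose at "the image you have just built, `image: faimage:latest`". Unless the build command was re-added higher up in the same hunk, the reader reaches this step with no `faimage` image to reference and `docker compose up -d` will fail to find it. Keep the build command directly before the `docker-compose.yml` edit, or confirm that it now appears above this point.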
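Review bot: in the hunk at `@@ -236,14 +274,15 @@`, the new `[AmazonCloudWatchAgent]` block puts long-lived access keys in a `.aws/credentials` file that sits in the same folder as the Dockerfile, and nothing tells the reader to keep that file out of version control or out of the image build context. Add one sentence after the block asking readers to list `.aws/` in `.gitignore` and `.dockerignore` and to restrict the file's permissions. The placeholders `your_key_id` and `your_access_key` are a good replacement for the deleted screenshot, but the fence is tagged `sh` although the content is an INI-style credentials file, so an untagged fence or `ini` would be more accurate.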
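Review bot: in the hunk at `@@ -253,89 +292,94 @@`, the added sentence "Since FusionAuth API access is needed, see the section on ." ends without a link target, while the line it replaces linked to `#set-up-fusionauth-api-access-for-collector`. The same hunk renames that heading to "Set Up FusionAuth API Access For The Collector", which changes the generated anchor, so any remaining link to the old slug will break. Restore the reference with the new anchor and search the docs for the old one. Separately, the example log group in the dashboard step changes from `cloudwatch-logs` to `fusionauth-logs`; check that this matches the `log_group_name` in the agent configuration earlier in the file.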
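Review bot: in the hunk at `@@ -478,46 +520,60 @@`, the block added for the `credentials` file uses environment-variable syntax (`AWS_ACCESS_KEY_ID=your_key_id`, `AWS_SECRET_ACCESS_KEY=your_access_key`) with no profile header, but the paragraph that follows says these credentials "use the `default` profile". The AWS shared credentials file expects a `[default]` section with lowercase `aws_access_key_id` and `aws_secret_access_key` keys, which is the form this same patch uses in the EC2 section, so the file as written here will not be read as a default profile. Use the `[default]` form in both places. The sentence "The application requires some packages, Watchtower, and Boto3" also has a stray comma that makes the list read as three items.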
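Review bot: in the hunk at `@@ -539,90 +595,92 @@`, the inline code `log_group="FusionAuth-CustomLogExporter` is missing its closing double quote, so the rendered snippet does not match the assignment in the Python script. The two sentences added before the `chmod 600 test.pem` and `ssh -i test.pem ...` blocks have no closing punctuation, and "Navigate to the EC2 dashboard in the AWS console Services -> EC2." needs a separator before "Services". The dashboard heading also drops from `##` to `###`, which moves it under "Write A Custom Service To Send Data To The API" in the table of contents; confirm that this is intended. Restricting the 9011 inbound rule to `My IP` and tightening the key file permissions before the first SSH connection are both good additions.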
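Review bot: in the hunk at `@@ -657,56 +715,77 @@`, the new `.env` block replaces a screenshot with literal secrets: `DATABASE_PASSWORD` is a realistic-looking value that readers will paste unchanged, `POSTGRES_PASSWORD=postgres` is a default credential, and `FUSIONAUTH_APP_RUNTIME_MODE=development` is being set on an instance that has a public IP. Use obvious placeholders, as the credentials blocks in this patch already do with `your_key_id`, and add a sentence telling the reader to choose their own passwords. The sentence "from the on-prem Docker example we used to ." is also cut off where the old text linked to the collector section, and the first `scp` block keeps one `#enter` comment while the plain `enter` line was removed, so drop the remaining one for consistency.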
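Review bot: in the hunk at `@@ -715,14 +794,14 @@`, the rewrite of the navigation sentence changes its meaning: the old line told the reader to open the URL "and configure your FusionAuth instance on EC2", while the new line ends "as configured in your FusionAuth instance on EC2", which drops the instruction to run the setup. Restore the action, for example "and complete the FusionAuth setup for the EC2 instance". The `http://your_instance_public_ip:9011/` placeholder is a clear improvement over the hard-coded address. The last changed line still carries "\ No newline at end of file", so consider adding the trailing newline.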