This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

CloudWatch

Axoflow can collect data from your Amazon CloudWatch. At a high level, the process looks like this:

  • Deploy an Axoflow Cloud Connector that will collect the data from your CloudWatch. Axoflow Cloud Connector is a simple container that you can deploy into AWS, another cloud provider, or on-prem.
  • The connector forwards the collected data to the OpenTelemetry connector of an AxoRouter instance. This AxoRouter can be deployed within AWS, another cloud provider, or on-prem.
  • Configure a Flow on Axoflow Console that processes and routes the collected data to your destination (for example, Splunk or another SIEM).

Prerequisites

  • An AWS account with an active subscription.
  • A virtual machine or Kubernetes node running to deploy Axoflow Cloud Connector on.
  • An AxoRouter instance that can receive data from the connector. Verify that it has an OpenTelemetry Connector (it’s enabled by default).

  • You know the IP address the AxoRouter. To find it:

    1. Open the Axoflow Console.
    2. Select the Hosts or the Topology page.
    3. Click on AxoRouter instance that is going to receive the logs.
    4. Check the Networks > Address field.
  • The Axoflow Cloud Connector must be able to access the AxoRouter on the port the OpenTelemetry Connector is listening on (by default, port 4317). Depending on where the Axoflow Cloud Connector and AxoRouter are deployed, you might need to adjust firewall and ingress/egress rules in your environment.
  • Depending on how you want to authenticate Axoflow Cloud Connector, you’ll need an AWS_PROFILE or AWS access keys.

Steps

To collect data from AWS CloudWatch, complete the following steps.

  1. Deploy an Axoflow Cloud Connector.

    1. Access the Kubernetes node or virtual machine where you want to deploy Axoflow Cloud Connector.

    2. Set the following environment variable to the IP address of the AxoRouter where you want to forward the data from CloudWatch. This IP address must be accessible from the connector. You can find the IP address of AxoRouter on the Hosts > AxoRouter > Overview page.

      export AXOROUTER_ENDPOINT=<AxoRouter-IP-address>

    3. (Optional) By default, the connector stores positional and other persistence-related data in the /etc/axoflow-otel-collector/storage directory. In case you want to use a different directory, set the STORAGE_DIRECTORY environment variable.

    4. Configure the authentication that the Axoflow Cloud Connector will use to access CloudWatch. Set the environment variables for the authentication method you want to use.

      • AWS Profile with a configuration file: Set the region and the AWS_PROFILE

        export AWS_PROFILE=""
export AWS_REGION=""

      • AWS Credentials: To use AWS access keys, set an access key and a matching secret.

        export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
export AWS_REGION=""

      • EC2 instance profile:

        export AWS_REGION=""

    5. Deploy the Axoflow Cloud Connector. The exact command depends on the authentication method:

      • AWS Profile with a configuration file: Set the region and the AWS_PROFILE

        docker run --rm \
-e AWS_PROFILE="${AWS_PROFILE}" \
-e AWS_REGION="${AWS_REGION}" \
-e AWS_SDK_LOAD_CONFIG=1 \
-e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
-e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
-v "${HOME}/.aws:/cloudconnectors/.aws:ro" \
ghcr.io/axoflow/axocloudconnectors:latest

      • AWS Credentials: To use AWS access keys, set an access key and a matching secret.

        docker run --rm \
-e AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
-e AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
-e AWS_REGION="${AWS_REGION}" \
-e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
-e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
ghcr.io/axoflow/axocloudconnectors:latest

      • EC2 instance profile:

        docker run --rm \
-e AWS_REGION="${AWS_REGION}" \
-e AXOROUTER_ENDPOINT="${AXOROUTER_ENDPOINT}" \
-e STORAGE_DIRECTORY="${STORAGE_DIRECTORY}" \
ghcr.io/axoflow/axocloudconnectors:latest

      The Axoflow Cloud Connector starts forwarding logs to the AxoRouter instance.

  2. Add the appliance to Axoflow Console.

    1. Open the Axoflow Console and select Topology.
    2. Select + > Source.
    3. Select AWS CloudWatch.
    4. Enter the IP address and the FQDN of the Axoflow Cloud Connector instance.
    5. Select Create.

  3. Create a Flow to route the data from the AxoRouter instance to a destination. You can use the Labels of this source to select messages from this source.

Labels

Axoflow automatically adds the following labels to data collected from this source:

label value
vendor amazon
product aws-cloudwatch
format otlp

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype index
aws:cloudwatchlogs aws-activity