diff --git a/cid-redirects.json b/cid-redirects.json index e2c7bc62c8..0281d35083 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -3019,6 +3019,7 @@ "/cid/1152": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/dropbox-source/", "/cid/1155": "/docs/manage/data-masking/", "/cid/1153": "/docs/send-data/opentelemetry-collector/install-collector/docker", + "/cid/1170": "/docs/integrations/amazon-aws/amazon-overview", "/cid/1154": "/docs/send-data/hosted-collectors/krutrim-object-storage", "/cid/1156": "/docs/send-data/opentelemetry-collector/data-source-configurations/windows-active-directory-inventory", "/release-notes-collector/2026/04/11/hosted/": "/release-notes-collector/2026/05/11/hosted/", diff --git a/docs/integrations/amazon-aws/amazon-overview.md b/docs/integrations/amazon-aws/amazon-overview.md new file mode 100644 index 0000000000..f011055d8b --- /dev/null +++ b/docs/integrations/amazon-aws/amazon-overview.md 
@@ -0,0 +1,80 @@ +--- +id: amazon-overview +title: Amazon Overview +description: The Sumo Logic app for Amazon Overview provides a unified view of your AWS infrastructure with key metrics and logs from multiple AWS services in a single dashboard. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +Amazon Overview icon + +**Amazon Overview** + +[Amazon Web Services (AWS)](https://aws.amazon.com/) provides secure, scalable cloud computing services and solutions. The Sumo Logic app for Amazon Overview gives you a unified view of your entire AWS infrastructure by aggregating key metrics and logs from multiple AWS services into consolidated dashboards. + +The Sumo Logic Amazon Overview app dashboards provide visibility into your overall AWS environment: +* Monitor activity across all AWS services, including resource activity and geographic distribution of incoming requests. +* Track performance metrics for Application Load Balancer (ALB), Classic Load Balancer (ELB), and Network Load Balancer (NLB), including requests served, errors, healthy/unhealthy hosts, and TLS negotiation errors. +* View EC2 CPU utilization and free memory metrics. +* Monitor RDS CPU utilization and freeable memory. +* Track ElastiCache CPU utilization and freeable memory. +* View Lambda invocations and errors. +* Monitor DynamoDB requests by table and errors. +* Track API Gateway requests by API name and errors. +* Monitor SNS notifications delivered and failed. +* Track SQS messages received and empty receives. +* View ECS average CPU and memory utilization. + +## Installing the Amazon Overview app + +To install the app: + +1. Select **App Catalog**. +1. In the 🔎 **Search Apps** field, run a search for your desired app, then select it. +1. Click **Install App**. + :::note + Sometimes this button says **Add Integration**. + ::: +1. Click **Next**. +1. Look for the dialog confirming that your app was installed successfully.
App success dialog + +**Post-installation** + +Once your app is installed, it will appear in your **Personal** folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps. + +## Viewing the Amazon Overview dashboards + +The Sumo Logic app for Amazon Overview provides preconfigured dashboards that give you a unified view of your AWS infrastructure. These dashboards aggregate key metrics and logs from multiple AWS services, helping you monitor performance, track resource utilization, and identify issues across your entire AWS environment. + +### AWS Account Overview + +The **Amazon Overview - AWS Account Overview** dashboard provides a comprehensive view of your AWS account activity and resource performance across all services. + +Use this dashboard to: +* Get a high-level view of your entire AWS infrastructure from a single dashboard. +* Monitor incoming activity locations and AWS resource activity. +* Track load balancer performance, including requests served, errors, and active connections across ALB, ELB, and NLB. +* Monitor compute resource utilization for EC2, ECS, and Lambda. +* View database performance metrics for RDS, DynamoDB, and ElastiCache. +* Track messaging service health for SNS and SQS. +* Monitor API Gateway requests and errors. + +Amazon Overview - AWS Account Overview + +### AWS Region Overview + +The **Amazon Overview - AWS Region Overview** dashboard provides detailed information about your AWS infrastructure filtered by region. + +Use this dashboard to: +* View AWS resource activity and performance metrics for a specific region. +* Compare service performance across different regions. 
+* Identify region-specific issues with load balancers, compute, databases, or messaging services. +* Monitor regional resource utilization trends. + +Amazon Overview - AWS Region Overview + +## Uninstalling the Amazon Overview app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/amazon-aws/api-gateway.md b/docs/integrations/amazon-aws/api-gateway.md index 1baf8144c5..44ec92c5fe 100644 --- a/docs/integrations/amazon-aws/api-gateway.md +++ b/docs/integrations/amazon-aws/api-gateway.md @@ -1,6 +1,7 @@ --- id: api-gateway title: AWS API Gateway +sidebar_label: AWS API Gateway description: Amazon API Gateway service allows you to create RESTful APIs, HTTP APIs, and WebSocket APIs for real-time two-way communication applications in containerized and serverless environments, as well as web applications. --- @@ -161,87 +162,6 @@ account=dev region=us-east-1 namespace=aws/apigateway apiname=* apiid stage doma ## Collecting logs and metrics for AWS API Gateway -### Fields in field schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the below fields: - * `apiname` - * `account` - * `namespace` - * `region` - * `accountid` -1. If not present, create it. To learn how to create and manage fields, see [Fields](/docs/manage/fields.md#manage-fields). - -### Field extraction rules - -To learn how to create field extraction rules, [Create a Field Extraction Rules](/docs/manage/field-extractions/create-field-extraction-rule). - -Create a field extraction rule for cloudTrail logs: - -```sumo -Rule Name: AwsObservabilityApiGatewayCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): -account=* eventname eventsource "apigateway.amazonaws.com" -Parse Expression: -| json "eventSource", "awsRegion", "responseElements", "recipientAccountId" as eventSource, region, responseElements, accountid nodrop -| where eventSource = "apigateway.amazonaws.com" -| "aws/apigateway" as namespace -| json field=responseElements "name" as ApiName nodrop -| tolowercase(ApiName) as apiname -| fields region, namespace, apiname, accountid -``` - -Create a field extraction rule for access logs: - -```sumo -Rule Name: AwsObservabilityApiGatewayAccessLogsFER -Applied at: Ingest Time -Scope (Specific Data): -account=* region=* apiId domainName stage requestId status -Parse Expression: -json "apiId", "domainName", "stage" as apiId, domainName, stage -| "aws/apigateway" as namespace -| apiId as apiName -| fields apiName, namespace, apiId -``` - -Create/Update field extraction rule(s) for cloudwatch logs: - -```sumo -Rule Name: AwsObservabilityGenericCloudWatchLogsFER -Applied at: Ingest Time -Scope (Specific Data): -account=* region=* (_sourceHost=/aws/* or _sourceHost=API*Gateway*Execution*Logs*) -Parse Expression: -if (isEmpty(namespace),"unknown",namespace) as namespace -| if (_sourceHost matches "/aws/lambda/*", "aws/lambda", namespace) as namespace -| if (_sourceHost matches 
"/aws/rds/*", "aws/rds", namespace) as namespace -| if (_sourceHost matches "/aws/ecs/containerinsights/*", "aws/ecs", namespace) as namespace -| if (_sourceHost matches "/aws/kinesisfirehose/*", "aws/firehose", namespace) as namespace -| if (_sourceHost matches "/aws/apigateway/*", "aws/apigateway", namespace) as namespace -| if (_sourceHost matches "API-Gateway-Execution-Logs*", "aws/apigateway", namespace) as namespace -| parse field=_sourceHost "/aws/lambda/*" as functionname nodrop | tolowercase(functionname) as functionname -| parse field=_sourceHost "/aws/rds/*/*/" as f1, dbidentifier nodrop -| parse field=_sourceHost "/aws/apigateway/*/*" as apiid, stage nodrop -| parse field=_sourceHost "API-Gateway-Execution-Logs_*/*" as apiid, stage nodrop -| apiid as apiName -| tolowercase(dbidentifier) as dbidentifier -| fields namespace, functionname, dbidentifier, apiid, apiName -``` - -### Metrics rules - -Create the following metrics rule for the AWS API Gateway app, if not already created. To learn how to create a metrics rule, see [Metrics Rules Editor](/docs/metrics/metric-rules-editor#create-a-metrics-rule). - -```sql -Rule name: AwsObservabilityApiGatewayApiNameMetricsEntityRule -Metric match expression: Namespace=AWS/ApiGateway apiid=* -Variable name: apiname -Tag sequence: $apiid._1 -Save it -``` - ### Configure Hosted Collector In Sumo Logic, configure a [Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector/). 
@@ -565,10 +485,31 @@ Enter a parse expression to create an `account` field that maps to the alias you Now that you have set up a collection for the **AWS API gateway**, install the Sumo Logic app to use the pre-configured dashboards that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall from '../../reuse/apps/app-install-v2.md'; +As part of the app installation process, the following fields will be created by default: + +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for AWS API Gateway Service is AWS/ApiGateway. +- `apiname` API Gateway API name. +- `apiid` API Gateway API id. + +### Field Extraction Rule(s) + +The FER **AwsObservabilityAPIGatewayCloudTrailLogsFER** to extract fields `accountid`, `namespace`, `region`, and `apiname` from CloudTrail logs will be created as a part of app installation. + +The FER **AwsObservabilityAPIGatewayAccessLogsFER** to extract fields `namespace`, `apiid`, and `apiname` from access logs will be created as a part of app installation. + +The FER **AwsObservabilityAPIGatewayCloudWatchLogsFER** to extract fields `namespace`, `apiid`, and `apiname` from CloudWatch logs will be created as a part of app installation. + +### Metric Rule(s) + +The Metric Rule **AwsObservabilityAPIGatewayMetricsRule** for the AWS/ApiGateway namespace will be created as a part of app installation. + ## Viewing AWS API Gateway dashboards import FilterDashboards from '../../reuse/filter-dashboards.md'; 
@@ -715,3 +656,35 @@ Use these dashboards to: #### AWS API Gateway - Enhanced Monitoring (WebSocket API) Enhanced Monitoring (WebSocket API) + +## Create monitors for AWS API Gateway app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS API Gateway alerts + +| Name | Description | Alert Condition | Recover Condition | +|:-----|:------------|:----------------|:--| +| `AWS API Gateway - High Server-Side Errors` | This alert fires where there are too many API requests (>5%) with server-side errors within 5 minutes. | Count > = 0.05 | Count < 0.05 | +| `AWS API Gateway - High Client-Side Errors` | This alert fires where there are too many API requests (>5%) with client-side errors within 5 minutes. | Count > = 0.05 | Count < 0.05 | +| `AWS API Gateway - High Integration Latency` | This alert fires when we detect the high integration latency for the API requests in a stage within 5 minutes. | Count > = 2000 | Count < 2000 | +| `AWS API Gateway - High Latency` | This alert fires when we detect the high latency in a stage within 5 minutes for REST and HTTP API. | Count > = 2500 | Count < 2500 | +| `AWS API Gateway - Low Traffic API` | This alert fires when there is low message traffic volume for the API within 5 minutes. | Count < = 1 | Count > 1 | +| `AWS API Gateway - High Authorizer Errors` | This alert fires when there are too many API requests (>5%) with authorizer errors within 5 minutes. | Count > 5 | Count < = 5 | +| `AWS API Gateway - High Integration Errors` | This alert fires when there are too many API requests (>5%) with integration errors within 5 minutes. | Count > 5 | Count < = 5 | +| `AWS API Gateway - High WAF Errors` | This alert fires when there are too many API requests (>5%) with WAF errors within 5 minutes. | Count > 5 | Count < = 5 | +| `AWS API Gateway - High WAF Latency` | This alert fires when we detect the high WAF latency for the REST and WebSocket API requests in a stage within 5 minutes. 
| Count > 1000 | Count < = 1000 | + +## Upgrade/Downgrade the AWS API Gateway app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS API Gateway app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/amazon-aws/application-load-balancer.md b/docs/integrations/amazon-aws/application-load-balancer.md index 02e999a555..b69b77c74b 100644 --- a/docs/integrations/amazon-aws/application-load-balancer.md +++ b/docs/integrations/amazon-aws/application-load-balancer.md @@ -1,6 +1,7 @@ --- id: application-load-balancer title: AWS Application Load Balancer +sidebar_label: AWS Application Load Balancer description: The Sumo Logic app for AWS Elastic Load Balancing ULM - Application is a unified logs and metrics (ULM) app that gives you visibility into the health of your Application Load Balancer and target groups. --- @@ -109,60 +110,32 @@ Before you begin to use the AWS Elastic Load Balancing (ELB) Application app, co Namespace for AWS Application Load Balancer Service is AWS/ApplicationELB. ::: -## Field in field schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the `loadbalancer` field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields.md#manage-fields). - -## Field Extraction Rule(s) - -Create Field Extraction Rule (FER) for AWS Application Load Balancer access logs and Cloudtrail logs. Learn how to create a Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule). - -**AWS Application Load Balancer access logs** - -```sql -Rule Name: AwsObservabilityAlbAccessLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* region=* (http or https or h2 or grpcs or ws or wss) -``` +## Installing the AWS Application Load Balancer app -```sumo title="Parse Expression" -parse "* * * * * * * * * * * * \"*\" \"*\" * * * \"*\"" as Type, DateTime, loadbalancer, Client, Target, RequestProcessingTime, TargetProcessingTime, ResponseProcessingTime, ElbStatusCode, TargetStatusCode, ReceivedBytes, SentBytes, Request, UserAgent, SslCipher, SslProtocol, TargetGroupArn, TraceId | tolowercase(loadbalancer) as loadbalancer | fields loadbalancer -``` +Now that you have set up collection for AWS Application Load Balancer, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. 
-**AWS Application Load Balancer CloudTrail logs** +import AppInstall from '../../reuse/apps/app-install-index-apps-v2.md'; -```sql -Rule Name: AwsObservabilityALBCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.amazonaws.com" "2015-12-01" -``` + -```sumo title="Parse Expression" -json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop -| where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01" -| "" as namespace -| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, loadbalancer1, f1 nodrop -| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, loadbalancer2, f1, f2 nodrop -| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace -| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace -| where namespace="aws/applicationelb" or isEmpty(namespace) -| if (!isEmpty(loadbalancer), loadbalancer, if (!isEmpty(loadbalancer1), loadbalancer1, loadbalancer2)) as loadbalancer -| toLowerCase(loadbalancer) as loadbalancer -| fields region, namespace, loadbalancer, accountid -``` +As part of the app installation process, the following fields will be created by default: -## Installing the AWS Application Load Balancer app +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. 
+- `namespace` Namespace for AWS Application Load Balancer Service is AWS/ApplicationELB. +- `loadbalancer` Application Load Balancer name. -Now that you have set up collection for AWS Application Load Balancer, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. +## Field Extraction Rule(s) -import AppInstallNoDataSourceV2 from '../../reuse/apps/app-install-index-apps-v2.md'; +The FER **AwsObservabilityALBAccessLogsFER** to extract fields `loadbalancer` and `namespace` from access logs will be created as a part of app installation. - +The FER **AwsObservabilityALBCloudTrailLogsFER** to extract fields `accountid`, `namespace`, `region`, and `loadbalancer` from CloudTrail logs will be created as a part of app installation. ## Viewing AWS Application Load Balancer dashboards +We highly recommend you view these dashboards in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability) of the AWS Observability solution. + ### Overview The **AWS Application Load Balancer - Overview** dashboard provides visibility into the health of your Application Load Balancer and target groups, with at-a-glance views of latency, request and host status, requests from malicious sources, and HTTP backend codes. @@ -173,7 +146,7 @@ Use this dashboard to: * Monitor trends for load balancers errors, 4XX, and 5XX errors, as well as healthy and unhealthy hosts. * Monitor the current state across all load balancers through active connections, new connections, target connection errors, and rejected connections. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - Overview ### Response Analysis 
@@ -183,7 +156,7 @@ Use this dashboard to: * Monitor incoming client locations for all 5XX, 4XX, and 3XX error responses. * Quickly correlate error responses using load balancer access logs and AWS CloudWatch metrics to determine the possible cause for failures and decide corrective actions. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - Response Analysis ### Target Group Response Analysis @@ -193,7 +166,7 @@ Use this dashboard to: * Monitor trends of all response codes for your target groups by LoadBalancer, Target Group, and availability zones. * Correlate response code trends across load balancer access logs and CloudWatch metrics to determine the root cause for failures. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - Target Group Response Analysis ### Latency Overview @@ -203,7 +176,7 @@ Use this dashboard to: * Monitor response times by load balancer, target group, and availability zone. * Monitor client latency and processing times for target groups. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - Latency Overview ### Latency Details @@ -212,7 +185,7 @@ The **AWS Application Load Balancer - Latency Details** dashboard provides insig Use this dashboard to: * Troubleshoot load balancer performance through detailed views across client, request processing, and response time latencies. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - Latency Details ### Connection and Host Status @@ -222,7 +195,7 @@ Use this dashboard to: * Monitor active connections, new connections, rejected connections, and connection errors for the load balancer. * Monitor healthy and unhealthy host counts by the load balancer, target group, and availability zone across your infrastructure. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - Connections and Host Status ### Requests and Processed Bytes 
@@ -232,7 +205,7 @@ Use this dashboard to: * Monitor client request load, network traffic, and processed bytes to determine how to best configure load balancers for optimal performance. * Determine how to best allocate backend resources and target groups based on load. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - Requests and Processed Bytes ### Threat Intel @@ -242,7 +215,7 @@ Use this dashboard to: * Identify known malicious IPs that access your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward. * Monitor the malicious confidence level for all incoming malicious IP addresses the threats. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - Threat Intel ### CloudTrail Audit 
@@ -254,4 +227,34 @@ Use this dashboard to: * Investigate specific error events, including their details, frequency, and associated users, enabling faster troubleshooting and resolution of issues. * Identify the most common error types and the users experiencing the highest failure rates, facilitating targeted improvements and user support. -AWS Application Load Balancer dashboard +AWS Application Load Balancer - CloudTrail Audit + +## Create monitors for AWS Application Load Balancer app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS Application Load Balancer alerts + +| Name | Description | Alert Condition | Recover Condition | +|:----------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------|:--| +| `AWS Application Load Balancer - Access from Highly Malicious Sources` | This alert fires when an application load balancer is accessed from highly malicious IP addresses within last 5 minutes. | Count > 0 | Count < = 0 | +| `AWS Application Load Balancer - Deletion Alert` | This alert fires when an application load balancer is deleted within last 5 minutes. | Count > = 2 | Count < 2 | +| `AWS Application Load Balancer - High 4XX Errors` | This alert fires when there are too many HTTP requests (>5%) with a response status of 4xx within an interval of 5 minutes. | Count > = 5 | Count < 5 | +| `AWS Application Load Balancer - High 5XX Errors` | This alert fires when there are too many HTTP requests (>5%) with a response status of 5xx within an interval of 5 minutes. | Count > = 5 | Count < 5 | +| `AWS Application Load Balancer - High Latency` | This alert fires when we detect that the average latency for a given application load balancer within a time interval of 5 minutes is greater than or equal to three seconds. 
| Count > = 3000 | Count < 3000 | +| `AWS Application Load Balancer - Targets Deregistered` | This alert fires when targets are deregistered from an application load balancer within last 5 minutes. | Count > = 1 | Count < 1 | +| `AWS Application Load Balancer - High Unhealthy Host Count` | This alert fires when we detect that the number of unhealthy hosts for a given Application load balancer within a time interval of 5 minutes is greater than or equal to one. | Count > = 1 | Count < 1 | + +## Upgrade/Downgrade the AWS Application Load Balancer app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS Application Load Balancer app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/amazon-aws/classic-load-balancer.md b/docs/integrations/amazon-aws/classic-load-balancer.md index 37ec08d87b..5f1d269a9a 100644 --- a/docs/integrations/amazon-aws/classic-load-balancer.md +++ b/docs/integrations/amazon-aws/classic-load-balancer.md @@ -1,6 +1,7 @@ --- id: classic-load-balancer title: AWS Classic Load Balancer +sidebar_label: AWS Classic Load Balancer description: The Sumo Logic app for AWS Elastic Load Balancing Classic is a unified logs and metrics (ULM) app which helps you monitor the classic load balancer. --- @@ -111,55 +112,27 @@ Before you can begin to use the AWS Classic Load Balancing (ELB) App, complete t Namespace for **AWS Classic Load Balancer** Service is **AWS/ELB**. ::: -## Field in field schema +## Installing the AWS Classic Load Balancer app -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the **loadbalancername** field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields#manage-fields). - -## Field Extraction Rule(s) - -Create a Field Extraction Rule for AWS Classic Load Balancer access logs and Cloudtrail logs. Learn how to create Field Extraction Rules [here](/docs/manage/field-extractions/create-field-extraction-rule). - -**AWS Classic Load Balancer access logs** - -```sql -Rule Name: AwsObservabilityElbAccessLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* region=* _sourceCategory=aws/observability/clb/logs -``` -```sumo title="Parse Expression" -| parse "* * * * * * * * * * * \"*\" \"*\" * *" as datetime, loadbalancername, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol -| parse regex field=datetime "(?\d{0,4}-\d{0,2}-\d{0,2}T\d{0,2}:\d{0,2}:\d{0,2}\.\d+Z)" -| where !isBlank(loadbalancername) and !isBlank(datetimevalue) -| "aws/elb" as namespace -| tolowercase(loadbalancername) as loadbalancername -| fields loadbalancername, namespace -``` +Now that you have set up a collection for AWS Classic Load Balancer, install the Sumo Logic app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. 
-**AWS Classic Load Balancer CloudTrail Logs** +import AppInstall from '../../reuse/apps/app-install-v2.md'; -```sql -Rule Name: AwsObservabilityCLBCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.amazonaws.com" "2012-06-01" -``` + -```sumo title="Parse Expression" -json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.loadBalancerName" as event_source, region, accountid, loadbalancername nodrop -| where event_source = "elasticloadbalancing.amazonaws.com" -| toLowerCase(loadbalancername) as loadbalancername -| "aws/elb" as namespace -| fields region, namespace, loadbalancername, accountid -``` +As part of the app installation process, the following fields will be created by default: -## Install the AWS Classic Load Balancer app +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for AWS Classic Load Balancer Service is AWS/ELB. +- `loadbalancername` Classic Load Balancer name. -Now that you have set up a collection for AWS Classic Load Balancer, install the Sumo Logic app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. +## Field Extraction Rule(s) -import AppInstall from '../../reuse/apps/app-install.md'; +The FER **AwsObservabilityCLBAccessLogsFER** to extract fields `loadbalancername` and `namespace` from access logs will be created as a part of app installation. - +The FER **AwsObservabilityCLBCloudTrailLogsFER** to extract fields `region`, `namespace`, `loadbalancername`, and `accountid` from CloudTrail logs will be created as a part of app installation. ## Viewing the AWS Classic Load Balancer dashboards 
@@ -172,7 +145,7 @@ Use this dashboard to: * Monitor trends for load balancers errors, 4xx and 5xx errors, as well as healthy and unhealthy hosts. * Monitor the current state across all load balancers via active connections, new connections, backend connection errors, and rejected connections. -AWS Elastic Load Balancer Classic +AWS Classic Load Balancer - Overview ### Response Analysis @@ -183,7 +156,7 @@ Use this dashboard to: * Monitor incoming client locations for all 5XX, 4XX, and 3XX error responses. * Quickly correlate error responses using load balancer access logs and AWS CloudWatch metrics to determine the possible cause for failures and decide corrective actions. -AWS Elastic Load Balancer Classic +AWS Classic Load Balancer - Response Analysis ### Backend Response Analysis @@ -194,7 +167,7 @@ Use this dashboard to: * Monitor trends of all response codes for your backend servers by LoadBalancer and availability zones. * Correlate response code trends across load balancer access logs and CloudWatch metrics to determine the root cause for failures. -AWS Elastic Load Balancer Classic +AWS Classic Load Balancer - Backend Response Analysis ### Latency Overview @@ -204,7 +177,7 @@ Use this dashboard to: * Monitor response times by load balancer, and availability zone. * Monitor client latency and processing times for backend servers. -AWS Elastic Load Balancer Classic +AWS Classic Load Balancer - Latency Overview ### Latency Details @@ -213,7 +186,7 @@ The **The AWS Classic Load Balancer - Latency Details** dashboard provides insig Use this dashboard to troubleshoot load balancer performance via detailed views across client, request processing, and response time latencies. -AWS Elastic Load Balancer Classic +AWS Classic Load Balancer - Latency Details ### Connection and Host Status 
@@ -223,7 +196,7 @@ Use this dashboard to: * Monitor active connections, new connections, rejected connections, and connection errors for load balancers. * Monitor healthy and unhealthy host counts by the load balancer and availability zone across your infrastructure. -AWS Elastic Load Balancer Classic +AWS Classic Load Balancer - Connections and Host Status ### Requests and Processed Bytes @@ -233,7 +206,7 @@ Use this dashboard to: * Monitor client request load, network traffic, and processed bytes to determine how to configure load balancers for optimal performance best. * Determine how to allocate best backend resources based on load. -AWS Elastic Load Balancer Classic +AWS Classic Load Balancer - Requests and Processed Bytes ### Threat Intel @@ -243,7 +216,7 @@ Use this dashboard to: * Identify known malicious IPs that are accessing your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward. * Monitor malicious confidence level for all incoming malicious IP addresses posing the threats. -AWS Elastic Load Balancer Classic +AWS Classic Load Balancer - Threat Intel ### CloudTrail Audit 
@@ -255,4 +228,35 @@ Use this dashboard to: * Investigate specific error events, including their details, frequency, and associated users, enabling faster troubleshooting and resolution of issues. * Identify the most common error types and the users experiencing highest failure rates, facilitating targeted improvements and user support. -AWS Elastic Load Balancer Classic \ No newline at end of file +AWS Classic Load Balancer - CloudTrail Audit + +## Create monitors for AWS Classic Load Balancer app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS Classic Load Balancer alerts + +| Name | Description | Alert Condition | Recover Condition | +|:-----|:------------|:----------------|:--| +| `AWS Classic Load Balancer - Access from Highly Malicious Sources` | This alert fires when the classic load balancer is accessed from highly malicious IP addresses within last 5 minutes. | Count > 0 | Count < = 0 | +| `AWS Classic Load Balancer - Deletion Alert` | This alert fires when we detect greater than or equal to 2 application load balancers are deleted over a 5 minute time-period. | Count > = 2 | Count < 2 | +| `AWS Classic Load Balancer - High 4XX Errors` | This alert fires when there are too many HTTP requests (>5%) with a response status of 4xx within an interval of 5 minutes. | Count > = 5 | Count < 5 | +| `AWS Classic Load Balancer - High 5XX Errors` | This alert fires when there are too many HTTP requests (>5%) with a response status of 5xx within an interval of 5 minutes. | Count > = 5 | Count < 5 | +| `AWS Classic Load Balancer - High Latency` | This alert fires when we detect that the average latency for a given classic load balancer within a time interval of 5 minutes is greater than or equal to three seconds. | Count > = 3000 | Count < 3000 | +| `AWS Classic Load Balancer - Targets Deregistered` | This alert fires when we detect greater than or equal to 1 target is de-registered over a 5 minute time-period. 
| Count > = 1 | Count < 1 | +| `AWS Classic Load Balancer - Spillover Count` | This alert fires when a Classic load balancer spillover count is greater than 0 within a 5 minute interval, indicating that the surge queue is full and new connections are being rejected. | Count > 0 | Count < = 0 | +| `AWS Classic Load Balancer - High Unhealthy Host Count` | This alert fires when the unhealthy host percentage for a Classic load balancer is greater than or equal to 50% within a 5 minute interval. | Count > = 50 | Count < 50 | + +## Upgrade/Downgrade the AWS Classic Load Balancer app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS Classic Load Balancer app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/amazon-aws/dynamodb.md b/docs/integrations/amazon-aws/dynamodb.md index 317ff60932..f2df1da192 100644 --- a/docs/integrations/amazon-aws/dynamodb.md +++ b/docs/integrations/amazon-aws/dynamodb.md @@ -1,6 +1,7 @@ --- id: dynamodb title: Amazon DynamoDB +sidebar_label: Amazon DynamoDB description: The Sumo Logic app for DynamoDB provides operational insight into your database environment and Dashboards displaying the events, errors, latency, and capacity of your DynamoDB environment. --- @@ -107,31 +108,6 @@ Namespace for **Amazon DynamoDB** Service is **AWS/DynamoDB**. 2. Click **Save**. -### Field in Field Schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the “**tablename**” field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields.md#manage-fields). - - -### Field Extraction Rule(s) - -Create Field Extraction Rule for CloudTrail Logs. Learn how to create Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule). - -```sql -Rule Name: AwsObservabilityDynamoDBCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): -account=* eventname eventsource "dynamodb.amazonaws.com" -Parse Expression: -| json "eventSource", "awsRegion", "requestParameters.tableName", "recipientAccountId" as eventSource, region, tablename, accountid nodrop -| where eventSource = "dynamodb.amazonaws.com" -| "aws/dynamodb" as namespace -| tolowercase(tablename) as tablename -| fields region, namespace, tablename, accountid -``` - - ### Centralized AWS CloudTrail Log Collection In case you have a centralized collection of CloudTraillogs and are ingesting them from all accounts into a single Sumo Logic CloudTraillog source, create following Field Extraction Rule to map proper AWS account(s) friendly name/alias. Create it if not already present / update it as required. 
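Review bot: In the alerts table added by the `@@ -255,4 +228,35 @@` hunk of the Classic Load Balancer page, the `AWS Classic Load Balancer - Deletion Alert` row says "2 application load balancers are deleted", which reads as copied from the Application Load Balancer page and should name classic load balancers. In the same table the `High 4XX Errors` and `High 5XX Errors` rows describe the threshold as ">5%" while the alert condition is "Count > = 5" and the recover condition is "Count < 5", so description and condition disagree at exactly 5%. Make the description say ">=5%" or change the condition, and write the operators without the inner space ("Count >= 5"), as the EC2 table in this patch does.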
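Review bot: After the `@@ -107,31 +108,6 @@` removal in dynamodb.md, the page no longer shows the scope or parse expression of `AwsObservabilityDynamoDBCloudTrailLogsFER`, so a reader cannot check what the rule matches, for example that it only applies to `dynamodb.amazonaws.com` events and lowercases `tablename`. Consider keeping the expression as reference material under the new "Field Extraction Rule(s)" text, and state what happens on install when a rule with this name was already created by hand from the old instructions. The trailing context line also has "CloudTraillogs" and "CloudTraillog" run together, which is worth fixing while this section is open.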
@@ -158,10 +134,21 @@ Enter a parse expression to create an “account” field that maps to the alias Now that you have set up a collection for **Amazon DynamoDB**, install the Sumo Logic app to use the pre-configured [dashboards](#viewing-amazon-dynamodb-dashboards) that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall from '../../reuse/apps/app-install-v2.md'; +As part of the app installation process, the following fields will be created by default: + +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for Amazon DynamoDB Service is AWS/DynamoDB. +- `tablename` DynamoDB table name. + +### Field Extraction Rule(s) + +The FER **AwsObservabilityDynamoDBCloudTrailLogsFER** to extract fields `region`, `namespace`, `tablename`, and `accountid` will be created as a part of app installation. ## Viewing Amazon DynamoDB dashboards @@ -178,7 +165,7 @@ Use this dashboard to: * Monitor average read and write capacity percentages for DynamoDB instances * Quickly identify system errors, user errors, transaction conflicts, and conditional check fail requests for DynamoDB Monitor overall resource utilization of your DynamoDB instances -Amazon DynamoDB +AWS DynamoDB - Overview ### Capacity Planning @@ -190,7 +177,7 @@ Use this dashboard to: * Monitor AWS account level maximum allocations across reading and writing capacities. * Monitor resource utilization using trend panels for reading and write capacity, throttled read and write requests, as well as read and write throttle events for DynamoDB throughout your infrastructure. -Amazon DynamoDB +AWS DynamoDB - Capacity Planning ### Latency and Errors 
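Review bot: In the field list added by the `@@ -158,10 +134,21 @@` hunk, `namespace` is documented as "AWS/DynamoDB", but the field extraction rule removed earlier in this file assigned `"aws/dynamodb" as namespace`. State the value the field holds after installation so that queries written from this page match what is indexed. Two smaller points in the same list: the `region` entry says "to which the resource name belongs to" with a duplicated "to", and each entry would read better with a separator between the field name and its description.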
@@ -201,7 +188,7 @@ Use this dashboard to: * Quickly identify the number of conditional checks that fail, and transaction conflicts for DynamoDB * Monitor resource utilization using trend panels for latencies and errors for DynamoDB -Amazon DynamoDB +AWS DynamoDB - Latency and Errors ### Events @@ -212,7 +199,7 @@ Use this dashboard to: * Monitor DynamoDB activities and ensure they are in line with expectations. * Monitor different types of table events, such as create, update, and describe tables. * Quickly identify the top DynamoDB related errors -Amazon DynamoDB +AWS DynamoDB - Events ### Threat Intel 
@@ -222,4 +209,36 @@ Use this dashboard to: * Identify malicious IPs performing operations on DynamoDB tables using Sumo Logic Threat Intel. -Amazon DynamoDB \ No newline at end of file +AWS DynamoDB - Threat Intel + +## Create monitors for Amazon DynamoDB app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Amazon DynamoDB alerts + +| Name | Description | Alert Condition | Recover Condition | +|:-----|:------------|:----------------|:--| +| `AWS DynamoDB - High Account Provisioned Read Capacity` | This alert fires when we detect that the average read capacity provisioned for an account for a time interval of 5 minutes is greater than or equal to 80%. | Count > = 80 | Count < 80 | +| `AWS DynamoDB - High Account Provisioned Write Capacity` | This alert fires when we detect that the average write capacity provisioned for an account for a time interval of 5 minutes is greater than or equal to 80%. | Count > = 80 | Count < 80 | +| `AWS DynamoDB - High Max Provisioned Table Read Capacity` | This alert fires when we detect that the average percentage of read provisioned capacity used by the highest read provisioned table of an account for a time interval of 5 minutes is greater than or equal to 80%. | Count > = 80 | Count < 80 | +| `AWS DynamoDB - High Max Provisioned Table Write Capacity` | This alert fires when we detect that the average percentage of write provisioned capacity used by the highest write provisioned table of an account for a time interval of 5 minutes is greater than or equal to 80%. | Count > = 80 | Count < 80 | +| `AWS DynamoDB - High Read Throttle` | This alert fires when we detect that the total read throttle events for a DynamoDB table is high (>5) for a time interval of 5 minutes. | Count > 5 | Count < = 5 | +| `AWS DynamoDB - High Write Throttle` | This alert fires when we detect that the total write throttle events for a DynamoDB table is high (>5) for a time interval of 5 minutes. 
| Count > 5 | Count < = 5 | +| `AWS DynamoDB - Multiple Tables deleted` | This alert fires when five or more tables are deleted within 15 minutes. | Count > = 5 | Count < 5 | +| `AWS DynamoDB - System Errors` | This alert fires when we detect system errors for a DynamoDB table is high (>10) for a time interval of 5 minutes. | Count > 10 | Count < = 10 | +| `AWS DynamoDB - High Request Latency` | This alert fires when we detect that the average successful request latency for a DynamoDB table is high (>20ms) for a time interval of 5 minutes. High latency indicates potential issues such as hot partitions, oversized items, or degraded table performance. | Count > 20 | Count < = 20 | + +## Upgrade/Downgrade the Amazon DynamoDB app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Amazon DynamoDB app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/amazon-aws/ec2-cloudwatch-metrics.md b/docs/integrations/amazon-aws/ec2-cloudwatch-metrics.md index a25630b8da..194dd5d266 100644 --- a/docs/integrations/amazon-aws/ec2-cloudwatch-metrics.md +++ b/docs/integrations/amazon-aws/ec2-cloudwatch-metrics.md @@ -152,43 +152,6 @@ To configure a CloudTrail Source, perform these steps: 12. **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. 13. Click **Save**. -### Field in Field Schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the “**instanceid**” field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields.md#manage-fields). - - -### CloudTrail Field Extraction Rule - -```sql -Rule Name: AwsObservabilityEC2CloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* eventname eventsource "ec2.amazonaws.com" -``` - - -**Parse Expression** - -```sumo -| json "eventSource", "awsRegion", "requestParameters", "responseElements", "recipientAccountId" as eventSource, region, requestParameters, responseElements, accountid nodrop -| where eventSource = "ec2.amazonaws.com" -| "aws/ec2" as namespace -| json field=requestParameters "instanceType", "instancesSet", "instanceId", "DescribeInstanceCreditSpecificationsRequest.InstanceId.content" as req_instancetype, req_instancesSet, req_instanceid_1, req_instanceid_2 nodrop -| json field=req_instancesSet "item", "items" as req_instancesSet_item, req_instancesSet_items nodrop -| parse regex field=req_instancesSet_item "\"instanceId\":\s*\"(?.*?)\"" nodrop -| parse regex field=req_instancesSet_items "\"instanceId\":\s*\"(?.*?)\"" nodrop -| json field=responseElements "instancesSet.items" as res_responseElements_items nodrop -| parse regex field=res_responseElements_items "\"instanceType\":\s*\"(?.*?)\"" nodrop -| parse regex field=res_responseElements_items "\"instanceId\":\s*\"(?.*?)\"" nodrop -| if (!isBlank(req_instanceid_1), req_instanceid_1, if (!isBlank(req_instanceid_2), req_instanceid_2, if (!isBlank(req_instanceid_3), req_instanceid_3, if (!isBlank(req_instanceid_4), req_instanceid_4, "")))) as req_instanceid -| if (!isBlank(req_instanceid), req_instanceid, res_instanceid) as instanceid -| if (!isBlank(req_instancetype), req_instancetype, res_instancetype) as instanceType -| tolowercase(instanceid) as instanceid -| fields region, namespace, 
accountid, instanceid -``` - - ### Centralized AWS CloudTrail log collection If you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create following Field Extraction Rule to map proper AWS account(s) friendly name / alias. Create it if not already present / update it as required. @@ -219,10 +182,22 @@ Enter a parse expression to create an “account” field that maps to the alias Now that you have set up collection for AWS EC2 metrics install the Sumo Logic app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall from '../../reuse/apps/app-install-v2.md'; +As part of the app installation process, the following fields will be created by default: + +- `account` Name/alias to the AWS account. +- `accountid` AWS account ID. +- `region` The region to which the resource name belongs. +- `namespace` Namespace for EC2 CW Metrics Service. +- `instanceid` EC2 Instance Id. + +### Field Extraction Rule(s) + +The FER **AwsObservabilityEC2CloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `instanceid` will be created as a part of app installation. + ## Viewing AWS EC2 dashboards ### Overview (CloudWatch Metrics) @@ -237,7 +212,7 @@ Use this dashboard to: * Identify count of Status checks * Observe all relevant metrics for CPU, Internal Disk Store, Network utilization per instance type -AWS EC2 Overview (CloudWatch Metrics) dashboard +AWS EC2 Overview (CloudWatch Metrics) dashboard ### Summary (CloudWatch Metrics) 
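Review bot: The field list added by the `@@ -219,10 +182,22 @@` hunk describes `namespace` only as "Namespace for EC2 CW Metrics Service" and never gives its value, whereas the rule removed above in this file set `"aws/ec2" as namespace`. Give the value here, as the DynamoDB page in this patch does for its own namespace entry. Also make the casing consistent within the list ("AWS account ID" next to "EC2 Instance Id"), and add the missing comma in the context sentence "Now that you have set up collection for AWS EC2 metrics install the Sumo Logic app".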
@@ -250,7 +225,7 @@ Use this dashboard to: * Observe Instance Disk Store (Disk Read/Write - Bytes & ops) for EC2 instance. * Monitor Network usage metrics (Network in/out - Byes & packets) for EC2 instance -AWS EC2 Summary (CloudWatch Metrics) dashboard +AWS EC2 Summary (CloudWatch Metrics) dashboard ### Events @@ -263,7 +238,7 @@ Use this dashboard to: * Monitor top IAM Users, Assumed Role Users, and User agents * Monitor distribution of Successful and failed events with the list of latest events. -AWS EC2 - Events (CloudTrail) dashboard +AWS EC2 - Events (CloudTrail) dashboard ### CPU (CloudWatch Metrics) @@ -274,7 +249,7 @@ Use this dashboard to: * Observe CPU Credits metrics (Usage and balance) over time. * Identify CPU Surplus Credits (Charged and Balance) over time. -AWS EC2 CPU (CloudWatch Metrics) dashboard +AWS EC2 CPU (CloudWatch Metrics) dashboard ### EBS (CloudWatch Metrics) @@ -285,7 +260,7 @@ Use this dashboard to: * Monitor EBS read and write ops over time * EBS IO balance and Byte Balance % metric over time for Ec2 instances. -AWS EC2 EBS (CloudWatch Metrics) dashboard +AWS EC2 EBS (CloudWatch Metrics) dashboard ### Disk (CloudWatch Metrics) @@ -296,7 +271,7 @@ Use this dashboard to: * Monitor instance store - Disk metrics like Disk read/write Bytes and Byte rate * Monitor instance store - Disk netrucs like Disk read/write Operations and Operation rate. -AWS EC2 Disk (CloudWatch Metrics) dashboard +AWS EC2 Disk (CloudWatch Metrics) dashboard ### Network (CloudWatch Metrics) @@ -307,7 +282,7 @@ Use this dashboard to: * Monitor imported network metrics like - Byte rate for input and out put and Bytes going in and out of Ec2 instances * Observe network metrics for Ec2 for packet in/out and rate of the packets. -AWS EC2 Network (CloudWatch Metrics) dashboard +AWS EC2 Network (CloudWatch Metrics) dashboard ### Status Check (CloudWatch Metrics) 
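Review bot: The context bullets of the `@@ -307,7 +282,7 @@` hunk contain "Byte rate for input and out put" and "Ec2 instances"; these should be "output" and "EC2". The neighbouring hunks show the same kind of slip ("Disk netrucs" in `@@ -296,7 +271,7 @@`, "Byes & packets" in `@@ -250,7 +225,7 @@`), so a single wording pass over these bullet lists in this commit would be cheaper than a follow-up.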
@@ -318,4 +293,35 @@ Use this dashboard to: * Monitor if the instance has passed the status check at last minute * Monitor if an instance has passed the system status check at last minute -AWS EC2 Status Check (CloudWatch Metrics) dashboard +AWS EC2 Status Check (CloudWatch Metrics) dashboard + +## Create monitors for AWS EC2 app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS EC2 alerts + +| Name | Description | Alert Condition | Recover Condition | +|:-----|:------------|:----------------|:--| +| `AWS EC2 CW - High CPU Utilization` | This alert fires when the average CPU utilization based on cloud watch metrics, within a 5 minute interval for an EC2 instance is high (>=85%). | Count > 85 | Count <= 85 | +| `AWS EC2 CW - Status Check Failed` | This alert fires when there is a status check failures within a 5 minute interval for an EC2 instance. | Count > 0 | Count <= 0 | +| `AWS EC2 - High Disk Utilization` | This alert fires when the average disk utilization within a 5 minute time interval for an EC2 instance is high (>=85%). | Count >= 85 | Count < 85 | +| `AWS EC2 - High Memory Utilization` | This alert fires when the average memory utilization within a 5 minute interval for an EC2 instance is high (>=85%). | Count >= 85 | Count < 85 | +| `AWS EC2 - High System CPU Utilization` | This alert fires when the average system CPU utilization within a 5 minute interval for an EC2 instance is high (>=85%). | Count >= 85 | Count < 85 | +| `AWS EC2 - High Total CPU Utilization` | This alert fires when the average total CPU utilization within a 5 minute interval for an EC2 instance is high (>=85%). | Count >= 85 | Count < 85 | +| `AWS EC2 CW - Low EBS IO Credit Balance` | This alert fires when the average EBS IO Balance percentage within a 5 minute interval for an EC2 instance is low (<=10%), indicating the instance is close to being throttled on EBS IOPS. 
| Count <= 10 | Count > 10 | +| `AWS EC2 CW - Low CPU Credit Balance` | This alert fires when the average CPU Credit Balance within a 30 minute interval for an EC2 instance is low (<=5), indicating a burstable instance is close to losing burst capability and will be limited to baseline performance. | Count <= 5 | Count > 5 | + +## Upgrade/Downgrade the AWS EC2 app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS EC2 app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/amazon-aws/ec2-host-metrics.md b/docs/integrations/amazon-aws/ec2-host-metrics.md index 1984c4ee9f..9968d97b4d 100644 --- a/docs/integrations/amazon-aws/ec2-host-metrics.md +++ b/docs/integrations/amazon-aws/ec2-host-metrics.md @@ -138,7 +138,7 @@ Use this dashboard to: * Identify trends and deviations in resource usage across instance types, based upon which you can identify which instance types need to be resized. * Monitor average CPU utilization by instance type. -EC2 host metrics dashboard +Host Metrics (EC2) - Overview ### AWS EC2 - Summary (Host OS Metrics) @@ -150,7 +150,7 @@ Use this dashboard to: * Determine if an instance needs to be resized based on utilization. * Identify potential infrastructure issues by identifying deviations in trends and monitoring. -EC2 host metrics dashboard +Host Metrics (EC2) - Summary ### AWS EC2 - CPU @@ -161,7 +161,7 @@ Use this dashboard to: * Quickly identify if high CPU utilization for an EC2 instance is potentially causing a production issue. * Determine how CPU cycles are being spent across CPU user time, system time, and IO wait time. -EC2 host metrics dashboard +Host Metrics (EC2) - CPU ### AWS EC2 - Memory (Host OS Metrics) 
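Review bot: In the alerts table added by the `@@ -318,4 +293,35 @@` hunk of ec2-cloudwatch-metrics.md, the `AWS EC2 CW - High CPU Utilization` row says the alert fires at ">=85%" but lists the condition as "Count > 85" with recovery at "Count <= 85", while every other 85% row in the table uses "Count >= 85" and "Count < 85". Confirm which boundary the monitor uses and make the description and both conditions agree. The `AWS EC2 CW - Status Check Failed` description also reads "a status check failures".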
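Review bot: In the `@@ -161,7 +161,7 @@` hunk of ec2-host-metrics.md the new caption "Host Metrics (EC2) - CPU" sits under the heading "### AWS EC2 - CPU", which is the only heading visible in this file's hunks without the "(Host OS Metrics)" suffix. The captions now follow a "Host Metrics (EC2) - ..." pattern while the headings follow "AWS EC2 - ... (Host OS Metrics)". If the captions are meant to carry the dashboard names from the app, add the suffix to the CPU heading at least, and consider noting the dashboard name in each section so the two naming schemes can be matched.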
@@ -172,7 +172,7 @@ Use this dashboard to: * Quickly identify if high memory utilization for an EC2 instance is potentially causing a production issue * Determine how memory is being used across buffers and cache memory. -EC2 host metrics dashboard +Host Metrics (EC2) - Memory ### AWS EC2 - Disk (Host OS Metrics) @@ -184,7 +184,7 @@ Use this dashboard to: * Determine which directories have the most disk usage. * Determine the performance of your storage by monitoring disk read/write rates. -EC2 host metrics dashboard +Host Metrics (EC2) - Disk ### AWS EC2 - Network (Host OS Metrics) @@ -195,7 +195,7 @@ Use this dashboard to: * Quickly identify if traffic sent and received rates for an EC2 instance is potentially causing a production issue. * Determine if any improvements need to be made to your AWS networking infrastructure for optimal performance. -EC2 host metrics dashboard +Host Metrics (EC2) - Network ### AWS EC2 - TCP (Host OS Metrics) @@ -206,4 +206,4 @@ Use this dashboard to: * Quickly identify if TCP traffic for an EC2 instance is potentially causing a production issue. * Identify if any improvements need to be made to optimize TCP traffic by analyzing various TCP connection states. -EC2 host metrics dashboard +Host Metrics (EC2) - TCP diff --git a/docs/integrations/amazon-aws/elastic-container-service-container-insights-cloudwatch.md b/docs/integrations/amazon-aws/elastic-container-service-container-insights-cloudwatch.md index 409a7e0533..51e8a528a5 100644 --- a/docs/integrations/amazon-aws/elastic-container-service-container-insights-cloudwatch.md +++ b/docs/integrations/amazon-aws/elastic-container-service-container-insights-cloudwatch.md 
@@ -12,10 +12,10 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; Amazon Elastic Container Service (Amazon ECS) is a container management service that allows you to manage Docker containers on a cluster of Amazon EC2 instances. The Sumo Logic app for Amazon ECS provides preconfigured searches and Dashboards that allow you to monitor various metrics (CPU and Memory Utilization, CPU and Memory Reservation) across ECS clusters and services. The app also monitors API calls made by or on behalf of Amazon ECS in your AWS account. We offer two different ECS versions, which have separate data collection steps: -* **[Collect Logs and Metrics for ECS](/docs/integrations/amazon-aws/elastic-container-service)**. This version collects [ECS CloudWatch Metrics](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/available-metrics.html) and [ECS Events using AWS CloudTrail](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html#service-name-info-in-cloudtrail). For instructions on collecting this data, refer to the [Amazon Elastic Container Service (ECS)](/docs/integrations/amazon-aws/elastic-container-service/). -* **[Collect Logs, Metrics (Container Insights+CloudWatch) and Traces for ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html#service-name-info-in-cloudtrail)**. This version collects [ECS CloudWatch Metrics](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-metrics.html#available_cloudwatch_metrics), [Container Insights Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-metrics-ECS.html), [ECS Events using AWS CloudTrail](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html#service-name-info-in-cloudtrail), Application Logs and Traces. Metrics collected by Container Insights are charged as custom metrics. 
For more information about CloudWatch pricing, see[ Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/). This solution enables you to monitor both ec2 and fargate based ecs deployments. +* **[Collect Logs and Metrics for ECS](/docs/integrations/amazon-aws/elastic-container-service)**. This version collects [ECS CloudWatch Metrics](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/available-metrics.html) and [ECS Events using AWS CloudTrail](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html#service-name-info-in-cloudtrail). For instructions on collecting this data, refer to the [Amazon Elastic Container Service (ECS)](/docs/integrations/amazon-aws/elastic-container-service/). +* **[Collect Logs, Metrics (Container Insights+CloudWatch) and Traces for ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html#service-name-info-in-cloudtrail)**. This version collects [ECS CloudWatch Metrics](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-metrics.html#available_cloudwatch_metrics), [Container Insights Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-metrics-ECS.html), [ECS Events using AWS CloudTrail](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/logging-using-cloudtrail.html#service-name-info-in-cloudtrail), and Application Logs and Traces. Metrics collected by Container Insights are charged as custom metrics. For more information about CloudWatch pricing, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/). This solution enables you to monitor both ec2 and fargate based ecs deployments. -This page has instructions for collecting logs and metrics for the Amazon ECS app. It uses the following data: +This page has instructions for collecting logs and metrics for the Amazon ECS app. 
It uses the following data: * CloudWatch Metrics * Container Insights Metrics * AWS CloudTrail Events @@ -23,11 +23,11 @@ This page has instructions for collecting logs and metrics for the Amazon ECS ap * ECS Application Logs * Traces -## Creating Fields in Field Schema  +## Creating Fields in Field Schema -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. +1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. 1. Search for the following fields: `account`, `namespace`, `region` field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields). +1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields). ## Creating Field Extraction Rule(s) @@ -58,7 +58,7 @@ Parse Expression: | fields region, namespace, accountid ``` -## Collect Metrics for Amazon ECS  +## Collect Metrics for Amazon ECS Sumo Logic supports collecting metrics using two source types: 
@@ -69,44 +69,44 @@ Sumo Logic supports collecting metrics using two source types: **Metadata**: Add an **account** field to the source and assign it a value which is a friendly name / alias to your AWS account from which you are collecting metrics. Metrics can be queried via the `account field`. -### Collect Container Insights Metrics for Amazon ECS  +### Collect Container Insights Metrics for Amazon ECS -When you enable Container Insights, CloudWatch collects [additional metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-metrics-ECS.html) in the `ECS/ContainerInsights` namespace that describe the status of your ECS tasks, resource usage metrics and the number of running services, containers, and deployments. +When you enable Container Insights, CloudWatch collects [additional metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-metrics-ECS.html) in the `ECS/ContainerInsights` namespace that describe the status of your ECS tasks, resource usage metrics and the number of running services, containers, and deployments. In this step, you'll enable Container Insights and set up a collection to ingest those metrics. -1. Enable Container Insights by referring to the AWS [docs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS-cluster.html) by using cli or AWS console. -2. If Cloudwatch source is selected for collecting metrics, update the source created in "Collect Metrics for Amazon ECS" section to include `ECS/ContainerInsights` in custom namespaces field; or
ECS/ContainerInsights +1. Enable Container Insights by referring to the AWS [docs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS-cluster.html) by using cli or AWS console. +2. If Cloudwatch source is selected for collecting metrics, update the source created in "Collect Metrics for Amazon ECS" section to include `ECS/ContainerInsights` in custom namespaces field.
ECS/ContainerInsights 3. If Kinesis Firehose source is selected for collecting metrics, update the [Metrics Stream](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source/#include-metrics-by-namespace) to include `ECS/ContainerInsights` in custom namespaces field. ### Collect ECS events using CloudTrail -To set up an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source) to collect ECS events: +To set up an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source) to collect ECS events: -1. [Configure CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-add-a-trail-using-the-console.html "http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-add-a-trail-using-the-console.html") in your AWS account. This will create an S3 bucket, if you so choose. +1. [Configure CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-add-a-trail-using-the-console.html) in your AWS account. This will create an S3 bucket, if you so choose. 2. Grant Sumo Logic access to the Amazon S3 bucket. 3. Confirm that logs are being delivered to the Amazon S3 bucket. 4. [**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic main menu select **Data Management**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. -5. Navigate to the hosted collector you configured above and select **Add > Add Source**. -6. Select AWS CloudTrail source. -7. **Name.** Enter a name to display the new Source. -8. **Description.** Enter an optional description. -9. **S3 Region.** Select the Amazon Region for your ECS S3 bucket. -10. **Bucket Name.** Enter the exact name of your ECS S3 bucket. -11. **Path Expression.** Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (`*`) in this string. (DO NOT use a leading forward slash. See [Amazon Path Expressions](/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions).)  -12. **Source Category.** Enter `aws/observability/cloudtrail/logs`. -13. **Fields**. Add an **account** field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried via the "account field". -14. **AWS Access**. There are two options for AWS access:  - - Role-based access. This is the preferred method. You can use this option if you granted access to Amazon ECS as described in [Grant Access to an AWS Product](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product).  For Role-based access enter the Role ARN that was provided by AWS after creating the role. - - For Key access enter the Access Key ID and Secret Access Key. For more information, see [Managing Access Keys for IAM Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in AWS help. -15. **Scan Interval.** Use the default of 5 minutes. Alternately, enter the frequency Sumo Logic will scan your S3 bucket for new data. +5. Navigate to the hosted collector you configured above and select **Add > Add Source**. +6. Select AWS CloudTrail source. +7. **Name.** Enter a name to display the new Source. +8. 
**Description.** Enter an optional description. +9. **S3 Region.** Select the Amazon Region for your ECS S3 bucket. +10. **Bucket Name.** Enter the exact name of your ECS S3 bucket. +11. **Path Expression.** Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (`*`) in this string. (DO NOT use a leading forward slash. See [Amazon Path Expressions](/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions).) +12. **Source Category.** Enter `aws/observability/cloudtrail/logs`. +13. **Fields**. Add an **account** field and assign it a value that is a friendly name/alias to your AWS account from which you are collecting logs. Logs can be queried via the "account field". +14. **AWS Access**. There are two options for AWS access: + - Role-based access. This is the preferred method. You can use this option if you granted access to Amazon ECS as described in [Grant Access to an AWS Product](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product). For role-based access enter the role ARN that was provided by AWS after creating the role. + - For key access enter the Access Key ID and Secret Access Key. For more information, see [Managing Access Keys for IAM Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in AWS help. +15. **Scan Interval.** Use the default of 5 minutes. Alternately, enter the frequency Sumo Logic will scan your S3 bucket for new data. 16. **Enable Timestamp Parsing**. Select the **Extract timestamp information from log file entries** check box. 17. **Time Zone**. Select **Ignore time zone from the log file and instead use**, and select **UTC** from the dropdown. 18. **Timestamp Format.** Select **Automatically detect the format**. 19. **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. -20. Click **Save**. +20. Click **Save**. 
-## Centralized AWS CloudTrail Log Collection  +## Centralized AWS CloudTrail Log Collection In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create or update the following Field Extraction Rule to map proper AWS account(s) friendly name/alias: @@ -130,40 +130,40 @@ Enter a parse expression to create an `account` field that maps to the alias you | fields account ``` -## Collect Container Insights performance log events for Task and Container  +## Collect Container Insights performance log events for Task and Container -Container Insights collects data as performance log events using [embedded metric format](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Embedded_Metric_Format.html). More details [here](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html). +Container Insights collects data as performance log events using [embedded metric format](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Embedded_Metric_Format.html). More details [here](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html). In this step, you'll create a source to collect Task and Container level performance events, which are not converted as CloudWatch metrics. -1. Configure an [AWS Kinesis Firehose for Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source). Add the fields account, region and namespace as shown below.
ECS -2. Copy the `KinesisLogsRoleARN` and `KinesisLogsDeliveryStreamARN` values from the outputs tab of Cloudformation.
ECS -3. Go to your CloudWatch > Log Groups and click on your CloudWatch log group `/aws/ecs/containerinsights//performance`.
ECS -4. Click on Create and in opened window fill in the below parameters - 1. Get the delivery stream name from the arn copied in step 2 and fill in the KinesisLogsDeliverStream  field. +1. Configure an [AWS Kinesis Firehose for Logs Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source). Add the fields account, region and namespace as shown below.
ECS +2. Copy the `KinesisLogsRoleARN` and `KinesisLogsDeliveryStreamARN` values from the outputs tab of CloudFormation.
ECS +3. Go to your **CloudWatch > Log Groups** and click on your CloudWatch log group `/aws/ecs/containerinsights//performance`.
ECS +4. Click on Create and in opened window fill in the below parameters: + 1. Get the delivery stream name from the arn copied in step 2 and fill in the **KinesisLogsDeliverStream** field. 2. Get the role name from the arn copied in step 2 and fill in the role. 3. Specify the filter pattern `{ $.Type = "Container" || $.Type = "Task" }`. 4. Specify the filter name. - 5. Test the pattern and click Start streaming.
ECS + 5. Test the pattern and click **Start streaming**.
ECS ## Collect Application Logs for Amazon ECS -Set up the Container logs collection using the steps in following [docs](/docs/send-data/collect-from-other-data-sources/aws-fargate-log-collection). You can use awsfirelens driver and avoid sending logs to CloudWatch log groups.  Put account, region and namespace fields also while configuring the source. +Set up the Container logs collection using the steps in the following [docs](/docs/send-data/collect-from-other-data-sources/aws-fargate-log-collection). You can use AWS FireLens driver and avoid sending logs to CloudWatch log groups. Put account, region, and namespace fields also while configuring the source. If your logs are already going to CloudWatch logs groups then you can create a subscription filter to subscribe the log groups to the delivery stream created in the previous step. :::note -Application logs do not contain regions. You have to configure a new Sumo Logic source for each region if you want to avoid creating multiple sources, then you will have to put the [X-SUMO-Fields](/docs/manage/fields#x-sumo-fields-http-header) header inside logConfiguration by creating a custom fluent bit image and specify a custom fluent bit configuration. +Application logs do not contain regions. You have to configure a new Sumo Logic source for each region if you want to avoid creating multiple sources, then you will have to put the [X-SUMO-Fields](/docs/manage/fields#x-sumo-fields-http-header) header inside logConfiguration by creating a custom fluent bit image and specify a custom fluent bit configuration. -For more information, see, [Create a custom Fluent Bit image](/docs/send-data/collect-from-other-data-sources/aws-fargate-log-collection). +For more information, see [Create a custom Fluent Bit image](/docs/send-data/collect-from-other-data-sources/aws-fargate-log-collection). ::: ## Collect Traces for Amazon ECS -To set up collection for traces: +To set up collection for traces: -1. 
Create a HTTP Traces source by referring to the [docs](/docs/apm/traces/get-started-transaction-tracing/http-traces-source). -2. Install OpenTelemetry Collector by referring to the [docs](/docs/apm/traces/get-started-transaction-tracing/set-up-traces-collection-aws-environments).  +1. Create a HTTP Traces source by referring to the [docs](/docs/apm/traces/get-started-transaction-tracing/http-traces-source). +2. Install OpenTelemetry Collector by referring to the [docs](/docs/apm/traces/get-started-transaction-tracing/set-up-traces-collection-aws-environments). ### Sample log messages @@ -429,7 +429,7 @@ To set up collection for traces: -### Sample query +### Sample query ```sumo title="Deleted Resources Over Time" _sourceCategory=ecs* (DeleteCluster or DeleteService or DeregisterContainerInstance or DeregisterTaskDefinition or StopTask) and !(InternalFailure) 
@@ -443,43 +443,43 @@ _sourceCategory=ecs* (DeleteCluster or DeleteService or DeregisterContainerInsta | transpose row _timeslice column resource_type ``` -### Install the Sumo Logic app  +## Installing the Amazon ECS app -Now that you have set up a collection for Amazon ECS with Container Insights and CloudWatch, install the Sumo Logic app for Amazon ECS with Container Insights and CloudWatch to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. +Now that you have set up a collection for Amazon ECS with Container Insights and CloudWatch, install the Sumo Logic app for Amazon ECS with Container Insights and CloudWatch to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; - + -## Amazon ECS CloudWatch dashboards  +## Amazon ECS CloudWatch dashboards -### Cluster Overview  +### Cluster Overview -The **Amazon ECS - Cluster Overview** dashboard provides a high-level view of the cluster's health along with details on the utilized resources. +The **Amazon ECS - Cluster Overview** dashboard provides a high-level view of the cluster's health along with details on the utilized resources. Use this dashboard to: -- Monitor the memory and CPU utilization of your cluster. +- Monitor the memory and CPU utilization of your cluster. - View abnormal read-write activity and network incoming-outgoing bytes. -Amazon ECS - Cluster Overview dashboard +Amazon ECS - Cluster Overview dashboard ### Cluster Performance Monitoring -The **Amazon ECS - Cluster Performance Monitoring** dashboard provides detailed information on the performance of your cluster, which you can use to fine-tune your cluster. 
+The **Amazon ECS - Cluster Performance Monitoring** dashboard provides detailed information on the performance of your cluster, which you can use to fine-tune your cluster. Use this dashboard to: - Identify patterns and outliers over time. -- Monitor the performance of your cluster and use linked dashboards to drill down further into the root cause.  +- Monitor the performance of your cluster and use linked dashboards to drill down further into the root cause. -Amazon ECS - Cluster Performance Monitoring dashboard +Amazon ECS - Cluster Performance Monitoring dashboard ### Cluster Resource Reservation -The **Amazon ECS - Cluster Resource Reservation** dashboard provides information on resource reservations which can be used to set the right resource limits. +The **Amazon ECS - Cluster Resource Reservation** dashboard provides information on resource reservations which can be used to set the right resource limits. -Use this dashboard to:  +Use this dashboard to: - Identify the right limits for CPU and memory reservations. 
@@ -487,51 +487,51 @@ Use this dashboard to:  ### Container Logs -The **Amazon ECS - Container Logs** dashboard provides detailed information on what is happening (errors or recent events) in a container.  +The **Amazon ECS - Container Logs** dashboard provides detailed information on what is happening (errors or recent events) in a container. Use this dashboard to: - View recent logs of your container. - Identify common errors and abnormal spikes in errors. -Amazon ECS - Container Logs** dashboard +Amazon ECS - Container Logs dashboard ### Container Overview -The **Amazon ECS - Container Overview** dashboard provides a high-level view of the health of the container along with details on the utilized resources. +The **Amazon ECS - Container Overview** dashboard provides a high-level view of the health of the container along with details on the utilized resources. Use this dashboard to: - Track the container status and identify the container details like its task definition, image, account, etc. -- Monitor CPU, memory,  disk, and network activity of your container.  +- Monitor CPU, memory, disk, and network activity of your container. -Amazon ECS - Container Overview dashboard +Amazon ECS - Container Overview dashboard ### EC2 LaunchType -The **Amazon ECS - EC2 LaunchType** dashboard provides a high-level view of the health of the cluster along with details on the utilized resources for EC2 launch types. +The **Amazon ECS - EC2 LaunchType** dashboard provides a high-level view of the health of the cluster along with details on the utilized resources for EC2 launch types. Use this dashboard to: - Monitor CPU and memory utilization of clusters with EC2 launch type. - View the number of clusters and tasks with EC2 launch type. 
-Amazon ECS - EC2 LaunchType dashboard +Amazon ECS - EC2 LaunchType dashboard ### Service Overview -The **Amazon ECS - Service Overview** dashboard provides a high-level view of the health of the services along with details on the utilized resources. +The **Amazon ECS - Service Overview** dashboard provides a high-level view of the health of the services along with details on the utilized resources. Use this dashboard to: - Monitor the number of running, desired, and pending tasks. - Identify services with abnormal CPU, network, memory, and disk activity. -Amazon ECS - Service Overview dashboard +Amazon ECS - Service Overview dashboard ### Service Performance Monitoring -The **Amazon ECS - Service Performance Monitoring** dashboard provides detailed information on the performance of your services which you can use to fine-tune your cluster. +The **Amazon ECS - Service Performance Monitoring** dashboard provides detailed information on the performance of your services which you can use to fine-tune your cluster. Use this dashboard to: 
@@ -539,22 +539,22 @@ Use this dashboard to: - Track the running, pending, and desired tasks trend. - Monitor the performance of your services and use linked dashboards to drill down further into the root cause. -Amazon ECS - Service Performance Monitoring dashboard +Amazon ECS - Service Performance Monitoring dashboard ### Tasks Definition Family Overview -The **Amazon ECS - Tasks Definition Family Overview** dashboard provides a high-level view of the health of the tasks belonging to a particular task definition family and details on the utilized resources. +The **Amazon ECS - Tasks Definition Family Overview** dashboard provides a high-level view of the health of the tasks belonging to a particular task definition family and details on the utilized resources. Use this dashboard to: - View the number of tasks running with a single task definition family. - Monitor CPU and memory usage by task definition family. -Amazon ECS - Tasks Definition Family Overview dashboard +Amazon ECS - Tasks Definition Family Overview dashboard ### Tasks Overview -The **Amazon ECS - Tasks Overview** dashboard provides a high-level view of the health of the task along with details on the utilized resources and where they are running. +The **Amazon ECS - Tasks Overview** dashboard provides a high-level view of the health of the task along with details on the utilized resources and where they are running. Use this dashboard to: 
@@ -562,48 +562,73 @@ Use this dashboard to: - Track Network Errors and Dropped Packets - Monitor CPU, memory, disk, and network performance by task instances. -Amazon ECS - Tasks Overview dashboard +Amazon ECS - Tasks Overview dashboard ### Tasks Definition Family Performance Monitoring -The **Amazon ECS - Tasks Definition Family Performance Monitoring** dashboard provides detailed information on the performance of your tasks which you can use to fine-tune your cluster. +The **Amazon ECS - Tasks Definition Family Performance Monitoring** dashboard provides detailed information on the performance of your tasks which you can use to fine-tune your cluster. Use this dashboard to: -- Identify patterns and outliers over time for each of the resource metrics like CPU, memory, network, and disk. -- Monitor the performance of your tasks and use linked dashboards to drill down further into the root cause. +- Identify patterns and outliers over time for each of the resource metrics like CPU, memory, network, and disk. +- Monitor the performance of your tasks and use linked dashboards to drill down further into the root cause. -Amazon ECS - Tasks Definition Family Performance Monitoring dashboard +Amazon ECS - Tasks Definition Family Performance Monitoring dashboard ### Task Definition Family Resource Reservation -The **Amazon ECS - Task Definition Family Resource Reservation** dashboard provides information on resource reservation which can be used to set the right resource limits at the task definition level. +The **Amazon ECS - Task Definition Family Resource Reservation** dashboard provides information on resource reservation which can be used to set the right resource limits at the task definition level. -Use this dashboard to:  +Use this dashboard to: - Identify the right limits for CPU and memory reservations. 
-Amazon ECS - Task Definition Family Resource Reservation dashboard +Amazon ECS - Task Definition Family Resource Reservation dashboard ### Fargate LaunchType -The **Amazon ECS - Fargate LaunchType** dashboard provides a high-level view of the cluster's health along with details on the utilized resources for Fargate launch types. +The **Amazon ECS - Fargate LaunchType** dashboard provides a high-level view of the cluster's health along with details on the utilized resources for Fargate launch types. Use this dashboard to: - Monitor network activity of your clusters with Fargate launch type. - View the number of clusters and tasks with Fargate launch type. -Amazon ECS - Fargate LaunchType dashboard +Amazon ECS - Fargate LaunchType dashboard -### Audit Events  +### Audit Events -The **Amazon ECS - Audit Events** dashboard gives information on the type of request made to ECS, the IP making the request, who made it and when, and more. +The **Amazon ECS - Audit Events** dashboard gives information on the type of request made to ECS, the IP making the request, who made it and when, and more. Use this dashboard to: - View audit trail of actions taken by a user, role, or AWS service in Amazon ECS. -- Monitor container registration/deregistration events. +- Monitor container registration/deregistration events. - Identify location, IP address from where the request was made, and resource crud events over time. -Amazon ECS - Audit Events dashboard +Amazon ECS - Audit Events dashboard + +## Create monitors for Amazon ECS app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Amazon ECS alerts + +| Name | Description | Alert Condition | Recover Condition | +|:-----|:------------|:----------------|:--| +| `Amazon ECS - High CPU Utilization` | This alert fires when the average CPU utilization within a 5 minute interval for a service within a cluster is high (>=85%). 
| Count > = 85 | Count < 85 | +| `Amazon ECS - High Memory Utilization` | This alert fires when the average memory utilization within a 5 minute interval for a service within a cluster is high (>=85%). | Count > = 85 | Count < 85 | + +## Upgrade/Downgrade the Amazon ECS app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Amazon ECS app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/amazon-aws/elastic-container-service.md b/docs/integrations/amazon-aws/elastic-container-service.md index 47adbba6f5..1392592221 100644 --- a/docs/integrations/amazon-aws/elastic-container-service.md +++ b/docs/integrations/amazon-aws/elastic-container-service.md @@ -288,26 +288,6 @@ _sourceCategory=ecs* (DeleteCluster or DeleteService or DeregisterContainerInsta | count by resource_type, _timeslice | transpose row _timeslice column resource_type ``` -## Creating Fields in Field Schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the following fields: `account`, `namespace`, `region` field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields). - -## Creating Field Extraction Rule(s) - -Create a Field Extraction Rule for CloudTrail Logs ([learn more](/docs/manage/field-extractions/create-field-extraction-rule)). -```sql -Rule Name: AwsObservabilityECSCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): -account=* eventname eventsource "ecs.amazonaws.com" -Parse Expression: -| json "eventSource", "awsRegion", "requestParameters.tableName", "recipientAccountId" as eventSource, region, tablename, accountid nodrop -| where eventSource = "ecs.amazonaws.com" -| "aws/ecs" as namespace -| fields region, namespace, accountid -``` ## Collect Logs and Metrics for Amazon ECS This section has instructions for collecting logs and metrics for the Amazon ECS app. 
@@ -341,10 +321,24 @@ This section has instructions for collecting logs and metrics for the Amazon ECS Now that you have set up collection for Amazon ECS, install the Sumo Logic app for Amazon ECS to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall from '../../reuse/apps/app-install-v2.md'; +As part of the app installation process, the following fields will be created by default: + +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for Amazon ECS Service is AWS/ECS. +- `clustername` The name of the ECS cluster. + +## Field Extraction Rule(s) + +The FER **AwsObservabilityECSCloudTrailLogsFER** to extract fields `region`, `namespace`, `clustername`, and `accountid` will be created as a part of app installation. + +The FER **AwsObservabilityECSCloudWatchLogsFER** to extract the `namespace` field will be created as a part of app installation. + ## Viewing the Amazon ECS app dashboards import ViewDashboards from '../../reuse/apps/view-dashboards.md'; @@ -362,7 +356,7 @@ Use this dashboard to: * Identify clusters or services with unusually high or low resource usage or reservation percentages. * View details of individual clusters and services, including their regions and associated accounts. -Amazon ECS - Overview +Amazon ECS - Overview ### Audit Events @@ -375,7 +369,7 @@ Use this dashboard to: * Examine details and trends for created, updated and deleted ECS resources. * Investigate specific container registration and deregistration events in different regions and clusters. -Amazon ECS - Audit Events +Amazon ECS - Audit Events ### Resource Utilization 
@@ -390,7 +384,7 @@ Use this dashboard to: * Identify performance bottlenecks or underutilized resources in your ECS environment. * Compare utilization patterns between clusters and individual services to optimize resource allocation. -Amazon ECS - Resource Utilization +Amazon ECS - Resource Utilization ### Resource Reservation @@ -406,4 +400,29 @@ Use this dashboard to: * Compare reservation patterns between different types of resources (CPU, memory, GPU) over time. -Amazon ECS - Resource Reservation +Amazon ECS - Resource Reservation + +## Create monitors for Amazon ECS app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Amazon ECS alerts + +| Name | Description | Alert Condition | Recover Condition | +|:-----|:------------|:----------------|:--| +| `Amazon ECS - High CPU Utilization` | This alert fires when the average CPU utilization within a 5 minute interval for a service within a cluster is high (>=85%). | Count > = 85 | Count < 85 | +| `Amazon ECS - High Memory Utilization` | This alert fires when the average memory utilization within a 5 minute interval for a service within a cluster is high (>=85%). | Count > = 85 | Count < 85 | + +## Upgrade/Downgrade the AWS EC2 app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS EC2 app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/amazon-aws/elasticache.md b/docs/integrations/amazon-aws/elasticache.md index 85b7315187..71ae26a597 100644 --- a/docs/integrations/amazon-aws/elasticache.md +++ b/docs/integrations/amazon-aws/elasticache.md 
@@ -133,34 +133,6 @@ account={{account}} region={{region}} namespace={{namespace}} "\"eventSource\":\ 2. Click **Save**. -### Field in Field Schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the “**cacheclusterid**” field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields.md#manage-fields). - - -### Field Extraction Rule(s) - -Create a Field Extraction Rule for CloudTrail Logs. Learn how to create a Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule). - -```sql -Rule Name: AwsObservabilityElastiCacheCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* eventname eventsource "elasticache.amazonaws.com" -``` - -**Parse Expression** - -```sumo -| json "eventSource", "awsRegion", "requestParameters.cacheClusterId", "responseElements.cacheClusterId", "recipientAccountId" as eventSource, region, req_cacheClusterId, res_cacheClusterId, accountid nodrop -| where eventSource = "elasticache.amazonaws.com" -| if (!isEmpty(req_cacheClusterId), req_cacheClusterId, res_cacheClusterId) as cacheclusterid -| "aws/elasticache" as namespace -| tolowercase(cacheclusterid) as cacheclusterid -| fields region, namespace, cacheclusterid, accountid -``` - ### Centralized AWS CloudTrail Log Collection In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map a proper AWS account(s) friendly name / alias. Create it if not already present / update it as required. 
@@ -190,10 +162,22 @@ This section has instructions for installing the Sumo Logic app for **Amazon Ela Now that you have set up a collection for **Amazon ElastiCache**, install the Sumo Logic app to use the pre-configured dashboards that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall from '../../reuse/apps/app-install-v2.md'; +As part of the app installation process, the following fields will be created by default: + +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for Amazon ElastiCache service is AWS/ElastiCache. +- `cacheclusterid` A cache cluster ID is a user-supplied, unique name used to identify and manage an Amazon ElastiCache cluster. + +### Field Extraction Rule(s) + +The FER **AwsObservabilityElastiCacheCloudTrailLogsFER** to extract fields `accountid`, `namespace`, `region`, and `cacheclusterid` will be created as a part of app installation. + ## Viewing Amazon ElastiCache dashboards @@ -206,7 +190,7 @@ Use this dashboard to: * CPU, memory or swap space on host and swap usage. * Monitor network traffic utilization and compare today’s trends of incoming and outgoing bytes and packets vs. yesterday -Amazon ElastiCache +Amazon ElastiCache - Host Performance Overview ### Audit Event Overview @@ -218,7 +202,7 @@ Use this dashboard to: * Quickly identify top error codes to diagnose any outages * Monitor trends around failed events to identify potential service disruptions that could warrant deeper investigation -Amazon ElastiCache +Amazon ElastiCache - Audit Event Overview ### Redis Performance Overview @@ -227,7 +211,7 @@ Use this dashboard to: Use this dashboard to: * Quickly determine if your Redis database is performing as expected -Amazon ElastiCache +Amazon ElastiCache - Redis Performance Overview ### Audit Event Details 
@@ -237,7 +221,7 @@ Use this dashboard to: * Quickly determine changes made to your ElastiCache clusters while troubleshooting production outages * Determine if any nodes hosting your ElastiCache clusters were rebooted -Amazon ElastiCache +Amazon ElastiCache - Audit Event Details ### Host Performance Details @@ -247,7 +231,7 @@ Use this dashboard to: * Get an at-a-glance view of the performance of all nodes within a given ElastiCache cluster * Determine if CPU, memory, swap memory or network resources need to be scaled up or down for a given cluster or service based on utilization trends -Amazon ElastiCache +Amazon ElastiCache - Host Performance Details ### Redis Performance Details @@ -258,7 +242,7 @@ Use this dashboard to: * Review trends around defragmentation, replication lag and bytes replicated to determine optimizations * Quickly determine any authentication and authorization failures and grant or revoke privileges accordingly -Amazon ElastiCache +Amazon ElastiCache - Redis Performance Details ### Redis Command Latency @@ -267,7 +251,7 @@ The **Amazon ElastiCache - Redis Command Latency** dashboard provides detailed i Use this dashboard to: * To optimize performance of your Redis clusters by monitoring latency observed across get/set operations. Latency can be high due to high CPU usage, swapping or removing cached items. Performance optimizations can therefore be made either via resource allocation or by optimizing on caching. -Amazon ElastiCache +Amazon ElastiCache - Redis Command Latency ### Redis Command Stats 
@@ -279,4 +263,33 @@ Use this dashboard to: If high latency commands are not being processed frequently, you will want to look into monitoring and potentially allocating more CPU resources. -Amazon ElastiCache +Amazon ElastiCache - Redis Command Stats + +## Create monitors for Amazon ElastiCache app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Amazon ElastiCache alerts + +| Alert Name | Alert Description and Conditions | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `Amazon Elasticache - High CPU Utilization` | This alert fires when the average CPU utilization within a 5 minute interval for a host is high (>=90%). The CPUUtilization metric includes total CPU utilization across application, operating system and management processes. We highly recommend monitoring CPU utilization for hosts with two vCPUs or less. | Count >= 90 | Count < 90 | +| `Amazon Elasticache - High Engine CPU Utilization` | This alert fires when the average CPU utilization for the Redis engine process within a 5 minute interval is high (>=90%). For larger node types with four vCPUs or more, use the EngineCPUUtilization metric to monitor and set thresholds for scaling. | Count >= 90 | Count < 90 | +| `Amazon Elasticache - High Redis Database Memory Usage` | This alert fires when the average database memory usage within a 5 minute interval for the Redis engine is high (>=95%). When the value reaches 100%, eviction may happen or write operations may fail based on ElastiCache policies thereby impacting application performance. | Count >= 95 | Count < 95 | +| `Amazon Elasticache - High Redis Memory Fragmentation Ratio` | This alert fires when the average Redis memory fragmentation ratio within a 5 minute interval is high (>=1.5). Value equal to or greater than 1.5 indicates significant memory fragmentation. 
| Count >= 1.5 | Count < 1.5 | +| `Amazon Elasticache - Low Redis Cache Hit Rate` | This alert fires when the average cache hit rate for Redis within a 5 minute interval is low (<=80%). This indicates low efficiency of the Redis instance. If cache ratio is lower than 80%, that indicates a significant amount of keys are either evicted, expired, or don't exist. | Count <= 80 | Count > 80 | +| `Amazon Elasticache - Multiple Failed Operations` | This alert fires when we detect multiple failed operations within a 15 minute interval for an ElastiCache service. | Count >= 10 | Count < 10 | + +## Upgrade/Downgrade the AWS API Gateway app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS API Gateway app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/amazon-aws/lambda.md b/docs/integrations/amazon-aws/lambda.md index b25ae89dc0..578bf07390 100644 --- a/docs/integrations/amazon-aws/lambda.md +++ b/docs/integrations/amazon-aws/lambda.md @@ -211,38 +211,6 @@ These metrics can then be queried using Sumo Logic [Metrics queries](/docs/metri Search Provisioned Concurrency Metrics -### Field in Field Schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the “**functionname**” field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields.md#manage-fields). - - -### Field Extraction Rule(s) - -Create a Field Extraction Rule for AWS Lambda. Learn how to create a Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule). - - -### Cloud Trail FER - -```sql -Rule Name: AwsObservabilityFieldExtractionRule -Applied at: Ingest Time -Scope (Specific Data): account=* eventname eventsource "lambda.amazonaws.com" -``` - -```sumo title="Parse Expression" -| json "eventSource", "awsRegion", "requestParameters", "recipientAccountId" as eventSource, region, requestParameters, accountid nodrop -| where eventSource = "lambda.amazonaws.com" -| json field=requestParameters "functionName", "resource" as functionname, resource nodrop -| parse regex field=functionname "\w+:\w+:\S+:[\w-]+:\S+:\S+:(?[\S]+)$" nodrop -| parse field=resource "arn:aws:lambda:*:function:*" as f1, functionname2 nodrop -| if (isEmpty(functionname), functionname2, functionname) as functionname -| "aws/lambda" as namespace -| tolowercase(functionname) as functionname -| fields region, namespace, functionname, accountid -``` - ### Centralized AWS CloudTrail Log Collection In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map the proper AWS account(s) friendly name/alias. Create it if not already present / update it as required. 
@@ -266,27 +234,28 @@ Enter a parse expression to create an “account” field that maps to the alias | fields account ``` -### Cloud Watch FER - -```yml -Rule Name: AwsObservabilityLambdaCloudWatchLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* region* _sourceHost=/aws/lambda/* -Parse Expression: -| parse field=_sourceHost "/aws/lambda/*" as functionname -| tolowercase(functionname) as functionname -| "aws/lambda" as namespace -| fields functionname, namespace -``` - ## Installing the AWS Lambda App Now that you have set up collection for AWS Lambda, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall from '../../reuse/apps/app-install-v2.md'; +As part of the app installation process, the following fields will be created by default: + +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for Amazon Lambda Service is AWS/Lambda. +- `functionname` Lambda resource function name. + +### Field Extraction Rule(s) + +The FER **AwsObservabilityLambdaCloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `functionname` will be created as a part of app installation. + +The FER **AwsObservabilityLambdaCloudWatchLogsFER** to extract fields `functionname` and `namespace` will be created as a part of app installation. + ## Viewing AWS Lambda dashboards The following measurements and calculations drive the information shown in the dashboard panels: 
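Review bot: The added "Field Extraction Rule(s)" text names the CloudTrail rule `AwsObservabilityLambdaCloudTrailLogsFER`, but the manual steps removed in the previous hunk of this file created it as `AwsObservabilityFieldExtractionRule`. Readers who followed the old steps will still have a rule under the old name, so state whether app installation replaces it or whether it has to be removed by hand. In the new field list, the namespace is given as `AWS/Lambda` and the service is called "Amazon Lambda", while the CloudWatch rule removed in this hunk sets `"aws/lambda" as namespace` and the rest of the page says AWS Lambda; document the value that searches actually match on. Also in that list, "The region to which the resource name belongs to" has a doubled "to".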
@@ -312,12 +281,12 @@ Use this dashboard to: * Identify and validate the top IAM Users and AWS services that invoke AWS Lambda functions. * Monitor cold start duration for Lambda functions. -AWS Lambda +AWS Lambda - Overview ### Request Analysis -**The AWS Lambda - Request Analysis** dashboard provides deeper insights into the invocations, operations, and performance of your AWS Lambda functions. +The **AWS Lambda - Request Analysis** dashboard provides deeper insights into the invocations, operations, and performance of your AWS Lambda functions. Use this dashboard to: * Monitor the invocation of an AWS Lambda function against all other functions. @@ -326,12 +295,12 @@ Use this dashboard to: * Troubleshoot and investigate individual function requests. * Monitor cold start duration and key operations for Lambda functions. -AWS Lambda +AWS Lambda - Request Analysis ### Usage Analysis -**AWS Lambda - Usage Analysis** dashboard offers insights into function usage, including invocations, calling AWS services, user agents, IAM users, and detailed information about function callers. +The **AWS Lambda - Usage Analysis** dashboard offers insights into function usage, including invocations, calling AWS services, user agents, IAM users, and detailed information about function callers. :::note This dashboard provides analysis of AWS CloudTrail Data Events. By default, AWS CloudTrail does not log data events. To enable AWS CloudTrail data events, refer to [AWS Lambda Data Event](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console) @@ -345,7 +314,7 @@ Use this dashboard to: * Identify top callers, top caller types. * Monitor the invocation of an AWS Lambda function. -AWS Lambda +AWS Lambda - Usage Analysis ### Error Analysis 
@@ -362,12 +331,12 @@ Use this dashboard to: * Monitor the trend for recursive invocation drops. This measures the number of recursive invocation attempts that were dropped to prevent potential infinite loops and unbounded recursion within Lambda functions. * Monitor the trend for destination delivery failures. This tracks the number of times Lambda failed to deliver an asynchronous invocation result to a configured destination, such as an SNS topic, SQS queue, or EventBridge. -AWS Lambda +AWS Lambda - Error Analysis ### Resource Usage -**AWS Lambda - Resource Usage** dashboard provides insights on recent AWS Lambda request details, memory usage trends, function duration, claimed concurrency, and compute usage. +The **AWS Lambda - Resource Usage** dashboard provides insights on recent AWS Lambda request details, memory usage trends, function duration, claimed concurrency, and compute usage. Use this dashboard to: * Monitor the memory usage pattern of a Lambda function during its execution. @@ -375,12 +344,12 @@ Use this dashboard to: * Monitor the compute usage by function. * Monitor claimed account concurrency at the account level, segmented by region. -AWS Lambda +AWS Lambda - Resource Usage ### Performance Trends -**AWS Lambda - Performance Trends** dashboard displays log data analytics to provide insights on memory usage, function duration, recent request details, and compute usage. +The **AWS Lambda - Performance Trends** dashboard displays log data analytics to provide insights on memory usage, function duration, recent request details, and compute usage. Use this dashboard to: * Monitor concurrent executions of an AWS Lambda function and understand trends over time. 
@@ -388,15 +357,43 @@ Use this dashboard to: * Monitor memory used by AWS Lambda functions. * Monitor compute usage trends and predictions by AWS Lambda function in GB-Seconds. -AWS Lambda +AWS Lambda - Performance Trends ### Threat Intel -**AWS Lambda - Threat Intel** dashboard provides insights into incoming requests to your AWS Lambda functions from malicious sources determined via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). Panels show detailed information on malicious IPs and the malicious confidence of each threat. +The **AWS Lambda - Threat Intel** dashboard provides insights into incoming requests to your AWS Lambda functions from malicious sources determined via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). Panels show detailed information on malicious IPs and the malicious confidence of each threat. Use this dashboard to: * Identify known malicious IPs that are accessing your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward * Monitor the malicious confidence level for all incoming malicious IP address threats. -AWS Lambda +AWS Lambda - Threat Intel + + +## Create monitors for AWS Lambda app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS Lambda alerts + +| Alert Name | Alert Description and Conditions | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `AWS Lambda - High Memory Utilization` | This alert fires when we detect a Lambda execution with memory usage of more than 85% within an interval of 10 minutes. | Count > 0 | Count <= 0 | +| `AWS Lambda - High Percentage of Failed Requests` | This alert fires when we detect a large number of failed Lambda requests (>5%) within an interval of 5 minutes. | Count >= 5 | Count < 5 | +| `AWS Lambda - Low Provisioned Concurrency Utilization` | This alert fires when the average provisioned concurrency utilization for 5 minutes is low (<= 50%). 
This indicates low provisioned concurrency utilization efficiency. | Count <= 50 | Count > 50 | +| `AWS Lambda - Throttling` | This alert fires when we detect a Lambda running into throttling within an interval of 10 minutes. | Count > 0 | Count <= 0 | + +## Upgrade/Downgrade the AWS API Gateway app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS API Gateway app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/amazon-aws/network-load-balancer.md b/docs/integrations/amazon-aws/network-load-balancer.md index 213460afd2..e41ced2b15 100644 --- a/docs/integrations/amazon-aws/network-load-balancer.md +++ b/docs/integrations/amazon-aws/network-load-balancer.md @@ -50,56 +50,29 @@ When you create an AWS Source, you'll need to identify the Hosted Collector you Namespace for AWS Network Load Balancer Service is AWS/NetworkELB. ::: -## Field in field schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the “**networkloadbalancer**” field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields.md#manage-fields). - -## Field Extraction Rule(s) - -Create a Field Extraction Rule for AWS Network Load Balancer Cloudtrail Logs. Learn how to create Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule). +## Installing the AWS Network Load Balancer app -**AWS Network Load Balancer CloudTrail Logs** -```sql -Rule Name: AwsObservabilityNLBCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.amazonaws.com" "2015-12-01" -``` +Now that you have set up a collection for **AWS Network Load Balancer**, install the Sumo Logic app to use the pre-configured dashboards that provide visibility into your environment for real-time analysis of overall usage. 
-```sumo title="Parse Expression" -json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop -| where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01" -| "" as namespace -| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, networkloadbalancer1, f1 nodrop -| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, networkloadbalancer2, f1, f2 nodrop -| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace -| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace -| where namespace="aws/networkelb" or isEmpty(namespace) -| if (!isEmpty(networkloadbalancer), networkloadbalancer, if (!isEmpty(networkloadbalancer1), networkloadbalancer1, networkloadbalancer2)) as networkloadbalancer -| toLowerCase(networkloadbalancer) as networkloadbalancer -| fields region, namespace, networkloadbalancer, accountid -``` +import AppInstall from '../../reuse/apps/app-install-v2.md'; -## Metric rules + -Create the following Metric Rule for the AWS/NetworkELB namespace if not already created. Learn how to create a Metrics Rule [here](/docs/metrics/metric-rules-editor#create-a-metrics-rule). 
+As part of the app installation process, the following fields will be created by default: -```sql title="Rule 1*" -Rule name: AwsObservabilityNLBMetricsAddonEntityRule -Metric match expression: Namespace=AWS/NetworkELB LoadBalancer=* -Variable name: networkloadbalancer -Tag sequence: $LoadBalancer._1 -Save it -``` +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for AWS Network Load Balancer Service is AWS/NetworkELB. +- `networkloadbalancer` Network Load Balancer name. -## Installing the AWS Network Load Balancer app +## Field Extraction Rule(s) -Now that you have set up a collection for **AWS Network Load Balancer**, install the Sumo Logic app to use the pre-configured dashboards that provide visibility into your environment for real-time analysis of overall usage. +The FER **AwsObservabilityNLBCloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `networkloadbalancer` will be created as a part of app installation. -import AppInstall from '../../reuse/apps/app-install.md'; +## Metric rule(s) - +The Metric Rule **AwsObservabilityNLBMetricsRule** for the AWS/NetworkELB namespace will be created as a part of app installation. ## Viewing AWS Network Load Balancer dashboards 
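Review bot: The added "Metric rule(s)" paragraph names the rule `AwsObservabilityNLBMetricsRule`, but the block removed in this hunk defined it as `AwsObservabilityNLBMetricsAddonEntityRule`. Please confirm which name the installer creates and say what happens to a rule created from the old instructions. With the parse expression removed, the page no longer shows that the CloudTrail FER matches only API version "2015-12-01" and keeps only events whose namespace resolves to `aws/networkelb` or is empty; one sentence on that scope would help anyone checking why a load balancer event was or was not tagged. In the field list, "The region to which the resource name belongs to" has a doubled "to".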
@@ -109,21 +82,21 @@ import FilterDashboards from '../../reuse/filter-dashboards.md'; ### Overview -The **The AWS Network Load Balancer - Overview** dashboard provides detailed insights into a view of network utilization and performance. The dashboard provides information about the errors, health, and traffic handled by the load balancer. +The **AWS Network Load Balancer - Overview** dashboard provides detailed insights into a view of network utilization and performance. The dashboard provides information about the errors, health, and traffic handled by the load balancer. Use this dashboard to: * Get an at-a-glance view of the number of errors and status of backend hosts. * Identify load balancers with the most number of unhealthy hosts. * Monitor trends around active connections, bytes processed, and reset packets to ensure load balancers are operating as expected. -AWS Network Load Balancer dashboards +AWS Network Load Balancer - Overview ### Active and New Flows The **AWS Network Load Balancer - Active and New Flows** dashboard provides detailed insights for new flows, and active flows for TCP, TLS, and UDP traffic. Use this dashboard to to monitor trends around active and new flows (connections) to make sure they line up with expectations, then use this information to scale up/scale down backend hosts. -AWS Network Load Balancer dashboards +AWS Network Load Balancer - Active and New Flows ### Host Health Status @@ -135,7 +108,7 @@ Use this dashboard to: * Get a quick overview of the number of healthy and unhealthy hosts. * Monitor trends around the number of unhealthy hosts to spot potential service disruptions that could warrant deeper investigation. -AWS Network Load Balancer dashboards +AWS Network Load Balancer - Host Health Status ### Errors 
@@ -145,7 +118,7 @@ Use this dashboard to: * Monitor TLS handshake errors during negotiation between a client and a TLS listener, which could happen if clients are sending an incorrect cipher or are using incorrect protocols not matching the one specified in the security policy. It’s recommended to use the most recent AWS CLI client version. * Monitor TLS handshake errors during negotiation between a TLS listener and a target. Possible causes for this error include a mismatch of ciphers or protocols. -AWS Network Load Balancer dashboards +AWS Network Load Balancer - Errors ### Reset (RST) Packets @@ -154,14 +127,14 @@ The **AWS Network Load Balancer - Reset (RST) Packets** dashboard provides detai Use this dashboard to monitor the number of RST packets. A high number of reset packets could indicate connections are getting dropped and could mean a disruption in service. -AWS Network Load Balancer dashboards +AWS Network Load Balancer - Reset (RST) Packets ### Processed Bytes The **AWS Network Load Balancer - Processed Bytes** dashboard provides detailed insights into the amount of bytes processed by the load balancer for total, UDP, TCP and TLS traffic. Use this dashboard to monitor trends around processed bytes to make sure they line up with expectations and then use that information to scale up or scale down backend hosts. -AWS Network Load Balancer dashboards +AWS Network Load Balancer - Processed Bytes ### Consumed LCUs @@ -172,7 +145,7 @@ The **AWS Network Load Balancer - Consumed LCUs** dashboard shows you the total You pay for the number of LCUs that you use per hour. ::: -AWS Network Load Balancer dashboards +AWS Network Load Balancer - Consumed LCUs ### CloudTrail Audit 
@@ -184,4 +157,34 @@ Use this dashboard to: * Investigate specific error events, including their details, frequency, and associated users, enabling faster troubleshooting and resolution of issues. * Identify the most common error types and the users experiencing highest failure rates, facilitating targeted improvements and user support. -AWS Network Load Balancer dashboards +AWS Network Load Balancer - CloudTrail Audit + +## Create monitors for AWS Network Load Balancer app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS Network Load Balancer alerts + +These alerts are available for the AWS Network Load Balancer app. + +| Alert Name | Alert Description and Conditions | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `AWS Network Load Balancer - Deletion Alert` | This alert fires when we detect greater than or equal to 2 network load balancers are deleted over a 5 minute time-period. | Count >= 2 | Count < 2 | +| `AWS Network Load Balancer - High TLS Negotiation Errors` | This alert fires when we detect that there are too many TLS Negotiation Errors (>=10%) within an interval of 5 minutes for a given network load balancer. | Percentage >= 10% | Percentage < 10% | +| `AWS Network Load Balancer - High Unhealthy Hosts` | This alert fires when we detect that there are too many unhealthy hosts (>=10%) within an interval of 5 minutes for a given network load balancer. | Percentage >= 10% | Percentage < 10% | +| `AWS Network Load Balancer - Targets Deregistered` | This alert fires when we detect greater than or equal to 1 target is de-registered over a 5 minute time-period. | Count >= 1 | Count < 1 | + + +## Upgrade/Downgrade the AWS API Gateway app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS API Gateway app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + 
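Review bot: The last two headings added to network-load-balancer.md read "Upgrade/Downgrade the AWS API Gateway app (Optional)" and "Uninstalling the AWS API Gateway app (Optional)"; they look copied from the API Gateway page and should name the AWS Network Load Balancer app. In the alerts table, the Deletion Alert description ("greater than or equal to 2 network load balancers are deleted") would read better as "when 2 or more network load balancers are deleted within a 5 minute period", and the same phrasing applies to the Targets Deregistered row. The line "These alerts are available for the AWS Network Load Balancer app." repeats the heading above it and can be dropped.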
diff --git a/docs/integrations/amazon-aws/rds.md b/docs/integrations/amazon-aws/rds.md index e105ebc9d6..5d3c248d63 100644 --- a/docs/integrations/amazon-aws/rds.md +++ b/docs/integrations/amazon-aws/rds.md @@ -424,38 +424,6 @@ Sumo Logic supports several methods for collecting logs from Amazon CloudWatch. Fields -### Field in Field Schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the `dbidentifier`, `proxyname` fields. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields#manage-fields). - -### Field Extraction Rule(s) - -Create a Field Extraction Rule for CloudTrail Logs. Learn how to create a Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule). - -```sql -Rule Name: AwsObservabilityRdsCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* eventname eventsource "rds.amazonaws.com" -``` - -```sumo title="Parse Expression" -| json "eventSource", "awsRegion", "requestParameters", "responseElements", "recipientAccountId" as eventSource, region, requestParameters, responseElements, accountid nodrop -| where eventSource = "rds.amazonaws.com" | "aws/rds" as namespace -| json field=requestParameters "dBInstanceIdentifier", "resourceName", "dBClusterIdentifier", "dBProxyName" as dBInstanceIdentifier1, resourceName, dBClusterIdentifier1, dBProxyName1 nodrop -| json field=responseElements "dBInstanceIdentifier", "dBClusterIdentifier", "dBProxy.dBProxyName", "dBProxyTargetGroup.dBProxyName" as dBInstanceIdentifier3, dBClusterIdentifier3, dBProxyName2, dBProxyName3 nodrop -| parse field=resourceName "arn:aws:rds:*:db:*" as f1, dBInstanceIdentifier2 nodrop -| parse field=resourceName "arn:aws:rds:*:cluster:*" as f1, dBClusterIdentifier2 nodrop -| if (resourceName matches "arn:aws:rds:*:db:*", dBInstanceIdentifier2, if (!isEmpty(dBInstanceIdentifier1), dBInstanceIdentifier1, dBInstanceIdentifier3) ) as dBInstanceIdentifier -| if (resourceName matches "arn:aws:rds:*:cluster:*", dBClusterIdentifier2, if (!isEmpty(dBClusterIdentifier1), dBClusterIdentifier1, dBClusterIdentifier3) ) as dBClusterIdentifier -| if (isEmpty(dBInstanceIdentifier), dBClusterIdentifier, dBInstanceIdentifier) as dbidentifier -| 
tolowercase(dbidentifier) as dbidentifier -| if (!isEmpty(dBProxyName1), dBProxyName1, if (!isEmpty(dBProxyName2), dBProxyName2, dBProxyName3)) as proxyname -| tolowercase(proxyname) as proxyname -| fields region, namespace, dBInstanceIdentifier, dBClusterIdentifier, dbidentifier, proxyname, accountid -``` - ### Centralized AWS CloudTrail log collection In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map a proper AWS account(s) friendly name/alias. Create it if not already present / update it as required. 
@@ -479,59 +447,34 @@ Enter a parse expression to create an “account” field that maps to the alias | fields account ``` -#### Create/Update Field Extraction Rule(s) for RDS CloudWatch logs +## Installing the RDS app +Now that you have set up a collection for **Amazon RDS**, install the Sumo Logic app to use the pre-configured [dashboards](#viewing-the-rds-dashboards) that provide visibility into your environment for real-time analysis of overall usage. -``` -Rule Name: AwsObservabilityGenericCloudWatchLogsFER -Applied at: Ingest Time -Scope (Specific Data): -account=* region=* (_sourceHost=/aws/* or _sourceHost=API*Gateway*Execution*Logs*) -Parse Expression: -if (isEmpty(namespace),"unknown",namespace) as namespace -| if (_sourceHost matches "/aws/lambda/*", "aws/lambda", namespace) as namespace -| if (_sourceHost matches "/aws/rds/*", "aws/rds", namespace) as namespace -| if (_sourceHost matches "/aws/ecs/containerinsights/*", "aws/ecs", namespace) as namespace -| if (_sourceHost matches "/aws/kinesisfirehose/*", "aws/firehose", namespace) as namespace -| if (_sourceHost matches "/aws/apigateway/*", "aws/apigateway", namespace) as namespace -| if (_sourceHost matches "API-Gateway-Execution-Logs*", "aws/apigateway", namespace) as namespace -| parse field=_sourceHost "/aws/lambda/*" as functionname nodrop | tolowercase(functionname) as functionname -| parse field=_sourceHost "/aws/rds/proxy/*" as proxyname nodrop -| parse field=_sourceHost "/aws/rds/instance/*/" as dbidentifier nodrop -| parse field=_sourceHost "/aws/rds/cluster/*/" as dbidentifier nodrop -| parse field=_sourceHost "/aws/apigateway/*/*" as apiid, stage nodrop -| parse field=_sourceHost "API-Gateway-Execution-Logs_*/*" as apiid, stage nodrop | apiid as apiName -| tolowercase(dbidentifier) as dbidentifier -| fields namespace, functionname, proxyname, dbidentifier, apiid, apiName -``` +import AppInstall from '../../reuse/apps/app-install-v2.md'; -### Metric Rules + -Create the following two Metric 
Rules for the aws/rds namespace if not already created. Learn how to create a Metrics Rule [here](/docs/metrics/metric-rules-editor#create-a-metrics-rule). +As part of the app installation process, the following fields will be created by default: -```sql title="Rule 1" -Rule name: AwsObservabilityRDSClusterMetricsEntityRule -Metric match expression: Namespace=AWS/RDS DBClusterIdentifier=* -Variable name: dbidentifier -Tag sequence: $DBClusterIdentifier._1 -Save it -``` +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for Amazon RDS service is aws/rds. +- `dbidentifier` The RDS database instance identifier. +- `dBInstanceIdentifier` The identifier of the RDS DB instance. +- `dBClusterIdentifier` The identifier of the RDS DB cluster. +- `proxyname` The name of the RDS Proxy. -```sql title="Rule 2" -Rule name: AwsObservabilityRDSInstanceMetricsEntityRule -Metric match expression: Namespace=AWS/RDS DBInstanceIdentifier=* -Variable name: dbidentifier -Tag sequence: $DBInstanceIdentifier._1 -Save it -``` +### Field Extraction Rule(s) -## Installing the RDS app +The FER **AwsObservabilityRDSCloudTrailLogsFER** to extract fields `region`, `namespace`, `dBInstanceIdentifier`, `dBClusterIdentifier`, `dbidentifier`, `proxyname`, and `accountid` will be created as a part of app installation. -Now that you have set up a collection for **Amazon RDS**, install the Sumo Logic app to use the pre-configured [dashboards](#viewing-the-rds-dashboards) that provide visibility into your environment for real-time analysis of overall usage. +The FER **AwsObservabilityRDSCloudWatchLogsFER** to extract fields `namespace`, `dbidentifier`, and `proxyname` will be created as a part of app installation. 
-import AppInstall from '../../reuse/apps/app-install.md'; +### Metric Rules - +The Metric Rules **AwsObservabilityRDSClusterMetricsRule** and **AwsObservabilityRDSInstanceMetricsRule** for the aws/rds namespace will be created as a part of app installation. ## Viewing the RDS dashboards @@ -546,7 +489,7 @@ Use this dashboard to: * Quickly identify problems in resource utilization. * Monitor database performance insights such as relative CPU load, non-CPU load, and overall database load. -Amazon RDS dashboard +Amazon RDS - Overview ### CloudTrail Audit Events @@ -558,7 +501,7 @@ Use this dashboard to: * Monitor the most active users working on RDS infrastructure, database engines used in the infrastructure, and various events invoked on RDS clusters. * Monitor requests from malicious IP addresses using Sumo Logic’s Threat Intel. -Amazon RDS dashboard +Amazon RDS - CloudTrail Audit Events ### Non-Describe CloudTrail Audit Events @@ -570,7 +513,7 @@ Use this dashboard to: * Monitor and track snapshot-related events performed on RDS instances. * Monitor and track changes to security groups associated with your RDS infrastructure. -Amazon RDS dashboard +Amazon RDS - Non-Describe CloudTrail Audit Events ### Overview By Database Instance @@ -580,7 +523,7 @@ Use this dashboard to: * Quickly identify performance or resource utilization issues in your RDS clusters. * Monitor resource utilization with trend panels for CPU usage, available memory, network receive and transmit throughput, read and write IOPS, available free storage, and database connections across your Amazon RDS clusters and database instances. -Amazon RDS dashboard +Amazon RDS - Overview By Database Instance ### Performance Insights 
@@ -591,7 +534,7 @@ Use this dashboard to: * Identify when the CPU is overloaded, so you can throttle connections to the instance, tune SQL queries with a high CPU load, or consider a larger instance class to remedy the situation. * Identify high and consistent instances of any wait state (Non-CPU Load) that indicate potential bottlenecks or resource contention issues that need to be resolved, which can be an issue even when the load doesn't exceed maximum CPU. -Amazon RDS dashboard +Amazon RDS - Performance Insights ### 03. Amazon RDS Aurora Generic @@ -604,7 +547,7 @@ Use this dashboard to: * Monitor the amount of storage used to ensure monitoring costs. * Monitor the percentage of requests that are served by the buffer cache to identify potential performance optimizations. -Amazon RDS dashboard +Amazon RDS - Aurora Generic ### Aurora MySQL @@ -617,7 +560,7 @@ Use this dashboard to: * Monitor replica lag between Aurora DB clusters that are replicating across different AWS Regions. * Monitor the number of login failures to the database for security monitoring. -Amazon RDS dashboard +Amazon RDS - Aurora MySQL ### Aurora MySQL Global Database and BackTrack Activity @@ -631,7 +574,7 @@ Use this dashboard to: * Monitor the amount of redo log data that is transferred from the master AWS region to secondary AWS regions. * Monitor the number of write I/O operations replicated from the primary AWS region to the cluster volume in a secondary AWS region in an Aurora Global Database. The billing calculations for the primary AWS region in a global database use AuroraGlobalDBReplicatedWriteIO to account for cross-region replication within the global database. -Amazon RDS dashboard +Amazon RDS - Aurora MySQL Global Database and Backtrack Activity ### MySQL Logs - Overview 
@@ -643,7 +586,7 @@ Use this dashboard to: * Get the number of failed and successful DB connections. * Get a quick breakdown of the protocol used for database connections. -Amazon RDS dashboard +Amazon RDS - MySQL Logs Overview ### MySQL Logs - Error Logs Analysis @@ -656,7 +599,7 @@ Use this dashboard to: * Monitor database instances starting up and being ready for connection events. * Monitor MySQL RDS Cluster replication events. -Amazon RDS dashboard +Amazon RDS - MySQL Logs Error Logs Analysis ### MySQL Logs - Slow Query Analysis @@ -670,7 +613,7 @@ Use this dashboard to: * Check if **SQL SELECT** type queries can be shifted to read replicas for better performance. * Monitor trends of slow queries and compare them with history to check if something different is happening or might have happened to decide the next step. -Amazon RDS dashboard +Amazon RDS - MySQL Logs Slow Query Analysis ### MySQL Logs - Audit Logs Analysis @@ -685,7 +628,7 @@ Use this dashboard to: * Identify typical user management activities being performed. * Quickly identify objects that are dropped. -Amazon RDS dashboard +Amazon RDS - MySQL Logs Audit Log Analysis ### MySQL Logs - Audit Log SQL Statements @@ -695,7 +638,7 @@ Use this dashboard to: * Identify the top SQL statements and commands being executed, along with trends. * Get details on various SQL statements/commands (DML, DDL, DCL, TCL) being executed. -Amazon RDS dashboard +Amazon RDS - MySQL Logs Audit Log SQL Statements ### MySQL Logs - General Log Analysis @@ -707,7 +650,7 @@ Use this dashboard to: * Monitor why certain things are failing by checking what exactly the client sent to the server to execute. * Monitor the type of SQL statements/queries (DML, DDL, DCL, TCL, and others) being sent by the client to execute. -Amazon RDS dashboard +Amazon RDS - MySQL Logs General Log Analysis ### PostgreSQL Logs - Overview 
@@ -719,7 +662,7 @@ Use this dashboard to: * Obtain user activity and query execution by the database. * Obtain the slow queries count and distribution based on user, command type, and host. -Amazon RDS dashboard +Amazon RDS - PostgreSQL Logs Overview ### PostgreSQL Logs - Errors @@ -731,7 +674,7 @@ Use this dashboard to: * Obtain recent and top fatal and error events. * Obtain recent queries running into error with the error message. -Amazon RDS dashboard +Amazon RDS - PostgreSQL Logs Errors ### PostgreSQL Logs - Slow Query Overview @@ -744,7 +687,7 @@ Use this dashboard to: * Obtain unique slow queries along with execution time, analysing minimum, maximum, average, and many more. * Obtain the time comparison between the number of slow queries and their execution time over 1 day or 1 week. -Amazon RDS dashboard +Amazon RDS - PostgreSQL Logs Slow Query Overview ### PostgreSQL Logs - Slow Query Details @@ -755,7 +698,7 @@ Use this dashboard to: * Obtain the frequently fired slow queries. * Monitor the recent DML, DDL, and TCL statements that lead to slow queries. -Amazon RDS dashboard +Amazon RDS - PostgreSQL Logs Slow Query Details ### PostgreSQL Logs - Security @@ -767,7 +710,7 @@ Use this dashboard to: * Monitor database shutdown and system up events. * Identify the default user's authentication and generic activities. -Amazon RDS dashboard +Amazon RDS - PostgreSQL Logs Security ### PostgreSQL Logs - Query Execution Time @@ -777,7 +720,7 @@ Use this dashboard to: * Obtain the number of queries executed and average query execution time by database. * Monitor time comparison for the number of queries executed and query execution time. -Amazon RDS dashboard +Amazon RDS - PostgreSQL Logs Query Execution Time ### MSSQL Logs - Error Logs - Logon Analysis 
@@ -787,7 +730,7 @@ Use this dashboard to: * Identify the authentication failures along with the reason for the user and client location that are used to connect. * Detect logon errors, including error codes, severity levels, and states. -Amazon RDS dashboard +Amazon RDS - MSSQL Logs Error Logs Logon Analysis ### MSSQL Logs - Error Logs - Infrastructure Overview @@ -799,7 +742,7 @@ Use this dashboard to: * Monitors `DBCC CHECKDB` checks. * Track recent terminations of SQL Server instances and monitor the creation of new databases. -Amazon RDS dashboard +Amazon RDS - MSSQL Logs Error Logs Infrastructure Overview ### Oracle Logs - Alert Logs Analysis @@ -810,7 +753,7 @@ Use this dashboard to: * Monitor ORA and TNS message events. * Monitor log switch activities, archival errors, tablespace extension issues, failures, warnings, and errors occurring on the Oracle RDS instance. -Amazon RDS dashboard +Amazon RDS - Oracle Logs Alert Logs Analysis ### Oracle Logs - Audit Logs Analysis @@ -820,7 +763,7 @@ Use this dashboard to: * Monitor successful and failed Amazon Oracle RDS events. * Monitor top usage by client, database user, and privileges on the Oracle RDS instance. -Amazon RDS dashboard +Amazon RDS - Oracle Logs Audit Logs Analysis ### Oracle Logs - Listener Troubleshooting @@ -831,7 +774,7 @@ Use this dashboard to: * Monitor listener process activity on the Oracle RDS instance. * Monitor database connections by host and application, track connection failures, analyze command execution statuses and trends, and gather insights from the Oracle Listener log. -Amazon RDS dashboard +Amazon RDS - Oracle Logs Listener Troubleshooting ## Viewing the RDS Proxy dashboards 
@@ -843,7 +786,7 @@ Use this dashboard to: * Monitor RDS Proxy availability and connection pool usage. * Track client and database connection metrics, including connection limits, Latency, and usage trends, to optimize performance and troubleshoot connectivity issues. -Amazon RDS dashboard +Amazon RDS - Proxy Overview ### Proxy - Client Connection Endpoint Performance @@ -855,7 +798,7 @@ Use this dashboard to: * Analyze connection setup latency and performance trends. * Gain insights into how applications interact with the database via the proxy to identify potential bottlenecks or security issues. -Amazon RDS dashboard +Amazon RDS - Proxy Client Connection Endpoint Performance ### Proxy - Query Endpoint Performance @@ -867,7 +810,7 @@ Use this dashboard to: * Analyze query response latency to identify performance issues. * Optimize database performance by evaluating proxy-handled query behavior. -Amazon RDS dashboard +Amazon RDS - Proxy Query Endpoint Performance ### Proxy - Target Performance @@ -879,7 +822,7 @@ Use this dashboard to: * Analyze transaction behavior and connection health. * Optimize performance and ensure reliable proxy-to-database interactions. -Amazon RDS dashboard +Amazon RDS - Proxy Target Performance ### Proxy - TargetRole Performance @@ -890,7 +833,7 @@ Use this dashboard to: * Analyze transaction behavior and connection health. * Optimize performance and ensure reliable proxy-to-database interactions. -Amazon RDS dashboard +Amazon RDS - Proxy TargetRole Performance ### Proxy - Audit @@ -902,7 +845,7 @@ Use this dashboard to: * Identify the most active proxies. * Gain visibility into changes and audit trail for proxy-managed database interactions. -Amazon RDS dashboard +Amazon RDS - Proxy Audit ### Proxy - Log Analysis 
@@ -914,4 +857,48 @@ Use this dashboard to: * Identify authentication issues, failures, and database availability problems. * Troubleshoot proxy operations effectively using log insights. -Amazon RDS dashboard +Amazon RDS - Proxy Log Analysis + +## Create monitors for Amazon RDS app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Amazon RDS alerts + +These alerts are available for the Amazon RDS app. + +| Alert Name | Alert Description and Conditions | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `Amazon RDS - High CPU Utilization` | This alert fires when we detect that the average CPU utilization for a database is high (>=85%) for an interval of 5 minutes. | Percentage >= 85% | Percentage < 85% | +| `Amazon RDS - High Disk Queue Depth` | This alert fires when the average disk queue depth for a database is high (>=5) for an interval of 5 minutes. Higher this value, higher will be the number of outstanding I/Os (read/write requests) waiting to access the disk, which will impact the performance of your application. | Count >= 5 | Count < 5 | +| `Amazon RDS - High Read Latency` | This alert fires when the average read latency of a database within a 5 minutes time interval is high (>=5 seconds). High read latency will affect the performance of your application. | Seconds >= 5 | Seconds < 5 | +| `Amazon RDS - High Write Latency` | This alert fires when the average write latency of a database within a 5 minute interval is high (>=5 seconds). High write latencies will affect the performance of your application. | Seconds >= 5 | Seconds < 5 | +| `Amazon RDS - Low Aurora Buffer Cache Hit Ratio` | This alert fires when the average RDS Aurora buffer cache hit ratio within a 5 minute interval is low (<= 50%). This indicates that a lower percentage of requests were served by the buffer cache, which could further indicate a degradation in application performance. 
| Percentage <= 50% | Percentage > 50% | +| `Amazon RDS - Low Burst Balance` | This alert fires when we observe a low burst balance (<= 50%) for a given database. A low burst balance indicates you won't be able to scale up as fast for burstable database workloads on gp2 volumes. | Percentage <= 50% | Percentage > 50% | +| `Amazon RDS - Low Free Storage` | This alert fires when the average free storage space of a RDS instance is low (< 512MB) for an interval of 15 minutes. | MB < 512 | MB >= 512 | +| `Amazon RDS - Low Freeable Memory` | This alert fires when the average Freeable memory of an RDS instance is < 128 MB for an interval of 15 minutes. If this value is lower you may need to scale up to a larger instance class. | MB <= 128 | MB > 128 | +| `Amazon RDS MSSQL - Authentication failures from the same client IP on multiple databases` | This alert fires when we detect a specific client IP attempting authentication failures on more than or equal to 10 databases over a 15 minute time-period. | Count >= 1 | Count < 1 | +| `Amazon RDS MSSQL - Database observing authentication failures from multiple client IPs` | This alert fires when we detect more than or equal to 10 client IPs attempting authentication failures on the database over a 15-minute period. | Count >= 1 | Count < 1 | +| `Amazon RDS MySQL - Excessive Slow Query Detected` | This alert fires when we detect the average time to execute a query is more than 5 seconds over last 10 minutes. | Count >= 1 | Count < 1 | +| `Amazon RDS MySQL - High Authentication Failure` | This alert fires when we detect more than 10 authentication failures over a 5 minute time-period. | Count > 10 | Count <= 10 | +| `Amazon RDS - Oracle Logs - DB Crash` | This alert fires when we detect greater than or equal to 1 Oracle DB crash over a 5 minute time-period. 
| Count >= 1 | Count < 1 | +| `Amazon RDS - Oracle Logs - Failed Connection Attempts` | This alert fires when we detect greater than or equal to 25 failed connection attempts over a 5 minute time-period. | Count >= 25 | Count < 25 | +| `Amazon RDS PostgreSQL - Excessive Slow Query Detected` | This alert fires when we detect the average time to execute a query is more than 5 seconds over a 10 minutes. | Count > 0 | Count <= 0 | +| `Amazon RDS PostgreSQL - High Authentication Failure` | This alert fires when we detect more than 10 authentication failures in Postgres logs over a 5 minute time-period. | Count > 10 | Count <= 10 | +| `Amazon RDS PostgreSQL - High Errors` | This alert fires when we detect high number (>10) of error/fatal logs in Postgres logs over a 5 minutes time period. | Count > 10 | Count <= 10 | +| `Amazon RDS PostgreSQL - Statement Timeouts` | This alert fires when we detect Postgres logs show statement timeouts. | Count > 0 | Count <= 0 | +| `Amazon RDS - Unencrypted RDS resources created` | This alert fires when an CreateDBCluster or CreateDBInstance CloudTrail event is detected where StorageEncrypted is not set to true, indicating an unencrypted RDS resource was created. | Count >= 1 | Count < 1 | + +## Upgrade/Downgrade the AWS API Gateway app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS API Gateway app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/amazon-aws/sns.md b/docs/integrations/amazon-aws/sns.md index a4d9504ea1..d349030cbb 100644 --- a/docs/integrations/amazon-aws/sns.md +++ b/docs/integrations/amazon-aws/sns.md 
@@ -103,42 +103,6 @@ account={{account}} region={{region}} namespace={{namespace}} TopicName={{topicn * **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. 2. Click **Save**. -### Field in Field Schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the `"topicname"` field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields#manage-fields). - -### Field Extraction Rule(s) - -Create a Field Extraction Rule for CloudTrail Logs. Learn how to create a Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule). - -```sql -Rule Name: AwsObservabilitySNSCloudTrailLogsFER -Applied at: Ingest Time -Scope (Specific Data): account=* eventname eventsource \"sns.amazonaws.com\" -``` - -**Parse Expression**: - -```sumo -| json "userIdentity", "eventSource", "eventName", "awsRegion", "recipientAccountId", "requestParameters", "responseElements" as userIdentity, event_source, event_name, region, recipient_account_id, requestParameters, responseElements nodrop -| where event_source = "sns.amazonaws.com" -| json field=userIdentity "accountId", "type", "arn", "userName" as accountid, type, arn, username nodrop -| parse field=arn ":assumed-role/*" as user nodrop -| parse field=arn "arn:aws:iam::*:*" as accountid, user nodrop -| json field=requestParameters "topicArn", "name", "resourceArn", "subscriptionArn" as req_topic_arn, req_topic_name, resource_arn, subscription_arn nodrop -| json field=responseElements "topicArn" as res_topic_arn nodrop -| if (isBlank(req_topic_arn), res_topic_arn, req_topic_arn) as topic_arn -| if (isBlank(topic_arn), resource_arn, topic_arn) as topic_arn -| parse field=topic_arn "arn:aws:sns:*:*:*" as region_temp, accountid_temp, topic_arn_name_temp nodrop -| parse field=subscription_arn "arn:aws:sns:*:*:*:*" as region_temp, accountid_temp, topic_arn_name_temp, arn_value_temp nodrop -| if (isBlank(req_topic_name), topic_arn_name_temp, req_topic_name) as topicname -| if (isBlank(accountid), recipient_account_id, accountid) as accountid -| "aws/sns" as namespace -| fields region, namespace, 
topicname, accountid -``` - ## Centralized AWS CloudTrail Log Collection In case, you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following **Field Extraction Rule** to map a proper AWS account(s) friendly name/alias. Create it if not already present or update it as required. @@ -160,10 +124,22 @@ In case, you have a centralized collection of CloudTrail logs and are ingesting Now that you have set up collection for Amazon SNS, install the Sumo Logic app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall from '../../reuse/apps/app-install-v2.md'; +As part of the app installation process, the following fields will be created by default: + +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for Amazon SNS service is aws/sns. +- `topicname` Amazon SNS a Topic Name. + +## Field Extraction Rule(s) + +The FER **AwsObservabilitySNSCloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `topicname` will be created as a part of app installation. + ## Viewing Amazon SNS dashboards ### Overview @@ -176,7 +152,7 @@ The **Amazon SNS - Overview** dashboard provides insights across CloudTrail even * Monitor number of messages and messages by publish size. * Monitor delivered and failed notifications. -Amazon SNS +Amazon SNS - Overview ### Amazon SNS - Audit Events @@ -189,7 +165,7 @@ Use this dashboard to: * Monitor successful and error events with error code in detail. * Get details of active topic names and users of both successful and error events. -Amazon SNS +Amazon SNS - Audit Events ### Amazon SNS - Messages, Notifications 
@@ -203,7 +179,7 @@ Use this dashboard to: * Compare messages published and message size by today, yesterday, last week. * Compare notifications delivered and failed by today, yesterday, last week. -Amazon SNS +Amazon SNS - Messages, Notifications ### Amazon SNS - Threat Intel @@ -214,7 +190,7 @@ The **Amazon SNS - Threat Intel** dashboard provides insights across threat loca * Get details of threats by malicious confidence and malicious IPs. * Get details of all threats by IPs. -Amazon SNS +Amazon SNS - Threat Intel ### Amazon SNS - Audit Events Details 
@@ -225,4 +201,35 @@ Use this dashboard to: * Get all details of all subscription events. * Get details of all read only and non read only events. -Amazon SNS +Amazon SNS - Audit Events Details + +## Create monitors for AWS SNS app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS SNS alerts + +These alerts are available for the AWS SNS app. + +| Alert Name | Alert Description and Conditions | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `AWS SNS - Access from Highly Malicious Sources` | This alert fires when an Application AWS - SNS is accessed from highly malicious IP addresses within last 5 minutes. | Count > 0 | Count <= 0 | +| `AWS SNS - Failed Events` | This alert fires when an SNS app has high number of failed events (>5) within last 5 minutes. | Count > 5 | Count <= 5 | +| `AWS SNS - Failed Notifications` | This alert fires where there are many failed notifications (>=5) within an interval of 5 minutes. | Count > 2 | Count <= 2 | +| `AWS SNS - Notification to DLQ` | This alert fires when an SNS topic messages are moved to a dead-letter queue. | Count > 0 | Count <= 0 | +| `AWS SNS - Notification to DLQ Failure` | This alert fires when an SNS topic messages that couldn't be moved to a dead-letter queue. | Count > 0 | Count <= 0 | + + +## Upgrade/Downgrade the AWS API Gateway app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS API Gateway app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/amazon-aws/sqs.md b/docs/integrations/amazon-aws/sqs.md index 57c34e69a3..264655977a 100644 --- a/docs/integrations/amazon-aws/sqs.md +++ b/docs/integrations/amazon-aws/sqs.md 
@@ -126,34 +126,6 @@ Sumo Logic supports collecting metrics using two source types: * **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**. 2. Click **Save**. -## Field in Field Schema - -1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Fields**. You can also click the **Go To...** menu at the top of the screen and select **Fields**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Fields**. -1. Search for the `queuename` field. -1. If not present, create it. Learn how to create and manage fields [here](/docs/manage/fields/#manage-fields). - -## Field Extraction Rule(s) -Create a Field Extraction Rule for CloudTrail Logs. Learn how to create a Field Extraction Rule [here](/docs/manage/field-extractions/create-field-extraction-rule). - -* **Rule Name**: AwsObservabilitySQSCloudTrailLogsFER -* **Applied at**: Ingest Time -* **Scope (Specific Data)**: account=* eventname eventsource "sqs.amazonaws.com" -* **Parse Expression**: - -```sumo -json "userIdentity", "eventSource", "eventName", "awsRegion", "recipientAccountId", "requestParameters", "responseElements", "sourceIPAddress" as userIdentity, event_source, event_name, region, recipient_account_id, requestParameters, responseElements, src_ip nodrop -| json field=userIdentity "accountId", "type", "arn", "userName" as accountid, type, arn, username nodrop -| json field=requestParameters "queueUrl" as queueUrlReq nodrop -| json field=responseElements "queueUrl" as queueUrlRes nodrop -| where event_source="sqs.amazonaws.com" -| if(event_name="CreateQueue", queueUrlRes, queueUrlReq) as queueUrl -| parse regex field=queueUrl "(?[^\/]*$)" -| if (isBlank(recipient_account_id), accountid, recipient_account_id) as accountid -|! toLowerCase(queuename) as queuename -| "aws/sqs" as namespace -| fields region, namespace, queuename, accountid -``` - ## Centralized AWS CloudTrail Log Collection In case you have a centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following **Field Extraction Rule** to map a proper AWS account(s) friendly name/alias. Create it if not already present/update it as required. 
@@ -176,10 +148,22 @@ In case you have a centralized collection of CloudTrail logs and are ingesting t Now that you have set up collection for Amazon SQS, install the Sumo Logic app to use the pre-configured dashboards that provide visibility into your environment for real-time analysis of overall usage. -import AppInstall from '../../reuse/apps/app-install.md'; +import AppInstall from '../../reuse/apps/app-install-v2.md'; +As part of the app installation process, the following fields will be created by default: + +- `account` Name / alias to the AWS account. +- `accountid` AWS account id. +- `region` The region to which the resource name belongs to. +- `namespace` Namespace for Amazon SQS Service is AWS/SQS. +- `queuename` Amazon SQS Service Queue Name. + +## Field Extraction Rule(s) + +The FER **AwsObservabilitySQSCloudTrailLogsFER** to extract fields `region`, `namespace`, `accountid`, and `queuename` will be created as a part of app installation. + ## Viewing Amazon SQS dashboards Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications. 
@@ -231,3 +215,45 @@ Use this dashboard to: * Get details of all threats by IPs. 3. Amazon SQS - Threat Intel + +### Performance Trends + +The **1. Amazon SQS - Performance Trends** dashboard provides derived performance insights including true consumer lag, empty receive rate trends, and cross-queue rankings by backlog and message staleness. + +Use this dashboard to: +* Monitor true consumer lag by tracking combined visible and delayed messages in the backlog. +* Identify queues with high empty receive rates to optimize polling behavior and reduce costs. +* Rank queues by consumer backlog size to prioritize capacity planning. +* Identify message staleness risks by tracking the age of the oldest message per queue. + +1. Amazon SQS - Performance Trends + +## Create monitors for AWS SQS app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS SQS alerts + +These alerts are available for the AWS SQS app. + +| Alert Name | Alert Description and Conditions | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `AWS SQS - Access from Highly Malicious Sources` | This alert fires when an Application AWS - SQS is accessed from highly malicious IP addresses within last 5 minutes. | Count > 0 | Count <= 0 | +| `AWS SQS - Message processing not fast enough` | This alert fires when we detect message processing is not fast enough. That is, the average approximate age of the oldest non-deleted message in the queue is more than 5 seconds for an interval of 5 minutes. | Seconds > 5 | Seconds <= 5 | +| `AWS SQS - Messages not processed` | This alert fires when we detect messages that have been received by a consumer, but have not been processed (deleted/failed). That is, the average number of messages that are in flight are >=20 for an interval of 5 minutes. | Count >= 20 | Count < 20 | +| `AWS SQS - Queue has stopped receiving messages` | This alert fires when we detect that the queue has stopped receiving messages. 
That is, the average number of messages received in the queue <1 for an interval of 30 minutes. | Count < 1 | Count >= 1 | + + +## Upgrade/Downgrade the AWS API Gateway app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS API Gateway app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/sidebars.ts b/sidebars.ts index d1b757a8b7..f7c644a769 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2153,6 +2153,7 @@ integrations: [ collapsed: true, link: {type: 'doc', id: 'integrations/amazon-aws/index'}, items: [ + 'integrations/amazon-aws/amazon-overview', 'integrations/amazon-aws/amazon-appflow', 'integrations/amazon-aws/amazon-appstream2', 'integrations/amazon-aws/amazon-athena', diff --git a/static/img/integrations/amazon-aws/Amazon-Overview-AWS-Account-Overview.png b/static/img/integrations/amazon-aws/Amazon-Overview-AWS-Account-Overview.png new file mode 100644 index 0000000000..7c22989358 Binary files /dev/null and b/static/img/integrations/amazon-aws/Amazon-Overview-AWS-Account-Overview.png differ diff --git a/static/img/integrations/amazon-aws/Amazon-Overview-AWS-Region-Overview.png b/static/img/integrations/amazon-aws/Amazon-Overview-AWS-Region-Overview.png new file mode 100644 index 0000000000..f18b6ed9b0 Binary files /dev/null and b/static/img/integrations/amazon-aws/Amazon-Overview-AWS-Region-Overview.png differ diff --git a/static/img/integrations/amazon-aws/amazon-overview.png b/static/img/integrations/amazon-aws/amazon-overview.png new file mode 100644 index 0000000000..b3e069a749 Binary files /dev/null and b/static/img/integrations/amazon-aws/amazon-overview.png differ
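Review bot: In the Amazon RDS dashboard hunks `@@ -631,7 +574,7 @@` and `@@ -685,7 +628,7 @@`, the new labels do not match the headings they sit under. The label reads `Backtrack Activity` while the heading is `### Aurora MySQL Global Database and BackTrack Activity`, and the label reads `MySQL Logs Audit Log Analysis` while the heading is `### MySQL Logs - Audit Logs Analysis`. Align each label with its heading so that a search for the dashboard name finds both.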
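Review bot: In the Amazon RDS hunk `@@ -914,4 +857,48 @@`, several rows of the new alerts table state a threshold in the description that the Alert Condition column does not match. `Amazon RDS - Low Freeable Memory` says `< 128 MB` in the description but `MB <= 128` in the condition. The two `Amazon RDS MSSQL` authentication-failure rows describe a threshold of 10 (databases, or client IPs) yet list `Count >= 1`; if that count is the number of result rows after aggregation, say so in the description, because these are the detections readers will tune. The closing headings `## Upgrade/Downgrade the AWS API Gateway app (Optional)` and `## Uninstalling the AWS API Gateway app (Optional)` look copied from the API Gateway page and should name the Amazon RDS app. Smaller wording fixes: `an CreateDBCluster` should be `a CreateDBCluster`, and `over a 10 minutes` in the PostgreSQL slow-query row needs correcting.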
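Review bot: In sns.md hunk `@@ -160,10 +124,22 @@`, the new `## Field Extraction Rule(s)` section only states that **AwsObservabilitySNSCloudTrailLogsFER** will be created, while hunk `@@ -103,42 +103,6 @@` deletes the rule's scope and full parse expression. Readers then have no way to check what the installed rule extracts or to recreate it if it is missing or modified. Keep the scope and parse expression for reference (a collapsed block would do), or link to where the installed definition can be inspected. In the field list, `Amazon SNS a Topic Name.` is garbled; something like `Amazon SNS topic name.` reads correctly. The section also moves from `###` to `##` and now sits after the app install import, so confirm the heading level fits the page outline.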
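Review bot: In sns.md hunk `@@ -225,4 +201,35 @@`, the `AWS SNS - Failed Notifications` row describes the trigger as many failed notifications `(>=5)` but lists the condition as `Count > 2` with recovery at `Count <= 2`; one of the two is wrong and should be reconciled with the shipped monitor. The headings `## Upgrade/Downgrade the AWS API Gateway app (Optional)` and `## Uninstalling the AWS API Gateway app (Optional)` should name the SNS app. The section also mixes `AWS SNS` with the `Amazon SNS` naming used by the rest of the page; pick one if the monitor names allow it. The file now ends with `\ No newline at end of file`; add a trailing newline.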
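Review bot: In sqs.md hunk `@@ -176,10 +148,22 @@`, the added field description says `Namespace for Amazon SQS Service is AWS/SQS`, but the parse expression deleted in hunk `@@ -126,34 +126,6 @@` sets `"aws/sqs" as namespace` in lower case, and the matching SNS text in this patch uses `aws/sns`. Document the value exactly as the rule writes it, since readers will copy it into query scopes. As with the SNS page, the scope and parse expression for **AwsObservabilitySQSCloudTrailLogsFER** are removed with no reference left behind; consider keeping them or linking to the installed rule so it can be verified.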
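Review bot: In sqs.md hunk `@@ -231,3 +215,45 @@`, the new dashboard is numbered `1. Amazon SQS - Performance Trends` but is added directly after `3. Amazon SQS - Threat Intel`, so the numbering runs out of order and may collide with an existing dashboard 1; renumber it or move the section to match. The headings `## Upgrade/Downgrade the AWS API Gateway app (Optional)` and `## Uninstalling the AWS API Gateway app (Optional)` should name the SQS app. The file ends with `\ No newline at end of file`; add a trailing newline.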