How to Install and Set Up an AWS CloudWatch Windows Agent

choubertsprojects


AWS CloudWatch is a monitoring service that provides real-time visibility into and management of your AWS resources. You can use it to continuously monitor and alert on key metrics such as CPU utilization, storage usage, network bandwidth, and error rates. However, if you are not an advanced user or have never installed the agent before, there is a good chance you won’t be able to install it correctly by yourself.


Look no farther than Amazon CloudWatch if you need a single location to store and manage your AWS logs. CloudWatch is a useful tool that aids event correlation and is essential for keeping visibility throughout your technological infrastructure.

Because Elastic Compute Cloud (EC2) Instances often execute essential workloads, log visibility is crucial, and integrating EC2 with CloudWatch makes perfect sense.

In this article, you’ll learn how to set up the CloudWatch Agent, a component of CloudWatch, on your AWS EC2 instances. The agent will then submit selected logs to AWS CloudWatch for additional inspection once enabled.

Prerequisites

This page will serve as a guide. You’ll need the following items if you want to follow along step-by-step:

The development of IAM policies and AWS Application Programming Interface (API) permissions is not covered in this article. When authorizing accounts to conduct activities, always follow the principle of least privilege.

  • Access to an EC2 Instance running a supported operating system as an administrator. This lesson will be performed on a Windows Server 2019 EC2 Instance.

Establishing an IAM Role

An IAM role is required for CloudWatch to interact with an EC2 instance. If set appropriately for least privilege, an IAM role enables CloudWatch to function effectively while removing superfluous permissions.

Let’s start this tutorial by establishing an IAM role for CloudWatch in the AWS Management Console that leverages an AWS Managed Policy. This policy will authorize your EC2 Instance to make calls to CloudWatch.

To enable your EC2 Instance to connect with CloudWatch, you’ll need to setup an IAM role.

1. Launch your web browser.

2. Sign in to your AWS account using your AWS (root) or IAM account credentials by going to the AWS Management Console.

3. In the top left-hand corner of your screen, click Services.

The services drop-down menu in the AWS Management Console.

4. Next, click IAM from the Services drop-down menu located under the Security, Identity, & Compliance category. This option will take you to the IAM console.

The services drop-down menu and IAM option in the AWS Management Console.

5. Select Roles from the Access Management category’s menu on the left-hand side of the screen.

Roles selection in the IAM console.

6. At the top of your screen, pick Create Role from the Roles panel.

A notice describing what an IAM role is may appear at the top of your screen. If that’s the case, look underneath the notification for the Create Role option.

The Create Role option in the IAM console’s Roles section.

7. Select AWS Service as the Type of Trusted Entity on the Create Role page. AWS Service roles enable AWS services to engage with other resources on your behalf (for example, CloudWatch).

AWS Service option in the Create Role menu.

8. Because the CloudWatch Agent will be installed on an EC2 Instance and interact with CloudWatch, choose the EC2 option from the list of use cases.

Create a role menu with an EC2 option.

9. Select the EC2 option from the list of use cases, then Next: Permissions.

EC2 and Next: Permissions options in the Create Role menu.

10. On the permissions page, type “CloudWatchAgentServerPolicy” into the search field, then check the box to the left of the Policy Name for CloudWatchAgentServerPolicy. Select Next: Tags after checking the box.

CloudWatchAgentServerPolicy and Next: Tags options in the attach permissions and policy menu.

The CloudWatchAgentServerPolicy grants list, read, and write access to your EC2 Instance, allowing it to collect and report metrics and logs to CloudWatch. The JavaScript Object Notation (JSON) for the policy is displayed below. Refer to the AWS documentation for further information on JSON policy components.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
        }
    ]
}

11. This tutorial will skip applying tags to this role and instead leave the Key and Value fields blank before pressing Next: Review. Tags are key/value pairs that may be used to manage and organize resources in AWS.

Next: Review selection from the Tags menu.

12. Choose Create Role and give your role a distinctive name. The Role name for this tutorial is EC2CloudWatchAgentRole, as seen in the picture below.

Role Name and Create Role options in the Review menu.

13. Look at the top of your screen for a success message. As illustrated below, you should receive a notification that indicates the IAM role’s name.

A successful role creation notification appears.

Excellent job! To connect with the CloudWatch and CloudWatch Log services, your EC2 Instance will use the IAM role you configured!

IAM Role Attachment

It’s time to attach your IAM role to your EC2 instance now that you’ve created it and attached the relevant IAM policy. To add the IAM role to your EC2 instance, follow these steps:

1. Click Services in the top left-hand corner of your screen, assuming you’re still in the AWS Management Console.

The services drop-down menu in the AWS Management Console.

2. Under All services, choose EC2. This will take you to the Amazon EC2 console.

AWS Management Console with EC2 option and services drop-down menu.

3. From the Instances category on the left-hand side of the screen, choose Instances.

Instances selection in the EC2 Console.

4. In the Instances window, check the box to the left of the EC2 Instance on which the CloudWatch Agent will be installed.

The EC2 Instances pane displays the available EC2 Instances.

5. Select Actions —> Security —> Modify IAM Role. The Modify IAM Role option brings you to a menu that allows you to select and attach the IAM role created earlier in this tutorial.

Modify IAM Role option in the EC2 console.

6. Now, from the drop-down box, pick the role you defined previously in this article (EC2CloudWatchAgentRole), and then click Save.

The IAM Role Modification menu, which includes the IAM Role and Save options.

7. Check the success message at the top of your screen to see whether the role is assigned to your EC2 Instance. The IAM role name and the EC2 instance’s Instance ID are included in the success message. This tutorial’s IAM Role name EC2CloudWatchAgentRole and Instance ID i-0eae2dd63c30c94c2 are displayed in the picture below.

A successful IAM Role attachment is shown in the message.

Excellent job! Your EC2 Instance may now connect with the relevant CloudWatch services thanks to the IAM role attached to it.

Downloading the CloudWatch Agent

Now you can download the CloudWatch Agent from Amazon’s Simple Storage Service (S3) to your EC2 Instance. The CloudWatch agent can be downloaded via a web browser; however, PowerShell will be used in this tutorial.

Using PowerShell, download the agent:

1. Use Remote Desktop or Session Manager to connect to an EC2 instance.

2. Open a Windows PowerShell console session once you can see the Windows desktop.

3. Next, use PowerShell’s Invoke-WebRequest cmdlet to obtain the CloudWatch Agent installation package. The amazon-cloudwatch-agent.msi installation package will be downloaded to your desktop using this cmdlet.

# Save the CloudWatch Agent installation package to the user's desktop.
Invoke-WebRequest -Uri https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi -OutFile $env:USERPROFILE\Desktop\amazon-cloudwatch-agent.msi

4. Using PowerShell’s Test-Path cmdlet, verify that the amazon-cloudwatch-agent.msi installation package exists.

# Verify that the Amazon CloudWatch Agent package was downloaded.
Test-Path -Path $env:USERPROFILE\Desktop\amazon-cloudwatch-agent.msi

If True is returned, your download was successful!

Excellent job! You downloaded the Amazon CloudWatch Agent to your EC2 instance.

Installing the CloudWatch Agent

You downloaded the CloudWatch Agent, amazon-cloudwatch-agent.msi, to your desktop in the previous step. Let’s get the CloudWatch agent installed on your EC2 instance.

To install the agent while remaining on the EC2 instance’s console, do the following:

1. Open a PowerShell console as an administrator.

2. Next, use msiexec to launch the CloudWatch Agent MSI installation. msiexec is a native Windows application that installs MSI packages. To install amazon-cloudwatch-agent.msi from your desktop, use the command below with the install (/i) option.

# Install the CloudWatch Agent
msiexec /i $env:USERPROFILE\Desktop\amazon-cloudwatch-agent.msi

3. After you run the command, a window with a progress bar will open. The installation takes only a few seconds to complete. Let it finish before going on to the next phase.

The Windows Installer window displays the installation status.

Quick and simple! The CloudWatch agent has been successfully deployed.
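The download and install steps above, combined with a signature check before the package is run. This is an added example, not part of the original tutorial: it assumes the MSI carries an Authenticode signature, and the signer pattern and log path are assumptions to adjust for your environment.

```powershell
# Added example: download, verify the publisher signature, then install.
$ErrorActionPreference = 'Stop'
$uri = 'https://s3.amazonaws.com/amazoncloudwatch-agent/windows/amd64/latest/amazon-cloudwatch-agent.msi'
$msi = Join-Path $env:USERPROFILE 'Desktop\amazon-cloudwatch-agent.msi'
$log = Join-Path $env:TEMP 'amazon-cloudwatch-agent-install.log'   # hypothetical log location
# Assumption: match this to the publisher shown on the file's Digital Signatures tab.
$expectedSigner = '*Amazon Web Services*'

# Windows PowerShell 5.1 can default to older TLS versions; require TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $uri -OutFile $msi -UseBasicParsing

# The signature must be intact and chain to a root this host trusts.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    Remove-Item -Path $msi -Force
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Subject -notlike $expectedSigner) {
    Remove-Item -Path $msi -Force
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Record the hash so the installed build can be tied back to this download.
$hash = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
Write-Output "Signer : $($sig.SignerCertificate.Subject)"
Write-Output "SHA256 : $hash"

# Quiet install with a verbose log. msiexec returns 0 on success
# and 3010 when the install succeeded but a reboot is required.
$p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList @('/i', "`"$msi`"", '/qn', '/l*v', "`"$log`"")
if ($p.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($p.ExitCode); see $log"
}
```

Run it from an elevated PowerShell session; an unsigned or tampered package is deleted and never reaches msiexec.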

Configuring & Activating the CloudWatch Agent

After you’ve installed the CloudWatch Agent, you’ll need to tell it what data to gather and where to deliver it. The JSON-based CloudWatch Agent Configuration File contains this configuration. The CloudWatch agent comes with a configuration wizard to help you create the configuration file.

The CloudWatch agent setup wizard isn’t the only method to create and change the file. Manually creating or editing the configuration file is also an option.

To start the process and setup the CloudWatch agent, follow these steps.

1. Open a PowerShell console as an administrator.

2. Run the following code snippet to start amazon-cloudwatch-agent-config-wizard.exe. The executable runs a menu-driven wizard inside your PowerShell console session.

# Launch the amazon-cloudwatch-agent-config-wizard.exe executable
& $env:ProgramFiles\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-config-wizard.exe

3. Next, select the choices you want to apply to the configuration file. The tutorial’s selections leave the metric collection settings at their defaults and change the Windows event log option to collect and transmit Security events.

When asked whether you wish to save the configuration in the SSM Parameter Store, be sure to change the answer from the default setting to 2. The value of 2 indicates to the setup wizard that you do not want the configuration stored in Parameter Store. This lesson does not cover how to use the Parameter Store.

  • Which operating system do you want to run the agent on? (Windows by default)
  • Do you use EC2 or on-premises servers? (EC2 by default)
  • Do you want to start the StatsD daemon? (Yes by default)
  • What port should the StatsD daemon listen to? (Default: 8125)
  • What is the StatsD daemon’s collect interval? (Default: ten seconds)
  • What is the StatsD daemon’s aggregation interval for metrics collected? (60s by default)
  • Do you have a CloudWatch Log Agent configuration file that you can use to migrate? (No by default)
  • Do you want to keep track of any host metrics? CPU, RAM, and so forth. (Yes by default)
  • Do you wish to keep track of per-core CPU metrics? There may be additional CloudWatch fees. (Yes by default)
  • Do you wish to include EC2 dimensions (ImageId, InstanceId, InstanceType, AutoScalingGroupName) in all of your metrics if the data is available? (Yes by default)
  • Would you like to gather high-resolution metrics? This provides sub-minute resolution for all metrics; however, you can customize individual metrics in the output JSON file. (60s by default)
  • Which of the default metrics configurations do you prefer? (Basic by default)
  • Are you happy with the above configuration? It may be manually adjusted after the wizard completes to add more items. (Yes by default)
  • Do you wish to monitor any specific log files? (Customized: 2 (no))
  • Do you wish to monitor any Windows event logs? (Yes by default)
  • Name of the Windows event log: (Customized: Security)
  • Do you wish to monitor VERBOSE level events for the Security Windows event log? (Yes by default)
  • Do you wish to monitor INFORMATION level events for the Security Windows event log? (Yes by default)
  • Do you wish to monitor WARNING level events for the Security Windows event log? (Yes by default)
  • Do you wish to monitor ERROR level events for the Security Windows event log? (Yes by default)
  • Do you wish to monitor CRITICAL level events for the Security Windows event log? (Yes by default)
  • Name of log group: (Default: Security)
  • Log stream name: (Default: [instance id])
  • Which format do you want to log Windows events in CloudWatch? (Default: XML, the format used in Windows Event Viewer)
  • Would you like to monitor any further Windows event logs? (Customized: 2 (no))
  • Do you want the configuration to be saved in the SSM parameter store? (Customized: 2 (no))

4. Run the provided amazon-cloudwatch-agent-ctl.ps1 PowerShell script to apply the CloudWatch agent settings. The following code snippet tells the CloudWatch Agent to get the agent configuration from $env:ProgramFiles\Amazon\AmazonCloudWatchAgent\config.json.

# Apply CloudWatch Agent Configuration
& $env:ProgramFiles\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1 -a fetch-config -m ec2 -c file:$env:ProgramFiles\Amazon\AmazonCloudWatchAgent\config.json -s

The command’s intended output is displayed below. The agent successfully retrieved the configuration and verified it, as seen in the accompanying snapshot. The script restarts the agent after validating the settings.

The CloudWatch Agent configuration was successfully deployed, according to the command output.

Excellent job! Your EC2 instance now has the CloudWatch agent installed and configured! Metrics and log data are now being transmitted to the CloudWatch service if you followed along!

Next Steps

You installed and configured Amazon’s CloudWatch agent on an EC2 Instance running Windows using the command line in this tutorial. In the CloudWatch console, you should now be able to see the metrics and logs generated by your EC2 Instance.

To push Windows Application logs into CloudWatch, try manually editing the CloudWatch agent config.json file. To prevent needless expenses, delete the CloudWatch Agent after you’ve finished exploring.
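One way to make the manual config.json edit suggested above, as an added example that is not from the original tutorial. It assumes the wizard run described earlier already created a windows_events section; the Application log group name and the chosen event levels are constructed values.

```powershell
# Added example: append an Application event log collector to the wizard's config.json.
$ErrorActionPreference = 'Stop'
$agentDir = Join-Path $env:ProgramFiles 'Amazon\AmazonCloudWatchAgent'
$cfgPath  = Join-Path $agentDir 'config.json'

$cfg = Get-Content -Path $cfgPath -Raw | ConvertFrom-Json

# Assumption: the wizard created logs.logs_collected.windows_events (the Security log).
$events = $cfg.logs.logs_collected.windows_events
if (-not $events) { throw "No windows_events section found in $cfgPath" }

# Add the collector only once so that re-running the script changes nothing.
if ($events.collect_list.event_name -notcontains 'Application') {
    $events.collect_list += [pscustomobject]@{
        event_name      = 'Application'
        event_levels    = @('WARNING', 'ERROR', 'CRITICAL')   # constructed choice
        log_group_name  = 'Application'                        # hypothetical group name
        log_stream_name = '{instance_id}'
        event_format    = 'xml'
    }
}

# Keep a backup, then write UTF-8 without a BOM so the file stays plain JSON.
Copy-Item -Path $cfgPath -Destination "$cfgPath.bak" -Force
$json = $cfg | ConvertTo-Json -Depth 10
[System.IO.File]::WriteAllText($cfgPath, $json, (New-Object System.Text.UTF8Encoding $false))

# Re-apply the configuration; -s restarts the agent after validation.
& (Join-Path $agentDir 'amazon-cloudwatch-agent-ctl.ps1') -a fetch-config -m ec2 -c "file:$cfgPath" -s
```

If the agent rejects the edited file, restore config.json.bak and apply it again with the same fetch-config command.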
