AWS CloudWatch integration ►

Moogsoft Cloud can collect both time series metrics and alarms from AWS CloudWatch. Moogsoft Cloud performs anomaly detection on all metrics and generates events for these anomalies before ingestion. See also AWS CloudWatch API.

Note

AWS CloudWatch is a paid service. Before you enable this integration, you should review Amazon's pricing policies to avoid unexpected charges. For more information, go to the AWS documentation and search for "CloudWatch pricing."

Note

It is good practice to create only one integration per AWS account.

Before you begin

This integration was validated with AWS CloudWatch on May 14, 2020. Before you start to set up your integration, ensure you have met the following requirements:

  • You have an active AWS account.

  • You have the necessary permissions to create permissions and roles in AWS.

Managing CloudWatch costs

This integration uses the AWS CloudWatch API, which is a paid service. You might get charged for using this API, depending on the number of metrics you ingest and the number of AWS regions you monitor.

Moogsoft Cloud polls the AWS CloudWatch API every once per minute, and uses batching to collect up to 500 metrics per request. CloudWatch allows a certain number of free API requests per month and then charges when you reach this limit.

Moogsoft recommends the following practices to avoid excessive CloudWatch costs:

  • on your EC2 instances and disable EC2 CloudWatch monitoring. This avoids the costs of collecting EC2 instance metrics using the CloudWatch API.collectorInstall and run the You have an active AWS account.

  • In the AWS Integration page, enable monitoring only for metrics and regions of interest.

Here's a simplified example of how you can estimate your monthly costs for an individual resource. You have met your allotted number of free API calls for the month. Your integration is configured to monitor about 400 resources in one region and 200 resources in another region. The integration sends 2 calls per minute, for a total of 2880 per day. Suppose AWS charges you $.01 (one cent) for every 1,000 API calls and you get charged for 20 days of calls. The resulting charge would be:

  • 2880 calls per day

  • 57,600 calls over 20 days

  • $0.576 = 57,600 / 1,000 * $.01

For detailed pricing information and examples, see Amazon CloudWatch pricing.

AWS Setup: Create a new policy and role

  1. Open the Credentials Store in Moogsoft Cloud:

    1. Open a browser window and log in to the Moogsoft Cloud UI.

    2. Choose Settings > Credentials Store.

    3. Click Add Credentials and choose AWS IAM. Leave this page open for now.

  2. Open a separate browser window. Then log in to the AWS Console and go to Services > IAM.

    Leave both the Moogsoft Cloud Credentials Store and the AWS Console browser windows open until you finish this workflow. You will need to copy/paste information between the two windows.

  3. In the AWS Console, go to Policies and define a new permissions policy as follows:

    1. Click Create Policy and click the JSON tab.

    2. For the JSON policy, copy and paste the policy from the Moogsoft Cloud Credentials Store (click Show required AWS policy).

      Note

      This policy includes the iam:SimulatePrincipalPolicy action, which Moogsoft Cloud uses to test the integration with your AWS CloudWatch estate. You can remove this action if desired, but this will disable the integration testing functionality.

    3. Click Review Policy, enter a policy name, and then click Create Policy.

  4. Go to Roles and create a new role as follows:

    1. Click Create Role.

    2. Under Select type of trusted entity, choose Another AWS account.

    3. For Account ID, copy and paste the Moogsoft AWS account number shown in the Moogsoft Cloud Credentials Store.

      This is the Moogsoft account that will receive data from CloudWatch.

    4. Under Options, enable Require external ID.

    5. Copy and paste the External ID from the Moogsoft Cloud Credentials Store. Click Generate External ID if necessary.

    6. Do not enable Require MFA.

    7. Click Next: Permissions and add the policy you created previously.

    8. Proceed through the remaining steps of the Create Role wizard, accepting the default settings. In the Review page, enter a role name and click Create Role

Moogsoft Cloud setup

To configure the AWS CloudWatch integration:

  1. Return to the Moogsoft Cloud Credentials Store window and define your AWS IAM credentials as follows:

    • AWS Account Number — In the AWS Console, go to My Security Credentials. Then copy and paste the AWS account ID.

    • IAM Role — Enter the role you defined previously.

    • External ID — Do not change or update this ID. It must be the same ID you used when you created your role.

  2. Click Save to save your IAM credentials.

  3. Choose Ingestion Services > AWS CloudWatch and create a new integration.

  4. Select the AWS credentials you defined previously.

  5. Click Test to verify that Moogsoft Cloud can connect to your AWS account.

  6. Specify the other CloudWatch integration settings as follows:

    • Region — Select the AWS regions to observe.

    • AWS Services — Select the AWS services to observe.

    • Collect CloudWatch Alarms — Enable this option if you want to collect alarms in addition to standard CloudWatch metrics. Moogsoft Cloud ingests alarms as events and converts them to alerts.

    • Collect Custom Metrics — Enable this option if you want to send any custom metrics you are collecting to AWS CloudWatch.

    Note

    It is generally good practice to collect only the metrics and alarms that you want Moogsoft Cloud to observe.

  7. Enter an integration name and click Save.

  8. Optionally, you can go to the Configuration tab and customize anomaly detection settings for individual metrics.

Watch how to Integrate Moogsoft with AWS Cloudwatch.

2022-06-21T09:17:56-04:00

In this video, we will go over how to integrate AWS Cloudwatch and send the data to Moogsoft.

The instruction documentation is conveniently located right here.

1D1096E5-CD66-44E5-B882-7415980E66B4.jpeg

We are going to add our AWS credentials (click "Add New Credentials").

B5782DD3-DC32-4427-8D07-B0E0481EE768.jpeg

We need to create a policy and a role in AWS to complete the configuration. To do so, we need this JSON script from Moogsoft (click "Show required AWS policy").

114225CF-121A-4DAF-B897-97A2B25B2F81.jpeg

Grab this JSON script (click the "Copy" icon in the bottom right)...

BF0C9E88-603E-4261-B594-98737D2385F8.jpeg

And now we are going to AWS.

Navigate to the policy section (in the AWS Management Console, under "Security, Identity, and Compliance", navigate to IAM > Policies > Create Policy)...

img-0DB281FB-FB0B-475E-87EE-A061A3E3492E.jpeg
68C00B9E-CD08-496D-AA8F-7988E4DA7C69.jpeg
4DFC513A-37C2-4A57-BD48-BA12CB5222AA.jpeg

Paste the JSON script we grabbed from Moogsoft...

48E3BF8D-62AE-486F-8E3A-0800192D7E01.jpeg

And provide a meaningful name.

5CFB3310-B9AA-49AD-A41C-B9A1ED6A92E1.jpeg

Now we got the policy. Let's create the role now (click "Roles" in the left hand navigation dashboard, then click "Create Role").

A2712723-CAA2-475B-A676-ED6AFF7B0C52.jpeg

"Another AWS Account" is what we need here.

B6297430-F07F-4984-943F-112D9F9C1539.jpeg

We need to provide the Moogsoft AWS account number here.

B2F55669-6D3A-4CAC-B7B2-7CF772373311.jpeg

Let's go back to Moogsoft. Copy this...

FE668783-9AB4-4E25-B12C-73A746CD88BB.jpeg

And paste it here.

B2F55669-6D3A-4CAC-B7B2-7CF772373311.jpeg

Next, check "Require External ID". We need to grab it from Moogsoft. Here it is.

25539DAE-BDF5-4782-AAC0-543FE25CD96A.jpeg

(Copy the External ID and paste it into the corresponding field in AWS)

CE01CB58-D13A-430F-AADF-46DD739C6CDB.jpeg

To this role we are creating, we need to associate the policy that we just created. Let me search by the name I gave that policy.

95428D77-4182-4EE1-B0B3-79C7CF1E00EF.jpeg

(Select the policy, then at the bottom right, click "Next: Tags" and then "Next: Review")

Lastly, provide a name for the role (fill in the name, then at the bottom right, click "Create role").

78B0AFE4-DFEA-472C-8612-CE7F0ED48920.jpeg

And now we have the role created.

Let's go back to Moogsoft and plug in the new role information. Here's the name of the role, and here's the AWS account number (fill in the required fields, then click "Save").

799476B5-3642-439C-8D1D-415EE029209D.jpeg

And the new credentials are now available for use.

743FE3BE-E5E3-49EB-A6DC-52CF0A2C197F.jpeg

Select a region, and test.

It works! Now, the data from Cloudwatch will start to flow into this instance of Moogsoft.

Thanks for watching.