8.4 Monitoring Access Manager in AWS Using CloudWatch

Amazon CloudWatch provides real-time monitoring of AWS resources. It tracks metrics and lets you create alarms or send notifications when a metric crosses a threshold. With the CloudWatch Agent, CloudWatch can also collect system-level metrics and log files from the servers that run Access Manager, whether those are EC2 instances or on-premises servers.

For example, you can use CloudWatch to monitor CPU usage and then decide whether you need to create or delete instances to meet the current load.

For more information about CloudWatch, see What Is Amazon CloudWatch?

For more information about CloudWatch Agent, see Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent.

Perform the following tasks to configure CloudWatch with on-premises servers:

  1. Install the AWS Command Line Interface (CLI) on the on-premises servers. The AWS CLI is used in step 4 to store the credentials and AWS Region that the CloudWatch Agent uses to reach CloudWatch. Installing with Python pip gives you AWS CLI version 1; open a terminal window on the server and run the following commands:

    • curl -O https://bootstrap.pypa.io/get-pip.py (to download the get-pip.py installer package)

    • python3 get-pip.py --user (to install pip itself; without this step the next command fails on a server that has no pip)

    • pip install --upgrade awscli (to install AWS CLI)

    AWS CLI version 2 is distributed as a bundled installer instead of through pip; either version provides the aws configure command used later in this procedure. For information about installing AWS CLI, see Installing the AWS CLI.

  2. Create an IAM user for the CloudWatch Agent. An on-premises server cannot assume an EC2 instance role, so the agent authenticates with the access keys of an IAM user. Grant that user only the permissions the agent needs (the CloudWatchAgentServerPolicy managed policy covers writing metrics and logs) and do not reuse an administrative user's keys for this purpose. For more information about creating IAM users, see Create IAM Roles and Users for Use with the CloudWatch Agent.

  3. Install the CloudWatch Agent package on the Access Manager servers. For information about installing the CloudWatch Agent package on servers, see Installing and Running the CloudWatch Agent on Your Servers.

  4. Store the IAM user's credentials and the AWS Region by using the aws configure command. The command prompts you for the access key ID, secret access key, AWS Region, and output format, and writes them to the credentials file of the user that runs it. On Linux the agent runs as root by default, so run the command with sudo, and consider keeping the keys in a dedicated named profile (for example, aws configure --profile AmazonCloudWatchAgent) that the agent is pointed at in its common-config.toml file, so that the agent's credentials are kept apart from any other profiles on the server.

    For information about using this command, see Quickly Configuring the AWS CLI.

  5. Create the CloudWatch Agent configuration file through the configuration file wizard. The wizard prompts you for details such as which metrics to collect, the location of the log files to monitor, and whether to store the resulting file in the Systems Manager Parameter Store. Specify these details based on your requirements.

    For example, to monitor the Identity Server node logs, you must specify the following log file location in the configuration file:

    /opt/novell/nam/idp/logs/catalina.out

    For information about creating the configuration file using wizard, see Create the CloudWatch Agent Configuration File with the Wizard.

  6. Start the CloudWatch Agent by using the configuration file that you created in the previous step. For example, if the configuration file is saved in the Systems Manager Parameter Store, run the following command:

    sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m onPremise -c ssm:configuration-parameter-store-name -s

    In this example, -a fetch-config loads the latest version of the configuration, -m onPremise tells the agent that it is running on an on-premises server rather than an EC2 instance, -c names the configuration source (use -c file:/path/to/config.json for a file on the local disk), and -s starts the CloudWatch Agent. To confirm that the agent is running, run the same command with -a status instead.

    For information about installing CloudWatch Agent on servers and creating the configuration file, see Installing the CloudWatch Agent on On-Premises Servers.

  7. Log in to the AWS Management Console.

  8. Click Services and search for the CloudWatch service.

  9. In the CloudWatch console, the collected log files appear under Logs, in the log group named in the configuration file, and the host metrics, such as CPU and memory, appear under Metrics in the CWAgent namespace.
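The procedure above, written as one script, as an added example that is not part of the Access Manager documentation or of the AWS documentation: it generates the agent configuration that ships the Identity Server node log, names the credentials profile in common-config.toml, and starts the agent in on-premises mode. The catalina.out path, the amazon-cloudwatch-agent-ctl flags, and the configuration keys are the real ones; the log group name nam-identity-server, the log stream name, the AmazonCloudWatchAgent profile name, and the 90-day retention are assumptions that you would replace with your own values.

```shell
#!/usr/bin/env bash
# Added example (not from the Access Manager or AWS documentation): build the CloudWatch
# Agent configuration that ships the Identity Server log and collects host metrics from an
# on-premises Access Manager node, point the agent at a named credentials profile, and
# start it in on-premises mode. Log group, stream and profile names are assumptions.
set -eu

IDP_LOG="/opt/novell/nam/idp/logs/catalina.out"         # Identity Server node log
LOG_GROUP="${LOG_GROUP:-nam-identity-server}"          # assumed log group name
CW_PROFILE="${CW_PROFILE:-AmazonCloudWatchAgent}"      # assumed named AWS CLI profile
AGENT_CTL="/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl"
COMMON_CONFIG="/opt/aws/amazon-cloudwatch-agent/etc/common-config.toml"

# Agent configuration (the agent's own JSON schema): tail catalina.out into CloudWatch Logs
# with a 90-day retention, and collect CPU, memory and root-disk metrics every 60 seconds.
nam_cw_agent_config() {
  cat <<EOF
{
  "agent": { "metrics_collection_interval": 60, "run_as_user": "root" },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "${IDP_LOG}",
            "log_group_name": "${LOG_GROUP}",
            "log_stream_name": "{hostname}-idp-catalina",
            "retention_in_days": 90,
            "timezone": "UTC"
          }
        ]
      }
    }
  },
  "metrics": {
    "metrics_collected": {
      "cpu":  { "measurement": ["usage_user", "usage_system", "usage_idle"], "totalcpu": true },
      "mem":  { "measurement": ["mem_used_percent"] },
      "disk": { "measurement": ["used_percent"], "resources": ["/"] }
    }
  }
}
EOF
}

# Write the configuration to a file and echo its path for use with "-c file:...".
write_cw_agent_config() {
  nam_cw_agent_config > "$1"
  printf '%s\n' "$1"
}

# common-config.toml tells an agent that has no instance role which named profile to read.
# The profile itself is created with: sudo aws configure --profile "$CW_PROFILE"
cw_common_config() {
  cat <<EOF
[credentials]
    shared_credential_profile = "${CW_PROFILE}"
EOF
}

# Print a command, and run it only when NAM_CW_APPLY=1 (dry run by default).
run_or_show() {
  if [ "${NAM_CW_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Load the configuration file and start the agent in on-premises mode; report its status.
cw_agent_start()  { run_or_show sudo "$AGENT_CTL" -a fetch-config -m onPremise -c "file:$1" -s; }
cw_agent_status() { run_or_show sudo "$AGENT_CTL" -a status -m onPremise; }

# Apply on a node (agent package installed, profile configured): NAM_CW_APPLY=1 ./nam-cloudwatch.sh
if [ "${NAM_CW_APPLY:-0}" = "1" ]; then
  cw_common_config | sudo tee "$COMMON_CONFIG" > /dev/null
  cfg="$(write_cw_agent_config "${TMPDIR:-/tmp}/nam-idp-agent.json")"
  cw_agent_start "$cfg"      # fetch-config copies the file into the agent's config directory
  cw_agent_status
fi
```

Run the script without NAM_CW_APPLY to see the commands it would execute; set NAM_CW_APPLY=1 on a node where the agent package is installed and the profile exists to apply them. Writing the configuration file this way instead of through the wizard keeps the monitored paths reviewable in version control, and retention_in_days stops the log group from growing without bound.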

You can also install the CloudWatch Agent on EC2 instances. There, attach an IAM role to the instance instead of storing access keys on it. For more information, see Installing the CloudWatch Agent on EC2 Instances Using Your Agent Configuration.