This guide explains how to collect logs from AWS CloudWatch and forward them to your Dstl8 Docker agent using the OpenTelemetry Collector.
The setup uses the OpenTelemetry Collector with the AWS CloudWatch receiver to:
Poll CloudWatch log groups at regular intervals
Transform and enrich log data with AWS-specific attributes
Forward logs to the Dstl8 Docker agent via OTLP
Architecture:
AWS CloudWatch → OTel Collector (CloudWatch Receiver) → Dstl8 Docker Agent (OTLP Receiver)
Docker installed on the same host as the Dstl8 agent
AWS credentials with CloudWatch read access
Access to the AWS region containing your log groups
AWS IAM Permissions
Your AWS credentials need read-only access to CloudWatch Logs. AWS provides a managed policy for this:
Managed Policy: CloudWatchReadOnlyAccess
Policy ARN: arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
Alternatively, you can create a custom IAM policy with minimum required permissions:
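An added example of such a policy, not taken from the original guide or from Dstl8. It assumes the CloudWatch receiver only calls logs:DescribeLogGroups (to discover groups) and logs:FilterLogEvents (to read events). REGION, ACCOUNT_ID and EXAMPLE_LOG_GROUP are placeholders to replace with your own values, with one pair of ARNs per log group listed in config.yaml:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverLogGroups",
      "Effect": "Allow",
      "Action": "logs:DescribeLogGroups",
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:*"
    },
    {
      "Sid": "ReadSelectedLogGroups",
      "Effect": "Allow",
      "Action": "logs:FilterLogEvents",
      "Resource": [
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:EXAMPLE_LOG_GROUP",
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:EXAMPLE_LOG_GROUP:*"
      ]
    }
  ]
}
```

Compared with CloudWatchReadOnlyAccess, this grants no access to metrics, alarms or log groups outside the listed ARNs, so a leaked collector credential exposes only the logs the collector was meant to read.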
Step 1: Create the Collector Configuration File
Create a file named config.yaml with the following content. This configuration includes:
AWS CloudWatch receiver to poll log groups
Transform processor to enrich logs with AWS service metadata
OTLP exporter to forward logs to the Dstl8 agent
Step 2: Customize the Configuration
Update the following sections in your config.yaml:
1. AWS Region:
2. CloudWatch Log Groups:
Add the log groups you want to monitor under groups.named:
3. OTLP Exporter Endpoint:
The endpoint depends on your operating system and network configuration:
Linux (Docker default bridge network):
macOS:
Windows:
Same Docker Network (if both containers are on the same custom network):
Running the OpenTelemetry Collector
Using AWS Access Keys
Once your config.yaml is configured, start the OpenTelemetry Collector:
Linux/macOS:
Windows (PowerShell):
Using AWS IAM Role (EC2 or ECS)
If running on an EC2 instance or ECS task with an IAM role attached, you don't need to provide credentials:
The collector will automatically use the instance's IAM role credentials.
Using AWS Profile
If you have AWS credentials configured in ~/.aws/credentials:
Check Collector Status
View collector logs:
Follow logs in real-time:
Successful startup should show:
Check Dstl8 Agent
Verify the Dstl8 agent is receiving logs:
Verify in Dstl8 UI
Log into your Dstl8 dashboard and verify:
CloudWatch log groups appear as data sources
Logs are being ingested with proper AWS attributes
Service names are correctly extracted from log group names
Troubleshooting
Collector Can't Connect to Dstl8 Agent
Symptom: Logs show connection refused or timeout errors
Solutions:
Verify the Dstl8 agent is running:
Check OTLP endpoint in config.yaml:
Linux: Try 172.17.0.1:4317 or localhost:4317
macOS/Windows: Use host.docker.internal:4317
Test connectivity from collector container:
Verify port 4317 is exposed on the Dstl8 agent:
AWS Authentication Errors
Symptom: Logs show "AccessDenied" or authentication errors
Solutions:
Verify AWS credentials are correct:
Check IAM permissions: Ensure the IAM user/role has CloudWatchReadOnlyAccess or equivalent permissions
Verify region is correct: Check that the region in config.yaml matches where your log groups exist
No Logs Being Collected
Symptom: Collector runs but no logs appear in Dstl8
Solutions:
Check log group names in config.yaml: Ensure they exactly match (case-sensitive)
Verify poll interval: The default is 1 minute, so wait at least that long
Check for recent log entries: The collector only fetches recent logs, not historical data by default
High Memory or CPU Usage
Symptom: Collector consumes excessive resources
Solutions:
Reduce batch size in config.yaml:
Limit the number of log groups being monitored
Advanced Configuration
Filtering Log Groups by Prefix
Instead of listing individual log groups, you can use prefixes:
This will collect logs from all log groups matching the prefixes.
Custom Poll Intervals
Adjust polling frequency based on your needs:
Note: More frequent polling increases AWS API calls and costs.
Adding Debug Exporter
For troubleshooting, add a debug exporter to see logs in collector output:
Then view detailed logs:
Running on a Custom Docker Network
To improve networking between containers, create a custom network:
Update the endpoint in config.yaml:
Managing the Collector
Stop the Collector
Start the Collector
Restart the Collector
Update Configuration
After modifying config.yaml, restart the collector:
Remove the Collector