Elastic Agent : AWS CloudWatch Fleet Integration Fail with RequestCanceledError

davide.lilliu · July 22, 2022, 10:04am

Hi,

i'm trying to set up an AWS integration to bring Lambda log group.
I'm already using the AWS integration to have some metrics, so a don't think is a credential problem. I followed this guide AWS | Elastic Documentation and i give all the necessary permissions to my user.

This is a piece of filebeat log under:

{"log.level":"info","@timestamp":"2022-07-20T07:23:48.942Z","log.logger":"input.aws-cloudwatch.cloudwatch_poller","log.origin":{"file.name":"awscloudwatch/input.go","file.line":213},"message":"aws-cloudwatch input worker for log group: '/aws/lambda/APIShare_Cognito_Authorizers' has started","service.name":"filebeat","id":"aws-cloudwatch-aws.cloudwatch_logs-5f521d35-5207-4f0b-b5f3-33cf735f4b78","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-07-20T07:23:48.964Z","log.logger":"input.aws-cloudwatch.cloudwatch_poller","log.origin":{"file.name":"awscloudwatch/cloudwatch.go","file.line":70},"message":"getLogEventsFromCloudWatch failed with RequestCanceledError: <nil>","service.name":"filebeat","id":"aws-cloudwatch-aws.cloudwatch_logs-5f521d35-5207-4f0b-b5f3-33cf735f4b78","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-07-20T07:23:48.964Z","log.logger":"input.aws-cloudwatch.cloudwatch_poller","log.origin":{"file.name":"awscloudwatch/cloudwatch.go","file.line":72},"message":"getLogEventsFromCloudWatch failed: <nil>","service.name":"filebeat","id":"aws-cloudwatch-aws.cloudwatch_logs-5f521d35-5207-4f0b-b5f3-33cf735f4b78","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-20T07:23:48.964Z","log.logger":"input.aws-cloudwatch.cloudwatch_poller","log.origin":{"file.name":"awscloudwatch/input.go","file.line":209},"message":"aws-cloudwatch input worker for log group '/aws/lambda/APIShare_Cognito_Authorizers' has stopped.","service.name":"filebeat","id":"aws-cloudwatch-aws.cloudwatch_logs-5f521d35-5207-4f0b-b5f3-33cf735f4b78","ecs.version":"1.6.0"}

Andrea_Spacca · July 22, 2022, 10:29am

hello @davide.lilliu , welcome to the Elastic community

the error reported in the log is misleading: we already reported the bug and it should be fixed in the next release

to clarify: it's only the fact that the error is reported as an empty Request Canceled error the bogus behaviour

but an error indeed occurred in your setup: due to the bug mentioned above we lost the real error type and message

most likely it is a permission problem.

the actions required to fetch metrics are different from the ones required to fetch cloudwatch logs events

I can indeed see that the docs does not mention logs:FilterLogEvents, this is indeed required for fetching cloudwatch logs events.

could you try to add it to the IAM resource you use?

we will fix the documentation as well

davide.lilliu · July 22, 2022, 1:30pm

Hi @Andrea_Spacca ,

thanks for the answer and for welcome.

i add the aws permission that you told me, but it doesn't work again, now we have a different message on filebeat logs.

{"log.level":"warn","@timestamp":"2022-07-22T12:34:28.385Z","log.logger":"elasticsearch","log.origin":{"file.name":"elasticsearch/client.go","file.line":429},"message":"Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.April, 26, 12, 34, 45, 0, time.UTC), Meta:{\"_id\":\"36818005933506741614627722203827005425098558727599030300\",\"raw_index\":\"logs-generic-default\"}, Fields:{\"agent\":{\"ephemeral_id\":\"1b80399f-afbb-426c-b974-3ae9af85977b\",\"id\":\"440b5ec3-9985-41e6-887f-3259900d61d9\",\"name\":\"ip-172-40-5-254.eu-west-1.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.3.2\"},\"aws.cloudwatch\":{\"ingestion_time\":\"2022-04-26T12:34:53.000Z\",\"log_group\":\"/aws/lambda/APIShare_Cognito_Authorizers\",\"log_stream\":\"2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\"},\"awscloudwatch\":{\"ingestion_time\":\"2022-04-26T12:34:53.000Z\",\"log_group\":\"/aws/lambda/APIShare_Cognito_Authorizers\",\"log_stream\":\"2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\"},\"cloud\":{\"provider\":\"aws\",\"region\":\"eu-west-1\"},\"container\":{\"id\":\"04\"},\"data_stream\":{\"dataset\":\"generic\",\"namespace\":\"default\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"440b5ec3-9985-41e6-887f-3259900d61d9\",\"snapshot\":false,\"version\":\"8.3.2\"},\"event\":{\"dataset\":\"generic\",\"id\":\"36818005933506741614627722203827005425098558727599030300\",\"ingested\":\"2022-07-22T12:33:33.054Z\"},\"input\":{\"type\":\"aws-cloudwatch\"},\"log.file.path\":\"/aws/lambda/APIShare_Cognito_Authorizers/2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\",\"message\":\"2\\n\",\"tags\":[\"forwarded\",\"aws-cloudwatch-logs\"]}, Private:(*aws.EventACKTracker)(0xc000643560), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=403): {\"type\":\"security_exception\",\"reason\":\"action [indices:admin/auto_create] is unauthorized for API key id [yjLUJYIBu4Mq7F4vLShT] of user [elastic/fleet-server] on indices [logs-generic-default], this action is granted by the index privileges [auto_configure,create_index,manage,all]\"}, dropping event!","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-07-22T12:34:28.386Z","log.logger":"elasticsearch","log.origin":{"file.name":"elasticsearch/client.go","file.line":429},"message":"Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.April, 26, 12, 34, 45, 0, time.UTC), Meta:{\"_id\":\"36818005933506741614627722203827005425098558727599030301\",\"raw_index\":\"logs-generic-default\"}, Fields:{\"agent\":{\"ephemeral_id\":\"1b80399f-afbb-426c-b974-3ae9af85977b\",\"id\":\"440b5ec3-9985-41e6-887f-3259900d61d9\",\"name\":\"ip-172-40-5-254.eu-west-1.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.3.2\"},\"aws.cloudwatch\":{\"ingestion_time\":\"2022-04-26T12:34:53.000Z\",\"log_group\":\"/aws/lambda/APIShare_Cognito_Authorizers\",\"log_stream\":\"2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\"},\"awscloudwatch\":{\"ingestion_time\":\"2022-04-26T12:34:53.000Z\",\"log_group\":\"/aws/lambda/APIShare_Cognito_Authorizers\",\"log_stream\":\"2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\"},\"cloud\":{\"provider\":\"aws\",\"region\":\"eu-west-1\"},\"container\":{\"id\":\"04\"},\"data_stream\":{\"dataset\":\"generic\",\"namespace\":\"default\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"440b5ec3-9985-41e6-887f-3259900d61d9\",\"snapshot\":false,\"version\":\"8.3.2\"},\"event\":{\"dataset\":\"generic\",\"id\":\"36818005933506741614627722203827005425098558727599030301\",\"ingested\":\"2022-07-22T12:33:33.054Z\"},\"input\":{\"type\":\"aws-cloudwatch\"},\"log.file.path\":\"/aws/lambda/APIShare_Cognito_Authorizers/2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\",\"message\":\"0\\n\",\"tags\":[\"forwarded\",\"aws-cloudwatch-logs\"]}, Private:(*aws.EventACKTracker)(0xc000643560), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=403): {\"type\":\"security_exception\",\"reason\":\"action [indices:admin/auto_create] is unauthorized for API key id [yjLUJYIBu4Mq7F4vLShT] of user [elastic/fleet-server] on indices [logs-generic-default], this action is granted by the index privileges [auto_configure,create_index,manage,all]\"}, dropping event!","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-07-22T12:34:28.386Z","log.logger":"elasticsearch","log.origin":{"file.name":"elasticsearch/client.go","file.line":429},"message":"Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.April, 26, 12, 34, 45, 0, time.UTC), Meta:{\"_id\":\"36818005933506741614627722203827005425098558727599030302\",\"raw_index\":\"logs-generic-default\"}, Fields:{\"agent\":{\"ephemeral_id\":\"1b80399f-afbb-426c-b974-3ae9af85977b\",\"id\":\"440b5ec3-9985-41e6-887f-3259900d61d9\",\"name\":\"ip-172-40-5-254.eu-west-1.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.3.2\"},\"aws.cloudwatch\":{\"ingestion_time\":\"2022-04-26T12:34:53.000Z\",\"log_group\":\"/aws/lambda/APIShare_Cognito_Authorizers\",\"log_stream\":\"2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\"},\"awscloudwatch\":{\"ingestion_time\":\"2022-04-26T12:34:53.000Z\",\"log_group\":\"/aws/lambda/APIShare_Cognito_Authorizers\",\"log_stream\":\"2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\"},\"cloud\":{\"provider\":\"aws\",\"region\":\"eu-west-1\"},\"container\":{\"id\":\"04\"},\"data_stream\":{\"dataset\":\"generic\",\"namespace\":\"default\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"440b5ec3-9985-41e6-887f-3259900d61d9\",\"snapshot\":false,\"version\":\"8.3.2\"},\"event\":{\"dataset\":\"generic\",\"id\":\"36818005933506741614627722203827005425098558727599030302\",\"ingested\":\"2022-07-22T12:33:33.054Z\"},\"input\":{\"type\":\"aws-cloudwatch\"},\"log.file.path\":\"/aws/lambda/APIShare_Cognito_Authorizers/2022/04/26/[$LATEST]af7d872c0e3a41f9bba7f8bfac7fe00a\",\"message\":\"key index 0\\n\",\"tags\":[\"forwarded\",\"aws-cloudwatch-logs\"]}, Private:(*aws.EventACKTracker)(0xc000643560), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=403): {\"type\":\"security_exception\",\"reason\":\"action [indices:admin/auto_create] is unauthorized for API key id [yjLUJYIBu4Mq7F4vLShT] of user [elastic/fleet-server] on indices [logs-generic-default], this action is granted by the index privileges [auto_configure,create_index,manage,all]\"}, dropping event!","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-22T12:36:32.443Z","log.logger":"input.aws-cloudwatch.cloudwatch_poller","log.origin":{"file.name":"awscloudwatch/input.go","file.line":213},"message":"aws-cloudwatch input worker for log group: '/aws/lambda/APIShare_Cognito_Authorizers' has started","service.name":"filebeat","id":"aws-cloudwatch-aws_logs.generic-1a07a8ba-6b51-4569-bec2-9798c98d478f","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-22T12:36:35.123Z","log.logger":"input.aws-cloudwatch.cloudwatch_poller","log.origin":{"file.name":"awscloudwatch/input.go","file.line":213},"message":"aws-cloudwatch input worker for log group: '/aws/lambda/APIShare_Cognito_Authorizers' has started","service.name":"filebeat","id":"aws-cloudwatch-aws_logs.generic-1a07a8ba-6b51-4569-bec2-9798c98d478f","ecs.version":"1.6.0"}

system · August 19, 2022, 3:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Collect logs from Amazon CloudWatch with Elastic Agent Beats elastic-stack-monitoring , elastic-stack-security , fleet , elastic-agent	3	1083	May 16, 2022
Elastic Agent error out with log_group_arn, log_group_name and log_group_name_prefix config cannot all be empty Elasticsearch	1	412	August 24, 2023
Filebeat: failed FilterLogEventsRequestRequestCanceled Beats filebeat	2	689	April 1, 2021
Monitor specific AWS Cloudwatch log_stream Elastic Agent fleet , integrations	1	595	October 26, 2022
Custom Pipeline with Elastic Agent AWS EC2 Cloudwatch Log integration Elastic Agent fleet	3	410	October 26, 2022

Elastic Agent : AWS CloudWatch Fleet Integration Fail with RequestCanceledError

Related topics