Sample logging architectures for FireLens on Amazon ECS and AWS Fargate.
We want examples of as many use cases in this repository as possible! Submit a Pull Request if you would like to add something.
- Using the 'file' 'config-file-type'
- Cross Account Log Forwarding
- Source multiple configs from S3 or files
- Using EFS to store configuration files
- Setting awsfirelens log driver buffer limit size
- How to set Fluentd and Fluent Bit input parameters (including Mem_Buf_Limit) in FireLens
- How to prevent OOMKills (Out of Memory) in FireLens
An init tag is distributed with each release, it adds useful features for ECS customers.
- Source multiple configs from S3 or files
- Use ECS Task ID and ECS Metadata in configuration
- Template log group or log stream name using ECS Task ID and ECS Metadata
- Send Fluent Bit internal metrics to CloudWatch
- Fluent Bit Container Health Check Options
- CPU, Disk, and Memory Usage Monitoring with ADOT
- Send Logs to CloudWatch Logs
- Send EMF Metrics to CloudWatch Logs
- Send to Kinesis Data Firehose
- Send to Kinesis Data Stream
- Send to S3
- Send to Amazon OpenSearch Service
- Send to Amazon OpenSearch Serverless Service
- Send to Amazon Managed Service for Prometheus
- Enable Debug Logging
- Forward to a Fluentd or Fluent Bit Log Aggregator
- Parse Serialized JSON
- Parse common log formats
- Parse Envoy Access Logs from AWS App Mesh
- Send to multiple destinations
- Add custom metadata to logs
- Datadog monitoring
- Dynatrace monitoring
- SignalFx monitoring
- New Relic Logs
- Sumo Logic
- SolarWinds Loggly
- Sematext Logs
- Logstash
- Elastic Cloud
- Grafana Cloud
Artifacts for the blog Splitting an application’s logs into multiple streams: a Fluent tutorial
Before you use FireLens, familiarize yourself with Amazon ECS and with the FireLens documentation.
In order to use these examples, you will need the following IAM resources:
- A Task IAM Role with permissions to send logs to your log destination. Each of the examples in this repository that needs additional permissions has a sample policy.
- A Task Execution Role. This role is used by the ECS Agent to make calls on your behalf. If you enable logging for your FireLens container with the
awslogs
Docker Driver, you will need permissions for CloudWatch. You also need to give it S3 permissions if you are pulling an external Fluent Bit or Fluentd configuration file from S3. See the the FireLens documentation for more.
Here is an example inline policy with S3 access for FireLens:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::examplebucket/folder_name/config_file_name"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::examplebucket"
]
}
]
}
You must update each Task Definition to reflect your own needs. Replace the IAM roles with your own roles. Update the log configuration with the values that you desire. And replace the app image with your own application image.
Additionally, several of these examples use a custom Fluent Bit/Fluentd configuration file in S3. You must upload it to your own bucket, and change the S3 ARN in the example Task Definition.
If you are using ECS on Fargate, then pulling a config file from S3 is not currently supported. Instead, you must create a custom Docker image with the config file.
Dockerfile to add a custom configs:
FROM amazon/aws-for-fluent-bit:latest
ADD extra.conf /extra.conf
Then update the firelensConfiguration
options
in the Task Definition to the following:
"options": {
"config-file-type": "file",
"config-file-value": "/extra.conf"
}
This sample code is made available under the MIT-0 license. See the LICENSE file.