diff --git a/docs/integration/aws/.pages b/docs/integration/aws/.pages index 0527ad7..ab8bfb7 100644 --- a/docs/integration/aws/.pages +++ b/docs/integration/aws/.pages @@ -2,4 +2,8 @@ nav: - Amazon EC2 : ec2.md - Application Load Balancer(ALB) : alb.md - - Amazon Virtual Private Cloud : vpc-flow.md \ No newline at end of file + - Amazon Virtual Private Cloud : vpc-flow.md + - Amazon Cognito : cognito.md + - AWS Cloudwatch logs: cloudwatch-logs.md + - Amazon EventBridge : eventbridge.md + diff --git a/docs/integration/aws/cloudwatch-logs.md b/docs/integration/aws/cloudwatch-logs.md new file mode 100644 index 0000000..26a3f1f --- /dev/null +++ b/docs/integration/aws/cloudwatch-logs.md 
@@ -0,0 +1,85 @@ +--- +title: AWS CloudWatch Logs Integration Guide +description: Stream CloudWatch Logs to OpenObserve using Kinesis Firehose and HTTP delivery. +--- + +# Integration with AWS CloudWatch Logs + +This guide explains how to *stream logs from AWS CloudWatch* to OpenObserve using Kinesis Firehose with an HTTP endpoint. + +## Overview + +Forward application or infrastructure logs from CloudWatch Logs to OpenObserve in near real-time. +The integration uses **CloudWatch Logs subscriptions** to stream log data into **Kinesis Firehose**, which then delivers it to **OpenObserve over HTTP**. + +This approach enables centralized log analysis, alerting, and visualization in OpenObserve without storing logs in S3 or managing Lambda transformations. + +## Steps to Integrate + +??? "Prerequisites" + - OpenObserve account ([Cloud](https://cloud.openobserve.ai/web/) or [Self-Hosted](../../../quickstart/#self-hosted-installation)) + - AWS account with: + - CloudWatch Log Group(s) + - IAM permissions to create Firehose streams and set up log subscriptions + +??? "Step 1: Get OpenObserve Ingestion URL and Access Key" + + 1. In OpenObserve: go to **Data Sources → Recommended → AWS** + 2. Copy the ingestion HTTP URL and Access Key + + ![Fetch OpenObserve Ingestion URL](../images/aws-integrations/vpc-flow/fetch-url.png) + + > Example format: + > ``` + > https:///aws/default/cloudwatch-logs/_kinesis_firehose + > ``` + + +??? "Step 2: Create a Kinesis Firehose Delivery Stream" + + 1. In AWS Kinesis Firehose, Create delivery stream. + 2. Set Source: `Direct PUT` and Destination: `HTTP Endpoint`. + 3. Provide OpenObserve's HTTP Endpoint URL and Access Key, and set an S3 backup bucket. + 4. Give the stream a meaningful name and Create it. + + ![Kinesis Firehose Delivery Stream](../images/aws-integrations/cloudwatch-logs/firehose-stream.png) + +??? "Step 3: Attach CloudWatch Logs to Firehose" + + 1. Go to **CloudWatch → Log Groups** + 2. 
Select the log group you want to stream + 3. Click **Actions → Create subscription filter** + 4. Choose: + - **Destination**: `Kinesis Firehose` + - **Delivery stream**: the stream created in Step 2 + 5. Set a filter pattern (e.g., `""` to send all logs) + 6. Click **Start streaming** + + ![Attach CloudWatch Logs to Firehose](../images/aws-integrations/cloudwatch-logs/subscription-filter.png) + +??? "Step 4: Verify Logs in OpenObserve" + + 1. Go to **Logs** → select your log stream → Set time range → Click **Run Query** + + ![Verify Logs in OpenObserve](../images/aws-integrations/cloudwatch-logs/cloudwatch-logs.png) + +??? "Troubleshooting" + + **Not seeing logs in OpenObserve?** + + Check the following: + + - **CloudWatch Logs** + - Ensure log events are being generated and the correct log group is selected. + - Verify that the subscription filter is active. + - **Firehose** + - Confirm the delivery stream is active and not reporting errors. + - Review the Monitoring tab for delivery status. + - Check the backup S3 bucket (if configured) for failed records. + - **OpenObserve** + - Validate the HTTP ingestion URL and access key. + - In the Logs view, select the correct stream and expand the time range. + + **Start Streaming Fails after creating Subscription Filter** + + Check the IAM role attached to the filter has full acess to Kinesis Firehose. \ No newline at end of file diff --git a/docs/integration/aws/cognito.md b/docs/integration/aws/cognito.md new file mode 100644 index 0000000..f6ed6f1 --- /dev/null +++ b/docs/integration/aws/cognito.md 
@@ -0,0 +1,86 @@ +--- + +title: AWS Cognito Logs Integration Guide +description: Stream AWS Cognito authentication events to OpenObserve using CloudTrail, EventBridge, and Kinesis Firehose. + +--- + +# Integration with AWS Cognito + +This guide explains how to *stream* AWS Cognito authentication events to OpenObserve using Amazon CloudTrail, EventBridge, and Kinesis Firehose. + +## Overview + +Monitor login attempts, user activity, and authentication behavior from Amazon Cognito by streaming events into OpenObserve for analysis. This integration uses CloudTrail to capture Cognito API calls, EventBridge to route events, and Firehose to deliver them to OpenObserve. + +## Steps to Integrate + +??? "Prerequisites" + - OpenObserve account ([Cloud](https://cloud.openobserve.ai/web/) or [Self-Hosted](../../../quickstart/#self-hosted-installation)) + - AWS account with: + - Cognito User Pool + - Permissions to create EventBridge rules and Firehose streams + +??? "Step 1: Enable CloudTrail Management Events" + + 1. Go to **AWS CloudTrail → Trails** + 2. Ensure you have a trail that logs **management events** + 3. If not: + - Click **Create trail** + - Name it (e.g., `CognitoTrail`) + - Enable **Management events** (Read/Write or Write-only) + - Choose a destination S3 bucket (new or existing) + - Complete trail creation + +??? "Step 2: Get OpenObserve Ingestion URL and Access Key" + + 1. In OpenObserve: go to **Data Sources → Recommended → AWS** + 2. Copy the ingestion URL and Access Key + + ![Get OpenObserve Ingestion URL and Access Key](../images/aws-integrations/vpc-flow/fetch-url.png) + + > Update the URL to have the stream name of your choice: + > ``` + > https:///aws/default//_kinesis_firehose + > ``` + + +??? "Step 3: Create Firehose Delivery Stream" + + 1. In AWS Kinesis Firehose, Create delivery stream with Source: `Direct PUT` and Destination: `HTTP Endpoint`. + 2. Provide OpenObserve's HTTP Endpoint URL and Access Key, and set an S3 backup bucket. + 3. 
Give the stream a meaningful name and Create it. + +??? "Step 4: Create EventBridge Rule to Capture Cognito Events" + + 1. Go to **EventBridge > Rules** and click **Create rule** + 2. Name the rule (e.g., `CognitoToOpenObserve`) + 3. Set event pattern: + ```json + { + "source": ["aws.cognito-idp"] + } + ``` + 4. Set the target to **Kinesis Firehose** and choose the delivery stream + 5. Click **Create rule** + + ![Create EventBridge Rule to Capture Cognito Events](../images/aws-integrations/cognito/event-rule.png) + + +??? "Step 5: Verify Logs in OpenObserve" + + 1. Go to **Logs** → select your log stream → Set time range → Click **Run Query** + + ![Verify Cognito Logs](../images/aws-integrations/cognito/log-stream.png) + +??? "Troubleshooting" + + + **No logs appearing?** + + - Ensure your CloudTrail is capturing **management events** + - Confirm your EventBridge rule has **matched events** recently + - Check if Firehose is delivering logs (see monitoring tab in Firehose) + - Verify that the OpenObserve URL and Access Key are valid + - Look for failed logs in your backup S3 bucket + diff --git a/docs/integration/aws/eventbridge.md b/docs/integration/aws/eventbridge.md new file mode 100644 index 0000000..334c797 --- /dev/null +++ b/docs/integration/aws/eventbridge.md 
@@ -0,0 +1,119 @@ +--- +title: AWS EventBridge Logs Integration Guide +description: Stream AWS API activity logs to OpenObserve using CloudTrail, EventBridge, and Kinesis Firehose. +--- + +# Integration with AWS EventBridge + +This guide explains how to *stream AWS management activity events* to OpenObserve using AWS CloudTrail, Amazon EventBridge, and Kinesis Firehose. + +## Overview + +Monitor and analyze AWS API activity (e.g., EC2 starts, IAM changes, S3 access) by routing events from **CloudTrail → EventBridge → Firehose → OpenObserve**. + +- **CloudTrail** captures management-level API calls across AWS services +- **EventBridge** filters and routes specific CloudTrail events +- **Kinesis Firehose** delivers those events reliably to OpenObserve over HTTP + +> **Note:** EventBridge *can* send events directly to OpenObserve using its HTTP target support. +> However, we recommend using **Kinesis Firehose** in production for: +> +> - Built-in retry logic and failure handling +> - Optional S3 backup for undelivered events + + +## Steps to Integrate + +??? "Prerequisites" + - OpenObserve account ([Cloud](https://cloud.openobserve.ai/web/) or [Self-Hosted](../../../quickstart/#self-hosted-installation)) + - AWS account with: + - CloudTrail enabled for management events + - IAM permissions to create EventBridge rules and Firehose streams + + +??? "Step 1: Ensure CloudTrail Management Events Are Enabled" + + 1. Go to **AWS Console → CloudTrail → Trails** + 2. Check if a trail exists that logs **management events** + 3. If not: + - Click **Create trail** + - Name the trail (e.g., `DefaultManagementTrail`) + - Enable **Management events** (Read/Write or Write-only) + - Choose an S3 bucket for storage (existing or new) + - Complete the trail creation + + > CloudTrail acts as the *source* of API activity events across AWS. + + +??? "Step 2: Get OpenObserve Ingestion URL and Access Key" + + 1. In OpenObserve: go to **Data Sources → Recommended → AWS** + 2. 
Copy the HTTP ingestion URL and Access Key + + ![Get OpenObserve Ingestion URL and Access Key](../images/aws-integrations/vpc-flow/fetch-url.png) + + > Example ingestion URL: + > ``` + > https:///aws/default/cloudtrail-events/_kinesis_firehose + > ``` + + +??? "Step 3: Create Firehose Delivery Stream to OpenObserve" + + 1. In AWS Kinesis Firehose, Create delivery stream with Source: `Direct PUT` and Destination: `HTTP Endpoint`. + 2. Provide OpenObserve's HTTP Endpoint URL and Access Key, and set an S3 backup bucket. + 3. Give the stream a meaningful name and Create it. + + +??? "Step 4: Create EventBridge Rule to Forward CloudTrail Events" + + 1. Go to **EventBridge > Rules** and click **Create rule** + 2. Name it (e.g., `ForwardCloudTrailEvents`) + 3. Choose: + - **Event Source**: `AWS events or EventBridge partner events` + - **Event Pattern**: + ```json + { + "source": ["aws.cloudtrail"], + "detail-type": ["AWS API Call via CloudTrail"] + } + ``` + 4. Set the target to **Kinesis Firehose** and choose the delivery stream + 5. Click **Create rule** + + +??? "Step 5: Verify Logs in OpenObserve" + + 1. Go to **Logs** → select your log stream → Set time range → Click **Run Query** + 2. You should see logs like: + ```json + { + "eventSource": "ec2.amazonaws.com", + "eventName": "StartInstances", + "userIdentity": { ... }, + "awsRegion": "us-east-1", + ... + } + ``` + + +??? "Troubleshooting" + + **No logs appearing in OpenObserve?** + + - CloudTrail: + - Ensure management events are enabled and recent API activity has occurred. + + - EventBridge: + - Confirm the rule is matching events. + - Check the Monitoring tab for recent invocations or matched event counts. + + - Firehose: + - Verify the delivery stream is active and error-free. + - Review the Monitoring tab and look for failed deliveries. + + - OpenObserve: + - Confirm the HTTP ingestion URL and access key are correct. 
+ - In the Logs view, select the correct stream and expand the time range to view recent data. + + diff --git a/docs/integration/images/aws-integrations/cloudwatch-logs/cloudwatch-logs.png b/docs/integration/images/aws-integrations/cloudwatch-logs/cloudwatch-logs.png new file mode 100644 index 0000000..a793cb2 Binary files /dev/null and b/docs/integration/images/aws-integrations/cloudwatch-logs/cloudwatch-logs.png differ diff --git a/docs/integration/images/aws-integrations/cloudwatch-logs/firehose-stream.png b/docs/integration/images/aws-integrations/cloudwatch-logs/firehose-stream.png new file mode 100644 index 0000000..e8fc4ce Binary files /dev/null and b/docs/integration/images/aws-integrations/cloudwatch-logs/firehose-stream.png differ diff --git a/docs/integration/images/aws-integrations/cloudwatch-logs/subscription-filter.png b/docs/integration/images/aws-integrations/cloudwatch-logs/subscription-filter.png new file mode 100644 index 0000000..5f54105 Binary files /dev/null and b/docs/integration/images/aws-integrations/cloudwatch-logs/subscription-filter.png differ diff --git a/docs/integration/images/aws-integrations/cognito/event-rule.png b/docs/integration/images/aws-integrations/cognito/event-rule.png new file mode 100644 index 0000000..0d9ca06 Binary files /dev/null and b/docs/integration/images/aws-integrations/cognito/event-rule.png differ diff --git a/docs/integration/images/aws-integrations/cognito/log-stream.png b/docs/integration/images/aws-integrations/cognito/log-stream.png new file mode 100644 index 0000000..fb71146 Binary files /dev/null and b/docs/integration/images/aws-integrations/cognito/log-stream.png differ diff --git a/docs/integration/images/aws-integrations/vpc-flow/fetch-url.png b/docs/integration/images/aws-integrations/vpc-flow/fetch-url.png index 19b5cef..ff0d338 100644 Binary files a/docs/integration/images/aws-integrations/vpc-flow/fetch-url.png and b/docs/integration/images/aws-integrations/vpc-flow/fetch-url.png differ
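Review bot: In docs/integration/aws/.pages, the new nav entry `AWS Cloudwatch logs: cloudwatch-logs.md` does not match the page it links to, whose title is "AWS CloudWatch Logs Integration Guide", and it drops the space before the colon that the other entries use. Suggest `- AWS CloudWatch Logs : cloudwatch-logs.md`. The hunk also appends an empty `+` line after the EventBridge entry; ending the file on the `eventbridge.md` line with a single newline is enough.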
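Review bot: In docs/integration/aws/cloudwatch-logs.md, the last Troubleshooting item tells readers to give the subscription filter's IAM role "full acess to Kinesis Firehose", which is broader than a subscription needs and contains a typo. Suggest describing least privilege instead: a role that the CloudWatch Logs service can assume, allowed only write actions such as `firehose:PutRecord` and `firehose:PutRecordBatch` on the delivery stream created in Step 2. Step 3 should also mention selecting or creating that role, since the troubleshooting entry is the only place it appears. Separately, the Overview says the approach works "without storing logs in S3" while Step 2 asks for an S3 backup bucket, the Step 1 example URL is shown as `https:///aws/default/cloudwatch-logs/_kinesis_firehose` with no host, and the file ends without a trailing newline, the same defect this patch fixes in .pages.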
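Review bot: In docs/integration/aws/cognito.md Step 4, the event pattern filters on `"source": ["aws.cognito-idp"]` alone, while the Overview says the events come from CloudTrail and eventbridge.md in this same patch also pins `"detail-type": ["AWS API Call via CloudTrail"]`. Suggest adding the same `detail-type` key so the rule forwards only the CloudTrail records the guide describes, and naming the Cognito API calls readers should expect, since the Overview promises login attempts and authentication behavior. In Step 2 the URL to edit is shown as `https:///aws/default//_kinesis_firehose`, with the host and the stream-name segment both empty; readers are told to set a stream name but cannot see where, so use visible placeholders. The front matter also has blank lines after the opening `---` and before the closing one, unlike the other two new pages.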
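Review bot: In docs/integration/aws/eventbridge.md Step 4, the pattern `"source": ["aws.cloudtrail"]` will not match the record shown in Step 5. EventBridge sets `source` on "AWS API Call via CloudTrail" events to the service that received the call (`aws.ec2` for `StartInstances`), so `aws.cloudtrail` selects only calls made to the CloudTrail API itself. Suggest keeping only the `detail-type` filter, or listing the service sources to forward so they line up with the Overview's EC2, IAM and S3 examples. Please also confirm the Step 5 sample against real ingested output: events routed through EventBridge arrive with the CloudTrail record nested under `detail`, whereas the sample shows `eventSource` and `eventName` at the top level.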
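Review bot: The patch replaces docs/integration/images/aws-integrations/vpc-flow/fetch-url.png, and all three new guides embed that file for the step that copies the ingestion URL and Access Key. Please confirm the new screenshot shows a redacted or dummy key and still reads correctly on any existing page that references it. Since the image is now shared beyond the VPC guide, consider moving it to a common directory instead of leaving it under vpc-flow.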