系列文章
- Grafana 系列文章
AWS Cloudwatch 数据源
对于 AWS Cloudwatch, 次要在于 3 种不同的认证形式:
- AWS SDK Default
- IAM Role
- AK&SK
- Credentials file
当初举荐的是应用 IAM Role 的认证形式,防止了密钥泄露的危险。
然而特地要留神的是,要读取 CloudWatch 指标和 EC2 标签 (tags)、实例、区域和告警,你必须通过 IAM 授予 Grafana 权限。你能够将这些权限附加到你在 AWS 认证中配置的 IAM role 或 IAM 用户。
IAM policy 示例如下:
Metrics-only:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowReadingMetricsFromCloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "cloudwatch:GetInsightRuleReport" ], "Resource": "*" }, { "Sid": "AllowReadingTagsInstancesRegionsFromEC2", "Effect": "Allow", "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"], "Resource": "*" }, { "Sid": "AllowReadingResourcesForTags", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ]}Logs-only:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowReadingLogsFromCloudWatch", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:GetLogGroupFields", "logs:StartQuery", "logs:StopQuery", "logs:GetQueryResults", "logs:GetLogEvents" ], "Resource": "*" }, { "Sid": "AllowReadingTagsInstancesRegionsFromEC2", "Effect": "Allow", "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"], "Resource": "*" }, { "Sid": "AllowReadingResourcesForTags", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ]}Metrics and Logs:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowReadingMetricsFromCloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "cloudwatch:GetInsightRuleReport" ], "Resource": "*" }, { "Sid": "AllowReadingLogsFromCloudWatch", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:GetLogGroupFields", "logs:StartQuery", "logs:StopQuery", "logs:GetQueryResults", "logs:GetLogEvents" ], "Resource": "*" }, { "Sid": "AllowReadingTagsInstancesRegionsFromEC2", "Effect": "Allow", "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"], "Resource": "*" }, { "Sid": "AllowReadingResourcesForTags", "Effect": "Allow", "Action": "tag:GetResources", "Resource": "*" } ]}跨账号可观测性:
{ "Version": "2012-10-17", "Statement": [ { "Action": ["oam:ListSinks", "oam:ListAttachedLinks"], "Effect": "Allow", "Resource": "*" } ]}AWS Cloudwatch 数据源配置示例
几种认证形式的 AWS CLoudwatch 配置示例如下:
AWS SDK(default):
apiVersion: 1datasources: - name: CloudWatch type: cloudwatch jsonData: authType: default defaultRegion: eu-west-2应用 Credentials 配置文件:
apiVersion: 1datasources: - name: CloudWatch type: cloudwatch jsonData: authType: credentials defaultRegion: eu-west-2 customMetricsNamespaces: 'CWAgent,CustomNameSpace' profile: secondary应用 AK&SK:
apiVersion: 1datasources: - name: CloudWatch type: cloudwatch jsonData: authType: keys defaultRegion: eu-west-2 secureJsonData: accessKey: '<your access key>' secretKey: '<your secret key>'应用 AWS SDK Default 和 IAM Role 的 ARM 来 Assume:
apiVersion: 1datasources: - name: CloudWatch type: cloudwatch jsonData: authType: default assumeRoleArn: arn:aws:iam::123456789012:root defaultRegion: eu-west-2Cloudwatch 自带仪表板
Cloudwatch 自带的几个仪表板都不太好用,倡议应用 monitoringartist/grafana-aws-cloudwatch-dashboards 代替。
创立告警的查问
告警须要返回 numeric 数据的查问,而 CloudWatch Logs 反对这种查问。例如,你能够通过应用 stats 命令来启用告警。
这也是一个无效的查问,用于对包含文本 "Exception" 的音讯收回告警:
filter @message like /Exception/ | stats count(*) as exceptionCount by bin(1h) | sort exceptionCount desc跨账户的可察看性
CloudWatch 插件使您可能跨区域账户监控应用程序并排除故障。利用跨账户的可察看性,你能够无缝地搜寻、可视化和剖析指标和日志,而不用放心账户的界线。
要应用这个性能,请在 AWS 控制台的 Cloudwatch 设置下,配置一个 monitoring 和 source 账户,而后依照上文所述增加必要的 IAM 权限。
三人行, 必有我师; 常识共享, 天下为公. 本文由东风微鸣技术博客 EWhisper.cn 编写.