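I have an Elastic Beanstalk application running PHP, and I have enabled CloudWatch log streaming. I am successfully receiving the default logs (e.g. /var/log/nginx/access.log), but I also want to include the PHP error log: /var/log/php-fpm/www-error.log.
I followed the Elastic Beanstalk guide for custom log streaming, which points to the logs-streamtocloudwatch-linux.config file, so I added the following to my .ebextensions/logs-streamtocloudwatch-linux.config: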
packages:
  yum:
    awslogs: []
files:
  "/etc/awslogs/awscli.conf" :
    mode: "000600"
    owner: root
    group: root
    content: |
      [plugins]
      cwlogs = cwlogs
      [default]
      region = `{"Ref":"AWS::Region"}`
  "/etc/awslogs/awslogs.conf" :
    mode: "000600"
    owner: root
    group: root
    content: |
      [general]
      state_file = /var/lib/awslogs/agent-state
  "/etc/awslogs/config/logs.conf" :
    mode: "000600"
    owner: root
    group: root
    content: |
      [/var/log/php-fpm/www-error.log]
      log_group_name = `{"Fn::Join":["/", ["/aws/elasticbeanstalk", { "Ref":"AWSEBEnvironmentName" }, "var/log/php-fpm/www-error.log"]]}`
      log_stream_name = {instance_id}
      file = /var/log/php-fpm/www-error.log
commands:
  "01":
    command: systemctl enable awslogsd.service
  "02":
    command: systemctl restart awslogsd
After deploying my application, I was able to verify that awslogsd is indeed running by executing sudo systemctl status awslogsd.service:
● awslogsd.service - awslogs daemon
Loaded: loaded (/usr/lib/systemd/system/awslogsd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2023-04-25 04:38:01 UTC; 42min ago
Main PID: 12100 (aws)
CGroup: /system.slice/awslogsd.service
└─12100 /usr/bin/python2 -s /usr/bin/aws logs push --config-file /etc/awslogs/awslogs.conf --additional-configs-dir /etc/awslogs/config
Apr 25 04:38:01 ip-172-31-40-232.eu-west-1.compute.internal systemd[1]: Started awslogs daemon.
However, the logs did not appear, so I opened /var/log/awslogs.log and saw this:
2023-04-25 05:23:29,023 - cwlogs.push - INFO - 15899 - MainThread - Loading additional configs from /etc/awslogs/config/logs.conf
2023-04-25 05:23:29,024 - cwlogs.push - INFO - 15899 - MainThread - Missing or invalid value for use_gzip_http_content_encoding config. Defaulting to use gzip encoding.
2023-04-25 05:23:29,024 - cwlogs.push - INFO - 15899 - MainThread - Missing or invalid value for queue_size config. Defaulting to use 10
2023-04-25 05:23:29,024 - cwlogs.push - INFO - 15899 - MainThread - Using default logging configuration.
2023-04-25 05:23:29,030 - cwlogs.push - WARNING - 15899 - MainThread - Unable to get instance id, use ip-172-31-40-232.eu-west-1.compute.internal instead.
2023-04-25 05:23:29,032 - cwlogs.push.stream - INFO - 15899 - Thread-1 - Starting publisher for [112e68af25774e9b29f317ecff7ab444, /var/log/php-fpm/www-error.log]
2023-04-25 05:23:29,032 - cwlogs.push.stream - INFO - 15899 - Thread-1 - Starting reader for [112e68af25774e9b29f317ecff7ab444, /var/log/php-fpm/www-error.log]
2023-04-25 05:23:29,033 - cwlogs.push.reader - INFO - 15899 - Thread-4 - Replay events end at 440.
2023-04-25 05:23:29,033 - cwlogs.push.reader - INFO - 15899 - Thread-4 - Start reading file from 0.
2023-04-25 05:23:30,073 - cwlogs.push.publisher - WARNING - 15899 - Thread-3 - Caught exception: An error occurred (ResourceNotFoundException) when calling the PutLogEvents operation: The specified log stream does not exist.
2023-04-25 05:23:30,082 - cwlogs.push.batch - INFO - 15899 - Thread-3 - Creating log group /aws/elasticbeanstalk/Project-env/var/log/php-fpm/www-error.log.
2023-04-25 05:23:30,140 - cwlogs.push.batch - WARNING - 15899 - Thread-3 - CreateLogGroup failed with exception An error occurred (AccessDeniedException) when calling the CreateLogGroup operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/aws-elasticbeanstalk-ec2-role/i-09e9f90439a175bb1 is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:eu-west-1:XXXXXXXXXXXX:log-group:/aws/elasticbeanstalk/Project-env/var/log/php-fpm/www-error.log:log-stream: because no identity-based policy allows the logs:CreateLogGroup action
2023-04-25 05:23:30,140 - cwlogs.push.batch - WARNING - 15899 - Thread-3 - An error occurred (AccessDeniedException) when calling the CreateLogGroup operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/aws-elasticbeanstalk-ec2-role/i-09e9f90439a175bb1 is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:eu-west-1:XXXXXXXXXXXX:log-group:/aws/elasticbeanstalk/Project-env/var/log/php-fpm/www-error.log:log-stream: because no identity-based policy allows the logs:CreateLogGroup action
2023-04-25 05:23:30,140 - cwlogs.push.batch - WARNING - 15899 - Thread-3 - Method "_setup_resources" failed, backing off 1.28654892445 seconds, and retrying
As you can see, there is a permission error, and the CloudWatch agent is unable to create the log group:
An error occurred (AccessDeniedException) when calling the CreateLogGroup operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/aws-elasticbeanstalk-ec2-role/i-09e9f90439a175bb1 is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:eu-west-1:XXXXXXXXXXXX:log-group:/aws/elasticbeanstalk/Project-env/var/log/php-fpm/www-error.log:log-stream: because no identity-based policy allows the logs:CreateLogGroup action
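Since a log group only needs to be created once, I figured I would create it manually rather than add the permission to aws-elasticbeanstalk-ec2-role. So I went to the AWS console, manually created the /aws/elasticbeanstalk/Project-env/var/log/php-fpm/www-error.log log group, and verified it with aws logs describe-log-groups: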
- arn: arn:aws:logs:eu-west-1:XXXXXXXXXXXX:log-group:/aws/elasticbeanstalk/Project-env/var/log/php-fpm/www-error.log:*
  creationTime: 1682396467491
  logGroupName: /aws/elasticbeanstalk/Project-env/var/log/php-fpm/www-error.log
  metricFilterCount: 0
  retentionInDays: 7
  storedBytes: 0
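Then I restarted the CloudWatch agent with sudo systemctl restart awslogsd.service, but I got exactly the same error. I tried restarting the app server and even redeploying the application, but nothing helped.
I double-checked the name and it matches, so it is not a typo. So why would the CloudWatch agent try to create a log group that already exists?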
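I am worried that this CloudWatch agent is outdated, because the Elastic Beanstalk documentation I linked earlier refers to the CloudWatch Logs agent reference, which states the following:
This reference is for the older CloudWatch Logs agent, which is deprecated. If you use Instance Metadata Service Version 2 (IMDSv2), you must use the new unified CloudWatch agent. Even if you are not using IMDSv2, we strongly recommend that you use the newer unified CloudWatch agent instead of the older logs agent.
Did I just stumble upon a bug in deprecated software, or am I doing something wrong?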
Edit: The problem in this Stack Overflow question was a typo, where CloudWatch was using an incorrect region. That is not my case. Here is the result of sudo cat /etc/awslogs/awscli.conf:
[plugins]
cwlogs = cwlogs
[default]
region = eu-west-1
...and my region is indeed eu-west-1 (Ireland).
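
An added example, not part of the original question: a small Python parser that pulls each API failure and each denied (role, action, resource) triple out of awslogs.log lines like the ones quoted above, so the agent's repeated retries collapse to the distinct IAM denials to review. The function names are illustrative, and the sample input is reproduced from the excerpt in the question.

```python
import re
from collections import Counter

# Sample input: four lines reproduced from the awslogs.log excerpt in the
# question (account ID redacted there as XXXXXXXXXXXX).
_PREFIX = "2023-04-25 05:23:30,140 - cwlogs.push.batch - WARNING - 15899 - Thread-3 - "
_DENIED = (
    "An error occurred (AccessDeniedException) when calling the CreateLogGroup "
    "operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/"
    "aws-elasticbeanstalk-ec2-role/i-09e9f90439a175bb1 is not authorized to "
    "perform: logs:CreateLogGroup on resource: arn:aws:logs:eu-west-1:"
    "XXXXXXXXXXXX:log-group:/aws/elasticbeanstalk/Project-env/var/log/php-fpm/"
    "www-error.log:log-stream: because no identity-based policy allows the "
    "logs:CreateLogGroup action"
)
SAMPLE_LOG = "\n".join([
    "2023-04-25 05:23:30,073 - cwlogs.push.publisher - WARNING - 15899 - Thread-3 - "
    "Caught exception: An error occurred (ResourceNotFoundException) when calling "
    "the PutLogEvents operation: The specified log stream does not exist.",
    _PREFIX + "CreateLogGroup failed with exception " + _DENIED,
    _PREFIX + _DENIED,
    _PREFIX + 'Method "_setup_resources" failed, backing off 1.28654892445 seconds, and retrying',
])

API_ERROR = re.compile(r"An error occurred \((\w+)\) when calling the (\w+) operation")
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w:]+) on resource: (?P<resource>\S+)"
)

def api_errors(log_text):
    """Count (error code, API operation) pairs reported by the agent."""
    return Counter(API_ERROR.findall(log_text))

def denied_calls(log_text):
    """Return unique (role, action, resource) triples from AccessDenied lines."""
    found = set()
    for m in DENIED.finditer(log_text):
        principal = m.group("principal")
        # An assumed-role ARN ends in .../assumed-role/<role>/<session>.
        role = principal.split("/")[1] if ":assumed-role/" in principal else principal
        found.add((role, m.group("action"), m.group("resource")))
    return sorted(found)

if __name__ == "__main__":
    for (code, op), n in api_errors(SAMPLE_LOG).items():
        print(f"{n}x {code} on {op}")
    for role, action, resource in denied_calls(SAMPLE_LOG):
        print(f"{role} lacks {action} on {resource}")
```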