Last updated on April 28, 2023
This sample exam lab was taken from our AWS Certified SysOps Administrator Associate Practice Exams. Check out our practice test course for more exam lab scenarios.
LEARNING OBJECTIVE
The goal of this lab exercise is to help you understand how you can leverage CloudWatch Logs, CloudWatch Metrics, CloudWatch Alarms, and Amazon SNS services in creating an automated alarm system that can inform you of unusual activity in your AWS cloud environment.
TIME: 20 MINUTES
SCENARIO
In this scenario, you have to create a CloudWatch alarm that publishes a message to an SNS topic when triggered. The alarm state is based on a custom metric filter generated from a CloudWatch log group. You also need to test whether the metric filter correctly filters the logs based on the criteria detailed in the instructions.
INSTRUCTIONS
1. Create an SNS topic and name it td-instance-alarms.
2. Create an email subscription to the topic using td-labs@tutorialsdojo.com.
3. Create a log group and name it td-instance-logs and configure the log group to retain logs for 1 year.
4. Create a metric filter using the td-instance-logs log group and name it td-instance-http-5xx-metric. Create a filter pattern that monitors all of the HTTP 500-level errors and name it td-instance-http-5xx-filter. Use these log events to test the pattern you created.
127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287
127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /~test/ HTTP/1.1" 200 3
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 501 308
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 503 308
127.0.0.1 - - [24/Sep/2013:11:51:34 -0700] "GET /~test/index.html HTTP/1.1" 200 3
5. Create an alarm using the custom metric filter you just created. Set the metric name to td-instance-http-5xx-sum.
6. Configure the alarm to evaluate every minute and set the total threshold to greater than 5. Then, set the alarm threshold to 3 units.
7. Publish a message to the td-instance-alarms topic when ALARM state is triggered. Set the alarm name to td-instance-5xx-alarm.
You can stop at this point and try the lab exercise by yourself. Otherwise, you can proceed with the walkthrough we created to guide you in performing this lab exercise.
EXAM LAB GUIDE
Instruction #1 – Create an SNS topic and name it td-instance-alarms.
In this scenario, the type of SNS topic that will be created for this lab is a Standard type since the SNS topic required doesn’t need to send messages to an Amazon SQS FIFO queue.
1. First, navigate to the Amazon SNS page, and on the navigation panel, select Topics.
2. On the Topics Page, select Create topic.
3. On the Create topic page, in the Details section, define the topic type and the name:
a. Choose Standard as Type.
b. Enter td-instance-alarms as the name.
4. Then, click Create Topic.
INSTRUCTION #2 – Create an email subscription to the topic using td-labs@tutorialsdojo.com.
Creating an email subscription to an SNS topic is straightforward.
1. Select the SNS topic td-instance-alarms.
2. Go to the Subscriptions tab and click Create subscription.
3. Choose Email as the Protocol, and enter the email td-labs@gmail.com.
Instruction #3 – Create a log group and name it td-instance-logs and configure the log group to retain logs for 1 year.
1. Navigate to the CloudWatch page, and on the navigation panel, click Log groups.
2. Set the log group name to td-instance-log-group, and the retention setting to 12 months.
3. Click Create.
Instruction #4 – Create a metric filter using the td-instance-logs log group and name it td-instance-http-5xx-metric. Create a filter pattern that monitors all of the HTTP 500-level errors and name it td-instance-http-5xx-filter. Use these log events to test the pattern you created.
127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287
127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /~test/ HTTP/1.1" 200 3
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 501 308
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 503 308
127.0.0.1 - - [24/Sep/2013:11:51:34 -0700] "GET /~test/index.html HTTP/1.1" 200 3
In this step, there are three things that need to be done. The first is to create a metric filter from the log group. Then, define the filter pattern. Last is to test the pattern using the sample log events provided.
1. Navigate to the CloudWatch page, and on the navigation panel, click Log groups.
2. Select the name of the log group.
3. Select Actions, and then click Create metric filter.
4. Create a metric filter pattern that detects all the HTTP 5xx errors logged.
- On the Create metric filter page, define the filter pattern.
- To create a filter pattern, we need to understand the anatomy of a log event. Take a look at this log entry that details information about an HTTP request.
127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287
- Notice that each piece of data is separated by a space character. Each of these pieces is called a term. Characters enclosed in square brackets or in double quotes count as a single term, even when they contain spaces. In this scenario, you have seven terms, and the sixth term represents the HTTP status code of the log event.
- Suppose you have a log stream that contains log entries for HTTP requests that look like this:
127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287
127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /~test/ HTTP/1.1" 200 3
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 501 308
127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 503 308
127.0.0.1 - - [24/Sep/2013:11:51:34 -0700] "GET /~test/index.html HTTP/1.1" 200 3
- You should be able to filter log events that contain an HTTP 5xx status code by creating a filter pattern like this:
[host, logName, user, timestamp, request, statusCode=5*, size]
- Notice that there are multiple term names inside the square brackets and each of the term names matches a value in a log event. You should do this when creating a filter pattern with multiple terms.
- The requirement is to filter logs that contain 5xx HTTP status codes. So, you have to include a search condition =5* on the statusCode term. Then, use the asterisk '*' wildcard character to match any text right after a search term.
5. Test if the filter pattern is working.
To test if the filter pattern is working, select Custom Log Data.
You should be able to see 4 logs in the Results section.
6. Click Next and enter the filter name.
7. Enter the namespace, metric name, metric value, and default value.
8. Click Next, and then click Create metric filter.
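The matching described in step 4, as an added example that is not part of the original lab: a simplified Python model of a space-delimited filter pattern, run over the lab's six sample events. The function names are hypothetical, and only the `=` condition with the `*` wildcard is modelled.

```python
import re

# The lab's six sample log events, as given on the page.
SAMPLE_EVENTS = [
    '127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287',
    '127.0.0.1 - - [24/Sep/2013:11:49:52 -0700] "GET /index.html HTTP/1.1" 500 287',
    '127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /~test/ HTTP/1.1" 200 3',
    '127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 501 308',
    '127.0.0.1 - - [24/Sep/2013:11:50:51 -0700] "GET /favicon.ico HTTP/1.1" 503 308',
    '127.0.0.1 - - [24/Sep/2013:11:51:34 -0700] "GET /~test/index.html HTTP/1.1" 200 3',
]
PATTERN = "[host, logName, user, timestamp, request, statusCode=5*, size]"

# A term is a [bracketed] run, a "quoted" run, or a run of non-space characters.
TERM_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def split_terms(event):
    """Split one log event into its space-delimited terms."""
    return TERM_RE.findall(event)


def parse_pattern(pattern):
    """Return (name, condition) pairs; condition is None when the term is unconstrained."""
    pairs = []
    for part in pattern.strip()[1:-1].split(","):
        name, _, condition = part.strip().partition("=")
        pairs.append((name.strip(), condition.strip() or None))
    return pairs


def matches(pattern, event):
    """True when the event has one term per pattern name and every condition holds."""
    pairs, terms = parse_pattern(pattern), split_terms(event)
    if len(pairs) != len(terms):
        return False
    for (_, condition), term in zip(pairs, terms):
        if condition is None:
            continue
        # Translate the '*' wildcard into a regex; everything else is literal.
        regex = ".*".join(re.escape(piece) for piece in condition.split("*"))
        if not re.fullmatch(regex, term):
            return False
    return True


def filter_events(pattern, events):
    return [event for event in events if matches(pattern, event)]
```

Calling `filter_events(PATTERN, SAMPLE_EVENTS)` returns the four events with status 500, 500, 501 and 503, the same count the console test shows.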
INSTRUCTION #5 – Create an alarm using the custom metric filter you just created.
You can create an alarm for a metric filter by going to the Metric Filters section of the td-instance-log-group. No need to go to the CloudWatch Alarms page.
1. To create an alarm for a metric filter, go to the td-instance-log-group and select the Metric Filter Section.
2. Select the metric filter you just created and click Create alarm.
3. Set the metric name for the alarm to td-instance-http-5xx-sum.
INSTRUCTION #6 – Configure the alarm to evaluate every minute and set the total metric threshold to greater than 5. Then, set the alarm threshold to 3 units.
1. Set Statistic to Sum (since we need to create the total metric threshold) and the Period (length of time to evaluate the metric or expression) to 1 minute.
2. Set the condition to greater than 5.
3. The instruction that states “set the alarm threshold to 3 units” means that you need to define the number of data points within the evaluation periods that must breach the threshold to cause the alarm to go into the ALARM state. Since it is 3 units, it means that both the Evaluation Period and Datapoints to alarm should be set to 3.
The first number represents the Datapoints to Alarm and the latter represents the Evaluation Period.
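How these settings combine, as an added example that is not part of the original lab: a simplified Python model of a Sum statistic over 1-minute periods evaluated as 3 out of 3 datapoints against the threshold. It assumes a metric value of 1 per matched event and a default value of 0; the function names and the sample data are constructed for illustration.

```python
from collections import Counter

# Alarm settings from the lab instructions.
PERIOD_SECONDS = 60        # evaluate every minute
THRESHOLD = 5              # condition: Sum greater than 5
EVALUATION_PERIODS = 3     # the "3 units" from the lab
DATAPOINTS_TO_ALARM = 3

# Constructed sample: seconds (from an arbitrary start) at which the metric
# filter matched a 5xx event; 8, 5, 7, 6, 9 and 3 matches in minutes 0 to 5.
CONSTRUCTED_MATCH_SECONDS = [
    minute * 60 + k
    for minute, count in enumerate([8, 5, 7, 6, 9, 3])
    for k in range(count)
]


def per_minute_sums(match_seconds, minutes):
    """Sum statistic per 1-minute period. Assumes metric value 1 per match
    and default value 0, so a period with no match yields a 0 datapoint."""
    counts = Counter(second // PERIOD_SECONDS for second in match_seconds)
    return [counts.get(minute, 0) for minute in range(minutes)]


def alarm_states(sums):
    """State after each complete window of EVALUATION_PERIODS datapoints."""
    states = []
    for end in range(EVALUATION_PERIODS, len(sums) + 1):
        window = sums[end - EVALUATION_PERIODS:end]
        breaching = sum(1 for value in window if value > THRESHOLD)
        states.append("ALARM" if breaching >= DATAPOINTS_TO_ALARM else "OK")
    return states


if __name__ == "__main__":
    sums = per_minute_sums(CONSTRUCTED_MATCH_SECONDS, 6)
    print(sums, alarm_states(sums))
```

A minute with exactly 5 errors does not breach the "greater than 5" condition, and a single bad minute never raises the alarm: only the window of minutes 2 to 4 (7, 6 and 9 errors) reaches ALARM.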
Instruction #7 – Publish a message to the td-instance-alarms topic when the ALARM state is triggered.
1. Set the In alarm notification to an SNS topic and choose td-instance-alarms.
2. Set the alarm name to td-instance-5xx-alarm.