Remote Logging test for AWS CloudWatch Agent

[micchickenburger]

Is your feature request related to a problem? Please describe. In the Checking remote logging test, it doesn't seem that lynis is aware of AWS CloudWatch Agent, which can be configured to send logs to a CloudWatch log stream for both EC2 instances and on-prem servers.

Describe the solution you'd like I think finding the amazon cloudwatch agent configuration file and checking to see that the logs list has contents could work. I think the configuration path is typically /opt/aws/amazon-cloudwatch-agent/bin/config.json.

Using jq, here is an example of validating that this agent is configured for remote logging (as opposed to just metrics collection):

$ cat /opt/aws/amazon-cloudwatch-agent/bin/config.json | jq '.logs.logs_collected.files.collect_list | length'
3

In this case there are three logs that are being sent remotely to CloudWatch. Example contents of these three log file configurations is as follows:

$ cat /opt/aws/amazon-cloudwatch-agent/bin/config.json | jq '.logs.logs_collected.files.collect_list'

[
  {
    "file_path": "/var/log/auth.log",
    "log_group_name": "auth.log",
    "log_stream_name": "{instance_id}",
    "retention_in_days": 90
  },
  {
    "file_path": "/var/log/kern.log",
    "log_group_name": "kern.log",
    "log_stream_name": "{instance_id}",
    "retention_in_days": 90
  },
  {
    "file_path": "/var/log/syslog",
    "log_group_name": "syslog",
    "log_stream_name": "{instance_id}",
    "retention_in_days": 90
  }
]

And of course, validating that the service is even running:

$ sudo systemctl status amazon-cloudwatch-agent

Required changes A new tests needs to be added.

[micchickenburger]

There is also a log-config.json file that could be checked to see if it exists and contains contents other than {}.

$ cat /opt/aws/amazon-cloudwatch-agent/etc/log-config.json 
{"version":"1","log_configs":[{"log_group_name":"auth.log"},{"log_group_name":"kern.log"},{"log_group_name":"syslog"}],"region":"us-east-2"}