diff --git a/docs/observability/aws/deploy-use-aws-observability/deploy-with-aws-cloudformation/index.md b/docs/observability/aws/deploy-use-aws-observability/deploy-with-aws-cloudformation/index.md
index 4a822c768d..d52228dc4c 100644
--- a/docs/observability/aws/deploy-use-aws-observability/deploy-with-aws-cloudformation/index.md
+++ b/docs/observability/aws/deploy-use-aws-observability/deploy-with-aws-cloudformation/index.md
@@ -57,14 +57,14 @@ AWS Observability integrates with the [AWS Observability view](/docs/dashboards/
The table below displays the response for each text box in this section.
-| Prompt | Guideline |
-|:--|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Sumo Logic Deployment Name | Enter au, ca, de, eu, jp, us2, fed, kr, or us1. See [Sumo Logic Endpoints and Firewall Security](/docs/api/about-apis/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for more information on Sumo Logic deployments. |
-| Sumo Logic Access ID | Sumo Logic Access ID. See [Access Keys](/docs/manage/security/access-keys) for more information. |
-| Sumo Logic Access Key | Sumo Logic Access Key. This key is used for Sumo Logic API calls. |
-| Sumo Logic Organization ID | You can find your org on the Preferences page in the Sumo Logic UI. Your org ID will be used to configure the IAM Role for Sumo Logic AWS Sources. |
-| Delete Sumo Logic Resources when stack is deleted | To delete collectors, sources and apps in Sumo Logic when the stack is deleted, set this parameter to "True". If this is set to "False", Sumo Logic resources are not deleted when the AWS CloudFormation stack is deleted. Deletion of updated resources will be skipped. |
-| Send telemetry to Sumo Logic | To send solution telemetry to Sumo Logic. This will help to troubleshoot the issues occurring during solution installation. To Opt-out change this to `false`, default value is `true` |
+| Prompt | Guideline |
+|:--|:--|
+| Sumo Logic Deployment Name | Enter au, ca, de, eu, jp, us2, fed, kr, or us1. See [Sumo Logic Endpoints and Firewall Security](/docs/api/about-apis/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for more information on Sumo Logic deployments. |
+| Sumo Logic Access ID | Sumo Logic Access ID. See [Access Keys](/docs/manage/security/access-keys) for more information. |
+| Sumo Logic Access Key | Sumo Logic Access Key. This key is used for Sumo Logic API calls. |
+| Sumo Logic Organization ID | You can find your org on the Preferences page in the Sumo Logic UI. Your org ID will be used to configure the IAM Role for Sumo Logic AWS Sources. |
+| Delete Sumo Logic Resources when stack is deleted | To delete collectors, sources, and apps in Sumo Logic when the stack is deleted, set this parameter to "True". If this is set to "False", Sumo Logic resources are not deleted when the AWS CloudFormation stack is deleted. Deletion of updated resources will be skipped. |
+| Send telemetry to Sumo Logic | To send solution telemetry to Sumo Logic. This will help to troubleshoot the issues occurring during solution installation. To Opt-out change this to `false`, the default value is `true`. |
## Step 3: AWS account alias
@@ -88,12 +88,12 @@ You should only install the AWS Observability apps and alerts the first time you
The table below displays the response for each text box in this section.
-| Prompt | Guideline |
-| :-- |:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Select the kind of CloudWatch Metrics Source to create | - **CloudWatch Metrics Source** - Creates Sumo Logic AWS CloudWatch Metrics Sources.
- **Kinesis Firehose Metrics Source (Recommended)** - Creates a Sumo Logic AWS Kinesis Firehose for Metrics Source.
**Note:** This new source has cost and performance benefits over the CloudWatch Metrics Source is therefore recommended. - **None** - Skips the Installation of both the Sumo Logic Sources
|
-| Sumo Logic AWS Metrics Namespaces | Enter a comma-delimited list of the namespaces which will be used for AWS CloudWatch Metrics.
The default will be AWS/ApplicationELB, AWS/ApiGateway, AWS/DynamoDB, AWS/Lambda, AWS/RDS, AWS/ECS, AWS/ElastiCache, AWS/ELB, AWS/NetworkELB, AWS/SQS, AWS/SNS, and AWS/EC2. You can provide both AWS as well as custom namespaces.
Supported namespaces are based on the type of CloudWatch Metrics Source you have selected above. See the relevant docs for the [Kinesis Firehose Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source.md) and the [CloudWatch Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics.md) for details on which namespaces they support. |
-| Existing Sumo Logic Metrics Source API URL | You must supply this URL if you are already collecting CloudWatch Metrics. Provide the existing Sumo Logic Metrics Source API URL. The account field will be added to the Source. For information on how to determine the URL, see [View or Download Source JSON Configuration](/docs/send-data/use-json-configure-sources/local-configuration-file-management/view-download-source-json-configuration.md). |
-| Sumo Logic AWS Metrics Tag Filters | Provide JSON format of the namespaces with its tags values to add filters to your metrics. Use semicolons to separate multiple values for the same tag key. AWS Tag Filters will be added to the Source. See JSON format example: ```json {"AWS/ELB":{"tags":["env=prod;dev"]},"AWS/EC2":{"tags":["env=dev","creator=john"]},"AWS/RDS":{"tags":["env=prod;dev","creator=himan"]},"All":{"tags":["env=dev"]}}``` .
Filters are not supported for custom metrics. |
+| Prompt | Guideline |
+| :-- |:--|
+| Select the kind of CloudWatch Metrics Source to create | - **CloudWatch Metrics Source** - Creates Sumo Logic AWS CloudWatch Metrics Sources.
- **Kinesis Firehose Metrics Source (Recommended)** - Creates a Sumo Logic AWS Kinesis Firehose for Metrics Source.
**Note:** This new source has cost and performance benefits over the CloudWatch Metrics Source is therefore recommended. - **None** - Skips the Installation of both the Sumo Logic Sources
|
+| Sumo Logic AWS Metrics Namespaces | Enter a comma-delimited list of the namespaces which will be used for AWS CloudWatch Metrics.
The default will be AWS/ApplicationELB, AWS/ApiGateway, AWS/DynamoDB, AWS/Lambda, AWS/RDS, AWS/ECS, AWS/ElastiCache, AWS/ELB, AWS/NetworkELB, AWS/SQS, AWS/SNS, and AWS/EC2. You can provide both AWS as well as custom namespaces.
Supported namespaces are based on the type of CloudWatch Metrics Source you have selected above. See the relevant docs for the [Kinesis Firehose Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source.md) and the [CloudWatch Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics.md) for details on which namespaces they support. |
+| Existing Sumo Logic Metrics Source API URL | You must supply this URL if you are already collecting CloudWatch Metrics. Provide the existing Sumo Logic Metrics Source API URL. The account field will be added to the Source. For information on how to determine the URL, see [View or Download Source JSON Configuration](/docs/send-data/use-json-configure-sources/local-configuration-file-management/view-download-source-json-configuration.md). |
+| Sumo Logic AWS Metrics Tag Filters | Provide JSON format of the namespaces with its tags values to add filters to your metrics. Use semicolons to separate multiple values for the same tag key. AWS Tag Filters will be added to the Source. See JSON format example: ```json {"AWS/ELB":{"tags":["env=prod;dev"]},"AWS/EC2":{"tags":["env=dev","creator=john"]},"AWS/RDS":{"tags":["env=prod;dev","creator=himan"]},"All":{"tags":["env=dev"]}}``` .
Filters are not supported for custom metrics. |
## Step 6: Sumo Logic AWS ALB Log Source
@@ -107,6 +107,10 @@ The table below displays the response for each text box in this section.
| AWS S3 Bucket Name | If you selected "No" to creating a new source above, skip this step. Provide a name of an existing S3 bucket name where you would like to store ALB logs. If this is empty, a new bucket will be created in the region |
| Path Expression for the Existing ALB logs | This is required in case the above existing bucket is already configured to receive ALB access logs. If this is blank, Sumo Logic will store logs in the path expression: `elasticloadbalancing/AWSLogs/*` |
+ :::note
+ CloudTrail must be enabled for EventBridge to capture `CreateLoadBalancer` events, since these events are recorded and delivered through CloudTrail.
+ :::
+
## Step 7: Sumo Logic AWS CloudTrail Source
The table below displays the response for each text box in this section.
@@ -135,6 +139,7 @@ The table below displays the response for each text box in this section.
:::note
* Don't use forward slashes (`/`) to encapsulate the regex. While normally they are needed for raw code, it's not necessary here.
* Use regex `.*` for auto-subscribing all log groups.
+ * CloudTrail must be enabled for EventBridge to capture `CreateLogGroup` events, since these events are recorded and delivered through CloudTrail.
:::
## Step 9: Sumo Logic AWS ELB Classic Log Source
@@ -149,6 +154,10 @@ The table below displays the response for each text box in this section.
| AWS S3 Bucket Name | If you selected "No" to create a new source above, skip this step. Provide a name of an existing S3 bucket name where you would like to store ELB Classic logs. If this is empty, a new bucket will be created in the region. |
| Path Expression for the Existing ELB Classic logs | This is required in case the above existing bucket is already configured to receive ELB Classic access logs. If this is blank, Sumo Logic will store logs in the path expression: `classicloadbalancing/AWSLogs/*` |
+ :::note
+ CloudTrail must be enabled for EventBridge to capture `CreateLoadBalancer` events, since these events are recorded and delivered through CloudTrail.
+ :::
+
## Step 10: App Installation and Sharing
The table below displays the response for each text box in this section.
@@ -167,10 +176,10 @@ The table below displays the response for each text box in this section.
## Modify the source categories
-The AWS Observability CloudFormation template creates collector and sources with pre-configured names and source categories. The capability to update the source categories has been added from version v2.1.0 and above.
+The AWS Observability CloudFormation template creates collectors and sources with pre-configured names and source categories. The capability to update the source categories has been added from version v2.1.0 and above.
:::note
-Do not update the source names as created by CloudFormation template in Sumo Logic. Updating the source name will break the FERs and impact the AWS Observability dashboards.
+Do not update the source names as created by the CloudFormation template in Sumo Logic. Updating the source name will break the FERs and impact the AWS Observability dashboards.
:::
Follow the steps below to change the default source categories
@@ -191,7 +200,7 @@ To debug an AWS CloudFormation installation failure, do the following:
1. After the stack rollback is complete and the status is ROLLBACK_COMPLETE, go to the parent stack. In the parent stack, look for the first failure as shown in the following example. The failure can be a direct reason or can point to a nested stack.
})
1. Look for direct reasons for the failure that is available in the parent stack, as shown in the following example.
})
-1. To find indirect reasons for the failure, go to the nested stack mentioned in the status reason, as shown in the following example. Take a note of the resources mentioned in the reason.
})
+1. To find indirect reasons for the failure, go to the nested stack mentioned in the status reason, as shown in the following example. Take note of the resources mentioned in the reason.
1. Select the deleted option to find the nested stacks, as shown in the following example.
})
1. Go to the nested stack and look for the resource mentioned in the previous step to identify the reason, as shown in the following example.
})
@@ -223,9 +232,11 @@ Below are some common errors that can occur while using the CloudFormation templ
| Error | Description | Resolution |
|:--|:--|:--|
| The API rate limit for this user has been exceeded. | This error indicates that AWS CloudFormation execution has exceeded the API rate limit set on the Sumo Logic side. It can occur if you install the AWS CloudFormation template in multiple regions or accounts using the same Access Key and Access ID. | - Re-deploy the deployment stack without updating the stack in the template. Re-running will detect the drift and create remaining resources.
- If the throttling problem persists, try to break down the multi-region deployment into parts and use distinct access IDs and access keys for each part. |
-| S3 Bucket already exists. | The error can occur if:
- An S3 bucket with the same name exists in S3, or
- The S3 Bucket is not present in S3 but is referenced by some other AWS CloudFormation stack which created it. | - Remove the S3 bucket from S3 or select “No” in the AWS Cloudformation template for S3 bucket creation.
- Remove the AWS CloudFormation Stack which references the S3 bucket. |
+| S3 Bucket already exists. | The error can occur if:
- An S3 bucket with the same name exists in S3, or
- The S3 Bucket is not present in S3 but is referenced by some other AWS CloudFormation stack that created it. | - Remove the S3 bucket from S3 or select “No” in the AWS CloudFormation template for S3 bucket creation.
- Remove the AWS CloudFormation Stack which references the S3 bucket. |
| The S3 bucket you tried to delete is not empty. | The error can occur when deleting the stack with a non-empty S3 bucket. | Delete the S3 bucket manually if you do not need the bucket or its content in the future. |
-| Invalid IAM role OR AccessDenied | This error can occur when Sumo Logic access keys are disabled or do not have the required permissions. | - Refer to [Edit, activate/deactivate, rotate, or delete access keys](/docs/manage/security/access-keys/#edit-activatedeactivate-rotate-or-delete-access-keys) for access keys activation.
- Refer to [Role capabilities](/docs/observability/aws/deploy-use-aws-observability/before-you-deploy/#prerequisites) for permissions related issues. |
+| Invalid IAM role OR AccessDenied. | This error can occur when Sumo Logic access keys are disabled or do not have the required permissions. | - Refer to [Edit, activate/deactivate, rotate, or delete access keys](/docs/manage/security/access-keys/#edit-activatedeactivate-rotate-or-delete-access-keys) for access keys activation.
- Refer to [Role capabilities](/docs/observability/aws/deploy-use-aws-observability/before-you-deploy/#prerequisites) for permissions related issues. |
+| Subscription filters are not applied to newly created log groups. | This error can occur when CloudTrail is not enabled for EventBridge to capture `CreateLogGroup` events. | CloudTrail must be enabled for EventBridge to capture `CreateLogGroup` events, since these events are recorded and delivered through CloudTrail. |
+| Access logs are not enabled for the Load Balancer. | This error can occur when CloudTrail is not enabled for EventBridge to capture `CreateLoadBalancer` events. | CloudTrail must be enabled for EventBridge to capture `CreateLoadBalancer` events, since these events are recorded and delivered through CloudTrail. |
### Rolling back the AWS Observability Solution
@@ -244,10 +255,10 @@ To uninstall the AWS Observability Solution:
### Remove the account from AWS Observability hierarchy
-AWS Observability hierarchy is auto-populated based on the metrics ingested into Sumo Logic with an account tag on the metric source. To remove any AWS account from the AWS Observability hierarchy, you need to remove the data sources ingesting metrics data or remove the account tag from the same metric source. After this, the account will be removed automatically in the next 24 hours. Follow the below the steps to remove the account from the AWS Observability hierarchy:
+AWS Observability hierarchy is auto-populated based on the metrics ingested into Sumo Logic with an account tag on the metric source. To remove any AWS account from the AWS Observability hierarchy, you need to remove the data sources ingesting metrics data or remove the account tag from the same metric source. After this, the account will be removed automatically in the next 24 hours. Follow the steps below to remove the account from the AWS Observability hierarchy:
1. Identify the account that you want to remove from the AWS Observability hierarchy. For example, let's assume you want to remove `mobilebankingprod` from the hierarchy.
})
-1. Run the required metric query to identify from which source and collector data is getting ingested. For this example, enter the below metric query:
+1. Run the required metric query to identify from which source and collector data is being ingested. For this example, enter the metric query below:
```sql
account= mobilebankingprod | count by _collector , _source
```
diff --git a/docs/observability/aws/deploy-use-aws-observability/deploy-with-terraform.md b/docs/observability/aws/deploy-use-aws-observability/deploy-with-terraform.md
index f0809a2894..617d041953 100644
--- a/docs/observability/aws/deploy-use-aws-observability/deploy-with-terraform.md
+++ b/docs/observability/aws/deploy-use-aws-observability/deploy-with-terraform.md
@@ -849,7 +849,7 @@ elb_source_details = {
#### auto_enable_access_logs
-Enable Application Load Balancer (ALB) Access logging.
+Enable Application Load Balancer (ALB) Access logging.
You have the following options:
@@ -872,6 +872,10 @@ Example JSON for newly created ALB resources only.
auto_enable_access_logs = "New"
```
+ :::note
+ CloudTrail must be enabled for EventBridge to capture `CreateLoadBalancer` events, since these events are recorded and delivered through CloudTrail.
+ :::
+
#### elb_log_source_url
Required if you are already collecting ALB logs. Provide the existing Sumo Logic ALB Source API URL. The account, accountid, region and namespace fields will be added to the Source. For information on how to determine the URL, see [View or Download Source JSON Configuration](/docs/send-data/use-json-configure-sources/local-configuration-file-management/view-download-source-json-configuration).
@@ -1000,6 +1004,11 @@ Example JSON for newly created ALB resources only.
auto_enable_classic_lb_access_logs = "New"
```
+ :::note
+ CloudTrail must be enabled for EventBridge to capture `CreateLoadBalancer` events, since these events are recorded and delivered through CloudTrail.
+ :::
+
+
#### classic_lb_log_source_url
Required if you are already collecting Classic LB logs. Provide the existing Sumo Logic Classic LB Source API URL. The account, accountid, region and namespace fields will be added to the Source. For information on how to determine the URL, see [View or Download Source JSON Configuration](/docs/send-data/use-json-configure-sources/local-configuration-file-management/view-download-source-json-configuration).
@@ -1256,6 +1265,10 @@ Subscribe log groups to Sumo Logic Lambda Forwarder. You have the following opti
auto_enable_logs_subscription="New"
```
+ :::note
+ CloudTrail must be enabled for EventBridge to capture `CreateLogGroup` events, since these events are recorded and delivered through CloudTrail.
+ :::
+
### auto_enable_logs_subscription_options
* `filter`. Enter regex for matching logGroups for AWS Lambda only. The regex will check the name. See [Configuring Parameters](/docs/send-data/collect-from-other-data-sources/autosubscribe-arn-destination/#configuringparameters).
@@ -1467,8 +1480,8 @@ module "sumo-module" {
The following table provides a list of all source parameters and their default values. See the [sumologic-solution-templates/aws-observability-terraform/app-module/main.auto.tfvars](http://sumologic-solution-templates/aws-observability-terraform/app-module/main.auto.tfvars) file for complete code.
-| Parameter | Description | Default |
-|:--|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--|
+| Parameter | Description | Default |
+|:--|:--|:--|
| `access_id` | Sumo Logic Access ID. See [Access Keys](/docs/manage/security/access-keys) for information. Ignore this setting if you entered it in Source Parameters. | Ignore if already configured in **main.auto.tfvars** file. |
| `access_key` | Sumo Logic Access Key. See [Access Keys](/docs/manage/security/access-keys) for information. Ignore this setting if you entered it in Source Parameters. | Ignore if already configured in main.auto.tfvars file.
| `environment` | Enter au, ca, de, eu, jp, us2, fed, kr, or us1. See Sumo Logic Endpoints and Firewall Security for information. Ignore this setting if you entered it in Source Parameters. | Ignore if already configured in main.auto.tfvars file. |
@@ -1582,6 +1595,23 @@ Invalid IAM role OR AccessDenied
- Refer to [Edit, activate/deactivate, rotate, or delete access keys](/docs/manage/security/access-keys/#edit-activatedeactivate-rotate-or-delete-access-keys) for access keys activation.
- Refer to [Role capabilities](/docs/observability/aws/deploy-use-aws-observability/before-you-deploy/#prerequisites) for permissions related issues.
+
+### Subscription filters are not applied to newly created log groups
+### Message
+```
+This error can occur when cloudtrail is not enabled for EventBridge to capture `CreateLogGroup` events
+```
+#### Solution
+CloudTrail must be enabled for EventBridge to capture `CreateLogGroup` events, since these events are recorded and delivered through CloudTrail.
+
+### Access logs are not enabled for the Load Balancer
+### Message
+```
+This error can occur when cloudtrail is not enabled for EventBridge to capture `CreateLoadBalancer` events
+```
+#### Solution
+CloudTrail must be enabled for EventBridge to capture `CreateLoadBalancer` events, since these events are recorded and delivered through CloudTrail.
+
### Argument named *managed_apps* is not expected
#### Error Message
diff --git a/docs/observability/aws/other-configurations-tools/integrate-control-tower-accounts.md b/docs/observability/aws/other-configurations-tools/integrate-control-tower-accounts.md
index 8a881146a4..1c8fb9eb26 100644
--- a/docs/observability/aws/other-configurations-tools/integrate-control-tower-accounts.md
+++ b/docs/observability/aws/other-configurations-tools/integrate-control-tower-accounts.md
@@ -33,6 +33,10 @@ We recommend you familiarize yourself with the AWS Observability Solution. For m
* [Deploy and Use AWS Observability](/docs/observability/aws/deploy-use-aws-observability)
* [View the AWS Observability Dashboards](../deploy-use-aws-observability/view-dashboards.md)
+ :::note
+ CloudTrail must be enabled for EventBridge to capture `CreateManagedAccount`, `UpdateManagedAccount` events, since these events are recorded and delivered through CloudTrail.
+ :::
+
## Integrate AWS Control Tower-managed accounts with the AWS Observability solution
Integrating with AWS Control Tower is a two-step process: