Cannot install AWS CloudWatch Logs Agent

Problem:

When you install the (legacy) AWS CloudWatch Logs agent using the Amazon documentation, the Agent installation crashes with an error.


Symptoms:

Step 2 of 5: Downloading the latest CloudWatch Logs agent bits ... Traceback (most recent call last):
  File "./awslogs-agent-setup.py", line 1352, in <module>
    main()
  File "./awslogs-agent-setup.py", line 1348, in main
    setup.setup_artifacts()
  File "./awslogs-agent-setup.py", line 892, in setup_artifacts
    self.install_awslogs_cli()
  File "./awslogs-agent-setup.py", line 541, in install_awslogs_cli
    self.setup_virtualenv()
  File "./awslogs-agent-setup.py", line 751, in setup_virtualenv
    raise BadRCError("Bad rc (%s) for cmd '%s': %s" % (p.returncode, "cmd", stdout + stderr))
__main__.BadRCError: Bad rc (100) for cmd 'cmd': Already using interpreter /bin/python
New python executable in /var/awslogs/bin/python
ERROR: The executable /var/awslogs/bin/python could not be run: [Errno 13] Permission denied


Cause:

STIG mandates that the /var filesystem not allow executables (noexec), but the AWS log agent installs by default to /var/awslogs.  Therefore, the agent is unable to run any of its programs.


Solution:

The best way to fix this is to modify the AWS Logs installation script and have it install the agent to /usr/awslogs instead.  We recommend creating a symbolic link to /var/awslogs in the event that anyone that expects it to be there goes looking for it.

$ sed -i '[email protected]/var/[email protected]/usr/[email protected]' awslogs-agent-setup.py
$ sudo ln -s /usr/awslogs /var/awslogs
$ sudo python ./awslogs-agent-setup.py --region XXXXX
Launching interactive setup of CloudWatch Logs agent ... downloading AgentDependencies.tar.gz with urllib ......
Step 1 of 5: Installing pip ...DONE
Step 2 of 5: Downloading the latest CloudWatch Logs agent bits ... DONE
Step 3 of 5: Configuring AWS CLI ... 
AWS Access Key ID [None]: 
AWS Secret Access Key [None]: 
Default region name [us-east-1]: 
Default output format [None]: 
Step 4 of 5: Configuring the CloudWatch Logs Agent ... 
Path of log file to upload [/var/log/messages]: 
Destination Log Group name [/var/log/messages]: 
Choose Log Stream name:
  1. Use EC2 instance id.
  2. Use hostname.
  3. Custom.
Enter choice [1]: 
Choose Log Event timestamp format:
  1. %b %d %H:%M:%S    (Dec 31 23:59:59)
  2. %d/%b/%Y:%H:%M:%S (10/Oct/2000:13:55:36)
  3. %Y-%m-%d %H:%M:%S (2008-09-08 11:52:54)
  4. Custom
Enter choice [1]: 
Choose initial position of upload:
  1. From start of file.
  2. From end of file.
Enter choice [1]: 
More log files to configure? [Y]: n
Step 5 of 5: Setting up agent as a daemon ...DONE

------------------------------------------------------
- Configuration file successfully saved at: /usr/awslogs/etc/awslogs.conf
- You can begin accessing new log events after a few moments at https://console.aws.amazon.com/cloudwatch/home?region=us-east-1#logs:
- You can use 'sudo service awslogs start|stop|status|restart' to control the daemon.
- To see diagnostic information for the CloudWatch Logs Agent, see /var/log/awslogs.log
- You can rerun interactive setup using 'sudo python ./awslogs-agent-setup.py --region us-east-1 --only-generate-config'
------------------------------------------------------

Related:

Cela vous a-t-il aidé à résoudre votre problème ?