Problem:
Error log messages keep repeating in /var/log/awslogs.log. No log data is being uploaded to the CloudWatch Logs console.
Symptoms:
2020-02-12 19:50:13,366 - cwlogs.push.watcher - ERROR - 9908 - Thread-1 - Failed to refresh stream:{'datetime_format': '%b %d %H:%M:%S', 'log_group_name': '/var/log/messages', 'log_stream_name': u'i-077bd736b24f5ce9c', 'encoding': 'utf_8', 'time_zone': 'LOCAL', 'queue': 0, 'source_id': None, 'init_pos': 'start_of_file', 'file': '/var/log/messages', 'buffer_duration': 5000}, reason: ValueError('error:060800A3:digital envelope routines:EVP_DigestInit_ex: disabled for fips',).
Cause:
There is an issue in the AWS CloudWatch Logs (legacy) agent where it is unable to operate on systems that have FIPS hardening applied, which is required by STIG policy.
Solution:
A library call in one of the AWS Logs Python source files needs to be changed so that the hashlib MD5 constructor is told the digest is not being used for a security purpose; it only fingerprints the log source for basic identification. Once this change is applied, the FIPS check no longer causes the program to error out.
$ sudo cp /var/awslogs/lib/python2.7/site-packages/cwlogs/push.py \
    /var/awslogs/lib/python2.7/site-packages/cwlogs/push.py~
$ sudo sed -i \
    's/hashlib.md5(source_id_val/hashlib.md5(source_id_val,usedforsecurity=False,/g' \
    /var/awslogs/lib/python2.7/site-packages/cwlogs/push.py
$ sudo service awslogs restart
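Added example (not from the original note or the AWS agent source): it applies the same textual rewrite as the sed expression above to a constructed sample line, checks that the result still parses, and shows the usedforsecurity=False call with a fallback for interpreters whose hashlib lacks the keyword (it is an upstream feature since Python 3.9; the agent's Python 2.7 relies on the distribution's patched hashlib). The sample line and function names are assumptions, not the real push.py contents.

```python
import hashlib
import re

# Constructed sample in the shape of the call the sed expression rewrites.
# This is NOT the real push.py line; it only illustrates the edit.
SAMPLE_SOURCE = "source_id = hashlib.md5(source_id_val).hexdigest()\n"

# Same match and replacement as the sed command in the Solution section.
PATTERN = re.compile(r"hashlib\.md5\(source_id_val")
REPLACEMENT = "hashlib.md5(source_id_val,usedforsecurity=False,"


def patch_source(src):
    """Apply the sed-style rewrite and confirm the file is still valid Python.

    The replacement leaves a trailing comma inside the call, which Python
    accepts; compile() raises SyntaxError if the edit broke the module,
    which is the check to run before restarting the awslogs service.
    """
    patched = PATTERN.sub(REPLACEMENT, src)
    compile(patched, "<patched>", "exec")
    return patched


def nonsecurity_md5(data):
    """MD5 as a plain identifier (file/stream fingerprint), not for integrity
    or authentication.

    usedforsecurity=False tells a FIPS-enforcing OpenSSL build that the
    digest is allowed for this purpose. Interpreters without the keyword
    (upstream Python < 3.9, unpatched 2.7) raise TypeError, so fall back
    to the plain call there.
    """
    try:
        digest = hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        digest = hashlib.md5(data)
    return digest.hexdigest()


if __name__ == "__main__":
    print(patch_source(SAMPLE_SOURCE), end="")
    print(nonsecurity_md5(b"/var/log/messages"))
```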