Installation Validation

Although the installation process is largely automated, some things may not work as you expect. This section covers common pitfalls and where to look for them.

CloudFormation create-stack is complete

Ensure the CloudFormation stack is in the CREATE_COMPLETE state. This means the stack was created without errors and all of its resources were created as well. You should see the CREATE_COMPLETE state in green.

Create complete

AWS user does not have enough permissions

The AWS user that you use to deploy the CloudFormation template needs at least the permissions listed in the configuration file to be able to deploy the required assets. See the configuration file for the full list of permissions required.

SNS topic has a subscription to Load Balancer

CloudTrail notifies CloudConnector about new events using SNS, so you must ensure that CloudConnector has confirmed the SNS subscription. You should see the Confirmed message in green.

SNS topic subscription Confirmed

If the confirmation hasn't happened, you can send a new confirmation message from the AWS UI and wait until CloudConnector confirms the subscription.

Ensure that the endpoint is reachable and ends with the /cloudtrail suffix. This is the URL to which new CloudTrail events are delivered.

Analyzing logs: What do they mean?

Reading the logs is a good way to troubleshoot unexpected behavior, which is one of the reasons logging is included in the CloudFormation template out of the box.

CloudWatch Logs

Check the startup logs and look for the message "cloud-connector is listening to HTTP requests". It indicates that startup succeeded.

The LoadBalancer checks the health of the service periodically, so you should expect several messages for requests to the GET /health endpoint.

To ensure CloudConnector is receiving events from CloudTrail, look for POST /cloudtrail messages. When a message is accepted, the request returns a 202 status code.

Prometheus metrics

Sysdig CloudConnector exposes Prometheus metrics under the /metrics endpoint. In addition to the internal metrics from Go, it exposes other metrics that can help you find issues.

# HELP sysdig_cloud_connector_alerts_total This is the amount of alerts created by Cloud Connector
# TYPE sysdig_cloud_connector_alerts_total counter
sysdig_cloud_connector_alerts_total{aws_account_id="XXX",aws_region="us-east-1",priority="CRITICAL",rule="Delete bucket encryption",source="cloudtrail"} 1
sysdig_cloud_connector_alerts_total{aws_account_id="XXX",aws_region="us-east-1",priority="WARNING",rule="Allocate a New Elastic IP Address to AWS Account",source="cloudtrail"} 2
sysdig_cloud_connector_alerts_total{aws_account_id="XXX",aws_region="us-east-1",priority="WARNING",rule="Create an HTTP Target Group without SSL",source="cloudtrail"} 1
sysdig_cloud_connector_alerts_total{aws_account_id="XXX",aws_region="us-east-1",priority="WARNING",rule="Create an Internet-facing AWS Public Facing Load Balancer",source="cloudtrail"} 1
# HELP sysdig_cloud_connector_events_processed_total This is the amount of events that Cloud Connector processed
# TYPE sysdig_cloud_connector_events_processed_total counter
sysdig_cloud_connector_events_processed_total 41038
# HELP sysdig_cloud_connector_events_received_total This is the amount of events received by the Cloud Connector
# TYPE sysdig_cloud_connector_events_received_total counter
sysdig_cloud_connector_events_received_total{ingestor="cloudtrail-sns"} 41038
# HELP sysdig_cloud_connector_http_ingestor_handler_requests_total This is the amount of HTTP requests received by the Cloud Connector
# TYPE sysdig_cloud_connector_http_ingestor_handler_requests_total counter
sysdig_cloud_connector_http_ingestor_handler_requests_total{code="202",ingestor="cloudtrail-sns"} 1757
sysdig_cloud_connector_http_ingestor_handler_requests_total{code="400",ingestor="cloudtrail-sns"} 1
sysdig_cloud_connector_http_ingestor_handler_requests_total{code="405",ingestor="cloudtrail-sns"} 1
# HELP sysdig_cloud_connector_notifications_sent_total This is the amount of notications sent by the Cloud Connector
# TYPE sysdig_cloud_connector_notifications_sent_total counter
sysdig_cloud_connector_notifications_sent_total 20
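
The following is an added example, not part of the original page or of Sysdig's code: it parses /metrics output in the format shown above and flags a stalled or rejecting ingest path. The function names, the 1% rejection threshold, and the reading of "processed lower than received" as a problem are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the exposition format shown above (illustrative values).
SAMPLE = '''\
# TYPE sysdig_cloud_connector_events_processed_total counter
sysdig_cloud_connector_events_processed_total 41038
sysdig_cloud_connector_events_received_total{ingestor="cloudtrail-sns"} 41038
sysdig_cloud_connector_http_ingestor_handler_requests_total{code="202",ingestor="cloudtrail-sns"} 1757
sysdig_cloud_connector_http_ingestor_handler_requests_total{code="400",ingestor="cloudtrail-sns"} 1
sysdig_cloud_connector_http_ingestor_handler_requests_total{code="405",ingestor="cloudtrail-sns"} 1
'''

LINE = re.compile(r'^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+(\S+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # label values may contain spaces
PREFIX = "sysdig_cloud_connector_"

def parse(text):
    """Return {metric_name: [(labels_dict, value), ...]}, skipping # HELP/# TYPE lines."""
    out = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE.match(line)
        if match:
            labels = dict(LABEL.findall(match.group(2) or ""))
            out[match.group(1)].append((labels, float(match.group(3))))
    return out

def total(metrics, name, **wanted):
    """Sum all series of one metric whose labels match the given key/value pairs."""
    return sum(value for labels, value in metrics.get(PREFIX + name, [])
               if all(labels.get(k) == v for k, v in wanted.items()))

def check(text, max_reject_ratio=0.01):
    """Return a list of findings; an empty list means the ingest path looks healthy."""
    metrics = parse(text)
    findings = []
    received = total(metrics, "events_received_total")
    processed = total(metrics, "events_processed_total")
    requests = total(metrics, "http_ingestor_handler_requests_total")
    accepted = total(metrics, "http_ingestor_handler_requests_total", code="202")
    if received == 0:
        findings.append("no events received: check the SNS subscription and /cloudtrail endpoint")
    if processed < received:
        findings.append(f"{int(received - processed)} events received but not processed")
    if requests and (requests - accepted) / requests > max_reject_ratio:
        findings.append(f"{int(requests - accepted)} of {int(requests)} requests not accepted (non-202)")
    return findings
```

Run `check()` against the text returned by the /metrics endpoint; counters are cumulative, so comparing two scrapes taken some minutes apart shows whether events are still arriving.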

