ECS mode
ECS mode deploys EDOT Cloud Forwarder for AWS with a dedicated CloudFormation template that writes logs into ECS-compatible data streams, compatible with the ingest pipelines and dashboards provided by the Elastic AWS integration.
Use ECS mode if you use the Elastic AWS integration and want to use its assets to visualize your AWS data.
In addition to the standard S3 prerequisites, ECS mode requires:
- The Elastic AWS integration installed in your Kibana deployment. The integration provides the ingest pipelines and index templates that process the ECS-formatted logs.
ECS mode supports the following log types from S3. CloudWatch is not supported.
| AWS log type | EdotCloudForwarderS3LogsType value |
|---|---|
| VPC Flow Logs | vpcflow |
| ELB Access Logs | elbaccess |
| CloudTrail Logs | cloudtrail |
| WAF Logs | waf |
| GuardDuty findings | guardduty |
Deploy EDOT Cloud Forwarder for AWS in ECS mode with one click:
After clicking the button:
Configure the required parameters:
| Parameter | Description |
|---|---|
| Stack name | Name of the CloudFormation stack, for example vpc-edot-cf-ecs. |
| OTLPEndpoint | The OTLP endpoint URL from Elastic Cloud Serverless or Elastic Cloud Hosted. |
| ElasticApiKey | API key for authentication with Elastic. |
| SourceS3BucketARN | ARN of the S3 bucket where your logs are stored. |
| EdotCloudForwarderS3LogsType | The log type. See Supported log types. |
Select Next and check Acknowledge IAM capabilities.
Review your configuration and select Submit to deploy the stack.
Monitor the progress until the stack reaches the CREATE_COMPLETE state.
To deploy from the AWS Serverless Application Repository, follow the Deploy from SAR instructions and search for the cloud-forwarder-s3-logs-ecs application.
ECS mode uses the same S3 configuration parameters as the standard deployment. Refer to Configure EDOT Cloud Forwarder for AWS for details on required settings, optional Lambda parameters, and sizing guidance.
ECS mode adds the following parameters:
| Setting | Description |
|---|---|
| DataStreamNamespace | The namespace component of the data stream name, for example logs-aws.vpcflow-<namespace>. Use different namespaces to separate data from different environments or teams. Default is default. |
| PreserveOriginalEvent | When set to true, preserves a raw copy of the original event in the event.original field. Useful for reindexing or debugging, but increases storage usage. Default is false. |
| GuardDutyKMSKeyARN | For GuardDuty findings exported with a customer-managed KMS key, provide the ARN of the key so the Lambda can decrypt the objects. Leave empty if not using GuardDuty or using the default AWS-managed key. |
Logs collected in ECS mode are written to ECS-compatible data streams in the format logs-aws.<type>-<namespace>:
| AWS log type | Data stream |
|---|---|
| VPC Flow Logs | logs-aws.vpcflow-default |
| ELB Access Logs | logs-aws.elb.access-default |
| CloudTrail Logs | logs-aws.cloudtrail-default |
| WAF Logs | logs-aws.waf-default |
| GuardDuty findings | logs-aws.guardduty-default |
The namespace component matches the DataStreamNamespace parameter value.
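A pre-deployment check for the ECS mode parameters, added here as an example and not part of the Elastic template or its tooling: it derives the target data stream from the log type and namespace and flags values that contradict the tables on this page. The function name `check_parameters`, the namespace character rules (taken from the general Elastic data stream naming scheme, which this page does not restate) and the sample values are assumptions.

```python
import re

# Log type value -> dataset, taken from the two tables on this page.
DATASETS = {
    "vpcflow": "aws.vpcflow",
    "elbaccess": "aws.elb.access",  # the only value that differs from its dataset
    "cloudtrail": "aws.cloudtrail",
    "waf": "aws.waf",
    "guardduty": "aws.guardduty",
}
# Assumption: Elastic data stream naming rules for the namespace part
# (lowercase, at most 100 bytes, none of these characters, no hyphen).
BAD_NAMESPACE_CHARS = re.compile(r'[-\\/*?"<>|,#:\s]')
# S3 bucket ARNs carry no region or account: arn:<partition>:s3:::<bucket>
BUCKET_ARN = re.compile(r"^arn:aws[a-z-]*:s3:::[^/\s]+$")


def check_parameters(params):
    """Return (data_stream_or_None, problems) for a dict of stack parameters."""
    problems = []
    log_type = params.get("EdotCloudForwarderS3LogsType", "")
    namespace = params.get("DataStreamNamespace") or "default"
    if log_type not in DATASETS:
        problems.append(f"unsupported log type: {log_type!r}")
    if (namespace != namespace.lower() or len(namespace.encode()) > 100
            or BAD_NAMESPACE_CHARS.search(namespace)):
        problems.append(f"invalid namespace: {namespace!r}")
    if not BUCKET_ARN.match(params.get("SourceS3BucketARN", "")):
        problems.append("SourceS3BucketARN is not an S3 bucket ARN")
    if params.get("GuardDutyKMSKeyARN") and log_type != "guardduty":
        problems.append("GuardDutyKMSKeyARN set for a non-GuardDuty stack")
    if params.get("PreserveOriginalEvent", "false") not in ("true", "false"):
        problems.append("PreserveOriginalEvent must be true or false")
    if problems:
        return None, problems
    return f"logs-{DATASETS[log_type]}-{namespace}", problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = {
        "EdotCloudForwarderS3LogsType": "elbaccess",
        "DataStreamNamespace": "prod-eu",
        "SourceS3BucketARN": "arn:aws:s3:::example-elb-logs",
    }
    print(check_parameters(sample))
```

The hyphen check matters because the data stream name is split on hyphens into type, dataset and namespace, so a namespace such as prod-eu would no longer map cleanly onto logs-aws.<type>-<namespace>.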
- Configure the template: Learn about all S3 configuration options, sizing recommendations, and deployment methods.
- Troubleshooting: Diagnose and resolve issues with log forwarding.
