FortiSIEM
Author: mshubham (Staff)
Article Id 410044
Description: This article describes step-by-step instructions on how to configure the AWS CloudWatch Agent on an EC2 instance to send logs to CloudWatch, which FortiSIEM can then pull via the AWS CloudWatch method.
Scope: FortiSIEM.
Solution

Pre-requisites:

  • An EC2 instance is already created.
  • An IAM role with required permissions is attached to the EC2 instance.
  • The role must have access to write logs to CloudWatch.
1. Install the CloudWatch Agent:

Log into the EC2 instance and run the following:

sudo yum install amazon-cloudwatch-agent

2. Configure the Agent:

Launch the configuration wizard:

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard

The non-default options that may need to be selected are listed below:


| **Prompt** | **Recommended Option** | **Reason** |
| ------------------- | -------------------------------- | ------------------------------------------------------- |
| StatsD daemon | No | Used for custom app metrics (not required) |
| CollectD | No | Only needed if using CollectD metrics |
| Host Metrics | No (or Yes) | Choose “Yes” to monitor CPU, memory, etc. |
| Log file path | Yes → `/var/log/audit/audit.log` | Example log file path |
| Log group name | Yes → `/fortisiem/audit` | Must match what FortiSIEM pulls |
| Log stream name | Optional → `FortiSIEM-test-logs` | Static or dynamic naming is fine |
| Store config in SSM | Optional | Choose based on your infrastructure standards |
| Enable X-Ray | No | Only for Lambda/App tracing (not required for EC2 logs) |

At the end of the wizard, a JSON configuration file like the following is written:

{
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/audit/audit.log",
            "log_group_name": "/fortisiem/audit",
            "log_stream_name": "FortiSIEM-test-logs"
          },
          {
            "file_path": "/var/log/dnf.log",
            "log_group_name": "/fortisiem/dns",
            "log_stream_name": "FortiSIEM-test-dns"
          },
          {
            "file_path": "/var/log/wtmp",
            "log_group_name": "/fortisiem/wtmp",
            "log_stream_name": "FortiSIEM-test-wtmp"
          }
        ]
      }
    }
  }
}

3. Start the Agent with Config:

If the configuration was saved as a file (e.g. file_config.json), use:

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
  -a fetch-config -m ec2 \
  -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/file_config.json -s

4. Validate Agent Status:

Check that the agent is running:

sudo systemctl status amazon-cloudwatch-agent

Check logs:

sudo tail -f /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log

5. Permission Checks:

Ensure the log files are readable by the cwagent user:

sudo -u cwagent tail /var/log/audit/audit.log

If permission is denied:

  • Modify the file or directory permissions (chmod) or ACLs.
  • Ensure the logs are not restricted to root-only access.

6. FortiSIEM Verification:

Make sure the EC2 instance has the IAM role attached, with a policy that grants what is needed to fetch data from the CloudWatch log streams; without that policy, the instance has no right to call the other AWS services.

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status
{
  "status": "running",
  "starttime": "2025-09-03T15:39:46+00:00",
  "configstatus": "configured",
  "version": "1.300057.2"
}

If configured correctly and the IAM role is in place, entries like the following should appear in /opt/phoenix/log/phoenix.log:

fsm740 phAgentManager[1165131]: [PH_AGENTMGR_UPDATE_AGENT]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=phAwsFlowLogAgent.cpp,[lineNumber]=112,[phLogDetail]=Update phAwsFlowLogAgent agent for Account: 1234, LogGroupName: /fortisiem/audit, LogStreamName: FortiSIEM-test-logs

fsm740 phAgentManager[1165131]: [PH_JOB_STAT]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=phJobExecuteStatus.cpp,[lineNumber]=235,[jobId]=4567404,[jobType]=2,[jobDetail]=Success,[hostIpAddr]=52.239.28.85,[hostName]=amazon.com,[jobName]=AWS_CLOUDWATCH,[jobDesc]=AWS Flow log Pull,[jobStatus]=0,[pollIntv]=300,[eventTime]=1756726952,[phLogDetail]=
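To check the FortiSIEM side of this step without reading phoenix.log by eye, the following added example (not Fortinet's code) parses the `[key]=value` format of the two lines above, reports which log group and stream the phAwsFlowLogAgent registered, and counts whether each AWS_CLOUDWATCH pull ended with jobStatus 0; the third sample line, with a non-zero status, is constructed for the failure path.

```python
import re
from typing import Dict, List

# Two lines from this article plus one constructed failure line (jobStatus=1).
SAMPLE_LINES = [
    "fsm740 phAgentManager[1165131]: [PH_AGENTMGR_UPDATE_AGENT]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=phAwsFlowLogAgent.cpp,[lineNumber]=112,[phLogDetail]=Update phAwsFlowLogAgent agent for Account: 1234, LogGroupName: /fortisiem/audit, LogStreamName: FortiSIEM-test-logs",
    "fsm740 phAgentManager[1165131]: [PH_JOB_STAT]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=phJobExecuteStatus.cpp,[lineNumber]=235,[jobId]=4567404,[jobType]=2,[jobDetail]=Success,[hostIpAddr]=52.239.28.85,[hostName]=amazon.com,[jobName]=AWS_CLOUDWATCH,[jobDesc]=AWS Flow log Pull,[jobStatus]=0,[pollIntv]=300,[eventTime]=1756726952,[phLogDetail]=",
    # Constructed: same shape as the line above, but with a non-zero jobStatus.
    "fsm740 phAgentManager[1165131]: [PH_JOB_STAT]:[eventSeverity]=PHL_ERROR,[procName]=phAgentManager,[fileName]=phJobExecuteStatus.cpp,[lineNumber]=235,[jobId]=4567405,[jobType]=2,[jobDetail]=Failed,[hostIpAddr]=52.239.28.85,[hostName]=amazon.com,[jobName]=AWS_CLOUDWATCH,[jobDesc]=AWS Flow log Pull,[jobStatus]=1,[pollIntv]=300,[eventTime]=1756727252,[phLogDetail]=",
]

# "[key]=value" pairs; the lookahead stops only at the next "[key]=", so a
# value such as phLogDetail may itself contain commas.
_KV_RE = re.compile(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)")
_EVENT_RE = re.compile(r"\[(PH_[A-Z_]+)\]:")
_STREAM_RE = re.compile(r"LogGroupName: (\S+), LogStreamName: (\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Return the event type and every [key]=value field of one log line."""
    fields = {"eventType": ""}
    m = _EVENT_RE.search(line)
    if m:
        fields["eventType"] = m.group(1)
    fields.update(_KV_RE.findall(line))
    return fields


def summarize(lines: List[str]) -> Dict[str, object]:
    """Streams FortiSIEM registered for pulling, and how each pull ended."""
    summary = {"streams": [], "pulls_ok": 0, "pulls_failed": []}
    for line in lines:
        f = parse_line(line)
        if f["eventType"] == "PH_AGENTMGR_UPDATE_AGENT":
            s = _STREAM_RE.search(f.get("phLogDetail", ""))
            if s:
                summary["streams"].append((s.group(1), s.group(2)))
        elif f["eventType"] == "PH_JOB_STAT" and f.get("jobName") == "AWS_CLOUDWATCH":
            if f.get("jobStatus") == "0":
                summary["pulls_ok"] += 1
            else:
                summary["pulls_failed"].append((f.get("jobId"), f.get("jobDetail")))
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

On a live system, feed it the output of `grep -E 'PH_AGENTMGR_UPDATE_AGENT|PH_JOB_STAT' /opt/phoenix/log/phoenix.log` instead of SAMPLE_LINES; a non-empty pulls_failed list usually points back at the IAM policy or access credentials.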

Screenshots of the AWS EC2 integration in the FortiSIEM GUI: Access Credentials, Pull Events, CMDB Device.

7. IAM Role & Policy Reminder:

Ensure that the EC2 instance has an attached IAM role with the minimum required permissions as per the FortiSIEM documentation.

Without these, the CloudWatch Agent will not be able to send logs, or FortiSIEM will not be able to pull them.
