

# Logging and monitoring Amazon MQ brokers
<a name="security-logging-monitoring"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for monitoring your Amazon MQ resources and responding to potential incidents:

You can use CloudWatch to view and analyze metrics for your Amazon MQ broker. You can view and analyze your broker metrics from the CloudWatch console, the AWS CLI, or the CloudWatch API. CloudWatch metrics for Amazon MQ are automatically polled from the broker and then pushed to CloudWatch every minute. For ActiveMQ brokers, CloudWatch monitors only the first 1000 destinations. For RabbitMQ brokers, CloudWatch monitors only the first 500 destinations, ordered by number of consumers.

For a full list of Amazon MQ metrics, see [Available CloudWatch metrics Amazon MQ for ActiveMQ brokers](activemq-logging-monitoring.md).

For information about creating a CloudWatch alarm for a metric, see [Create or Edit a CloudWatch Alarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ConsoleAlarms.html) in the *Amazon CloudWatch User Guide*.

# Accessing CloudWatch metrics for Amazon MQ
<a name="amazon-mq-accessing-metrics"></a>

You can access CloudWatch metrics using the AWS Management Console, the AWS CLI, or the CloudWatch API.

You may want to access CloudWatch metrics without using the AWS Management Console.

To access Amazon MQ metrics using the AWS CLI, use the [`get-metric-statistics`](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/get-metric-statistics.html) command. For more information, see [Get Statistics for a Metric](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/getting-metric-statistics.html) in the *Amazon CloudWatch User Guide*.

To access Amazon MQ metrics using the CloudWatch API, use the [`GetMetricStatistics`](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricStatistics.html) action. For more information, see [Get Statistics for a Metric](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/getting-metric-statistics.html) in the *Amazon CloudWatch User Guide*.

## Accessing CloudWatch metrics using the AWS Management Console
<a name="amazon-mq-accessing-metrics-console"></a>

The following example shows you how to access CloudWatch metrics for Amazon MQ using the AWS Management Console. If you're already signed in to the Amazon MQ console, on the broker **Details** page, choose **Actions**, **View CloudWatch metrics**.

1. Sign in to the [CloudWatch console](https://console.aws.amazon.com/cloudwatch/).

1. On the navigation panel, choose **Metrics**.

1. Select the **AmazonMQ** metric namespace.

1. Select one of the following metric dimensions:
   + **Broker Metrics**
   + **Queue Metrics by Broker**
   + **Topic Metrics by Broker**

   In this example, **Broker Metrics** is selected.

1. You can now examine your Amazon MQ metrics:
   + To sort the metrics, use the column heading.
   + To graph the metric, select the check box next to the metric.
   + To filter by metric, choose the metric name and then choose **Add to search**.

# Available CloudWatch metrics Amazon MQ for ActiveMQ brokers
<a name="activemq-logging-monitoring"></a>

## Amazon MQ for ActiveMQ metrics
<a name="security-logging-monitoring-cloudwatch-metrics"></a>


| Metric | Unit | Description | 
| --- | --- | --- | 
| AmqpMaximumConnections | Count | The maximum number of clients you can connect to your broker using AMQP. For more information on connection quotas, see [Quotas in Amazon MQ](amazon-mq-limits.md). | 
| BurstBalance | Percent | The percentage of burst credits remaining on the Amazon EBS volume used to persist message data for throughput-optimized brokers. If this balance reaches zero, the IOPS provided by the Amazon EBS volume will decrease until the Burst Balance refills. For more information on how Burst Balances work in Amazon EBS, see: [I/O Credits and Burst Performance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html#IOcredit). | 
| CpuCreditBalance | Credits (vCPU-minutes) |   This metric is available only for the `mq.t2.micro` broker instance type. CPU credit metrics are available only at five-minute intervals.  The number of earned CPU credits that an instance has accrued since it was launched or started (including the number of launch credits). The credit balance is available for the broker instance to spend on bursts beyond the baseline CPU utilization. Credits are accrued in the credit balance after they're earned and removed from the credit balance after they're spent. The credit balance has a maximum limit. Once the limit is reached, any newly earned credits are discarded.  | 
| CpuUtilization | Percent | The percentage of allocated Amazon EC2 compute units that the broker currently uses. | 
| CurrentConnectionsCount | Count | The current number of active connections on the current broker. | 
| EstablishedConnectionsCount | Count | The total number of connections, active and inactive, that have been established on the broker. | 
| HeapUsage | Percent | The percentage of the ActiveMQ JVM memory limit that the broker currently uses. | 
| InactiveDurableTopicSubscribersCount | Count | The number of inactive durable topic subscribers, up to a maximum of 2000.  | 
| JobSchedulerStorePercentUsage | Percent | The percentage of disk space used by the job scheduler store. | 
| JournalFilesForFastRecovery | Count | The number of journal files that will be replayed after a clean shutdown. | 
| JournalFilesForFullRecovery | Count | The number of journal files that will be replayed after an unclean shutdown. | 
| MqttMaximumConnections | Count | The maximum number of clients you can connect to your broker using MQTT. For more information on connection quotas, see [Quotas in Amazon MQ](amazon-mq-limits.md). | 
| NetworkConnectorConnectionCount | Count | The number of nodes connected to the broker in a [network of brokers](network-of-brokers.md) using NetworkConnector. | 
| NetworkIn | Bytes | The volume of incoming traffic for the broker. | 
| NetworkOut | Bytes | The volume of outgoing traffic for the broker. | 
| OpenTransactionCount | Count | The total number of transactions in progress. | 
| OpenwireMaximumConnections | Count | The maximum number of clients you can connect to your broker using OpenWire. For more information on connection quotas, see [Quotas in Amazon MQ](amazon-mq-limits.md). | 
| StompMaximumConnections | Count | The maximum number of clients you can connect to your broker using STOMP. For more information on connection quotas, see [Quotas in Amazon MQ](amazon-mq-limits.md). | 
| StorePercentUsage | Percent | The percent used by the storage limit. If this reaches 100, the broker will refuse messages. | 
| TempPercentUsage | Percent | The percentage of available temporary storage used by non-persistent messages.  | 
| TotalConsumerCount | Count | The number of message consumers subscribed to destinations on the current broker. | 
| TotalMessageCount | Count | The number of messages stored on the broker. | 
| TotalProducerCount | Count | The number of message producers active on destinations on the current broker. | 
| VolumeReadOps | Count | The number of read operations performed on the Amazon EBS volume. | 
| VolumeWriteOps | Count | The number of write operations performed on the Amazon EBS volume. | 
| WsMaximumConnections | Count | The maximum number of clients you can connect to your broker using WebSocket. For more information on connection quotas, see [Quotas in Amazon MQ](amazon-mq-limits.md). | 
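
Several rows in the table above name a hard limit (`StorePercentUsage` reaching 100 makes the broker refuse messages; `BurstBalance` reaching zero drops EBS IOPS to baseline), which is exactly where a CloudWatch alarm belongs. The following Python is an added example, not code from this guide or from AWS: it reproduces the M-of-N evaluation that CloudWatch alarms apply (at least `datapoints_to_alarm` of the last `evaluation_periods` datapoints breaching the threshold) over constructed one-minute samples so you can sanity-check an alarm definition before creating it. The warning levels (80, 20, 90) are assumptions chosen for the example; the guide states only the hard limits.

```python
"""Simulate CloudWatch M-of-N alarm evaluation over Amazon MQ broker metrics (added example)."""
from typing import Dict, List

# Alarm definitions for threshold-bearing metrics from the broker metrics table.
# The thresholds are constructed assumptions for this example, not AWS defaults:
# the guide only documents the hard limits (StorePercentUsage 100, BurstBalance 0),
# and an alarm should fire well before those are reached.
ALARMS: Dict[str, dict] = {
    "StorePercentUsage": {"comparison": ">=", "threshold": 80.0,
                          "evaluation_periods": 3, "datapoints_to_alarm": 2},
    "BurstBalance":      {"comparison": "<=", "threshold": 20.0,
                          "evaluation_periods": 3, "datapoints_to_alarm": 3},
    "HeapUsage":         {"comparison": ">=", "threshold": 90.0,
                          "evaluation_periods": 5, "datapoints_to_alarm": 3},
}


def breaches(value: float, comparison: str, threshold: float) -> bool:
    """True when a single datapoint violates the alarm's comparison."""
    return {
        ">=": value >= threshold,
        ">": value > threshold,
        "<=": value <= threshold,
        "<": value < threshold,
    }[comparison]


def evaluate_alarm(metric: str, datapoints: List[float]) -> str:
    """M-of-N evaluation as CloudWatch alarms apply it.

    datapoints are ordered oldest to newest, one per period. The alarm is in
    ALARM when at least datapoints_to_alarm of the most recent
    evaluation_periods datapoints breach the threshold. With fewer datapoints
    than evaluation_periods this simplified evaluator reports
    INSUFFICIENT_DATA; in real CloudWatch, missing-data handling is
    configurable per alarm.
    """
    cfg = ALARMS[metric]
    n = cfg["evaluation_periods"]
    if len(datapoints) < n:
        return "INSUFFICIENT_DATA"
    window = datapoints[-n:]
    breaching = sum(1 for v in window if breaches(v, cfg["comparison"], cfg["threshold"]))
    return "ALARM" if breaching >= cfg["datapoints_to_alarm"] else "OK"


def evaluate_all(samples: Dict[str, List[float]]) -> Dict[str, str]:
    """Evaluate every configured alarm against the supplied per-metric samples."""
    return {metric: evaluate_alarm(metric, samples.get(metric, [])) for metric in ALARMS}


# Constructed one-minute samples (oldest to newest), not real broker data.
SAMPLE: Dict[str, List[float]] = {
    "StorePercentUsage": [62.0, 71.0, 84.0, 88.0],   # 2 of the last 3 minutes >= 80 -> ALARM
    "BurstBalance":      [45.0, 30.0, 18.0, 9.0],    # only 2 of the last 3 <= 20 -> OK
    "HeapUsage":         [55.0, 58.0, 61.0],         # fewer than 5 periods -> INSUFFICIENT_DATA
}

if __name__ == "__main__":
    for metric, state in evaluate_all(SAMPLE).items():
        print(f"{metric}: {state}")
```

The `datapoints_to_alarm` and `evaluation_periods` pair is what keeps a single noisy minute from paging anyone; the `BurstBalance` rule above deliberately requires three consecutive low readings because a brief dip refills on its own, while store usage is set to alarm on two of three because once it hits 100 the broker stops accepting messages.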

### Dimensions for ActiveMQ broker metrics
<a name="security-logging-monitoring-cloudwatch-dimensions"></a>


| Dimension | Description | 
| --- | --- | 
| Broker | The name of the broker. A single-instance broker has the suffix `-1`. An active/standby broker for high availability has the suffixes `-1` and `-2` for its redundant pair. | 

## ActiveMQ destination (queue and topic) metrics
<a name="security-logging-monitoring-cloudwatch-destination-metrics"></a>

**Important**  
The following metrics include per-minute counts for the CloudWatch polling period: `EnqueueCount`, `ExpiredCount`, `DequeueCount`, `DispatchCount`, and `InFlightCount`.  
For example, in a five-minute [CloudWatch period](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#CloudWatchPeriods), `EnqueueCount` has five count values, each for a one-minute portion of the period. The `Minimum` and `Maximum` statistics provide the lowest and highest per-minute value during the specified period.


| Metric | Unit | Description | 
| --- | --- | --- | 
| ConsumerCount | Count | The number of consumers subscribed to the destination. | 
| EnqueueCount | Count | The number of messages sent to the destination, per minute. | 
| EnqueueTime | Time (milliseconds) | The end-to-end latency from when a message arrives at a broker until it is delivered to a consumer. `EnqueueTime` does not measure the end-to-end latency from when a message is sent by a producer until it reaches the broker, nor the latency from when a message is received by a broker until it is acknowledged by the broker. Rather, `EnqueueTime` is the number of milliseconds from the moment a message is received by the broker until it is successfully delivered to a consumer.   | 
| ExpiredCount | Count | The number of messages that couldn't be delivered because they expired, per minute. | 
| DispatchCount | Count | The number of messages sent to consumers, per minute. | 
| DequeueCount | Count | The number of messages acknowledged by consumers, per minute. | 
| InFlightCount | Count | The number of messages sent to consumers that have not been acknowledged. | 
| ReceiveCount | Count | The number of messages that have been received from the remote broker for a duplex network connector. | 
| MemoryUsage | Percent | The percentage of the memory limit that the destination currently uses. | 
| ProducerCount | Count | The number of producers for the destination. | 
| QueueSize | Count | The number of messages in the queue. This metric applies only to queues.  | 
| TotalEnqueueCount | Count | The total number of messages that have been sent to the broker. | 
| TotalDequeueCount | Count | The total number of messages that have been consumed by clients. | 

**Note**  
`TotalEnqueueCount` and `TotalDequeueCount` metrics include messages for advisory topics. For more information about advisory topic messages, see the [ActiveMQ documentation](https://activemq.apache.org/advisory-message.html).

### Dimensions for ActiveMQ destination (queue and topic) metrics
<a name="security-logging-monitoring-cloudwatch-destination-dimensions"></a>


| Dimension | Description | 
| --- | --- | 
| Broker |  The name of the broker.  A single-instance broker has the suffix `-1`. An active/standby broker for high availability has the suffixes `-1` and `-2` for its redundant pair.   | 
| Topic or Queue | The name of the topic or queue. | 
| NetworkConnector  | The name of the network connector. | 

# Available CloudWatch metrics for Amazon MQ for RabbitMQ brokers
<a name="rabbitmq-logging-monitoring"></a>

## RabbitMQ broker metrics
<a name="security-logging-monitoring-cloudwatch-metrics-rabbitmq"></a>


| Metric | Unit | Description | 
| --- | --- | --- | 
| ExchangeCount | Count | The total number of exchanges configured on the broker. | 
| QueueCount | Count | The total number of queues configured on the broker. | 
| ConnectionCount | Count | The total number of connections established on the broker. | 
| ChannelCount | Count | The total number of channels established on the broker. | 
| ConsumerCount | Count | The total number of consumers connected to the broker. | 
| MessageCount | Count | The total number of messages in the queues.  The number produced is the total sum of ready and unacknowledged messages on the broker.  | 
| MessageReadyCount | Count | The total number of ready messages in the queues. | 
| MessageUnacknowledgedCount | Count | The total number of unacknowledged messages in the queues. | 
| PublishRate | Count | The rate at which messages are published to the broker. The number produced represents the number of messages per second at the time of sampling.  | 
| ConfirmRate | Count | The rate at which the RabbitMQ server is confirming published messages. You can compare this metric with PublishRate to better understand how your broker is performing. The number produced represents the number of messages per second at the time of sampling. | 
| AckRate | Count | The rate at which messages are being acknowledged by consumers. The number produced represents the number of messages per second at the time of sampling. | 
| SystemCpuUtilization | Percent | The percentage of allocated Amazon EC2 compute units that the broker currently uses. For cluster deployments, this value represents the aggregate of all three RabbitMQ nodes' corresponding metric values. | 
| RabbitMQMemLimit | Bytes | The RAM limit for a RabbitMQ broker. For cluster deployments, this value represents the aggregate of all three RabbitMQ nodes' corresponding metric values. | 
| RabbitMQMemUsed | Bytes | The volume of RAM used by a RabbitMQ broker. For cluster deployments, this value represents the aggregate of all three RabbitMQ nodes' corresponding metric values. | 
| RabbitMQDiskFreeLimit | Bytes | The disk limit for a RabbitMQ broker. For cluster deployments, this value represents the aggregate of all three RabbitMQ nodes' corresponding metric values. This metric is different per instance size.  | 
| RabbitMQDiskFree | Bytes | The total volume of free disk space available in a RabbitMQ broker. When disk usage goes above its limit, the cluster will block all producer connections. For cluster deployments, this value represents the aggregate of all three RabbitMQ nodes' corresponding metric values. | 
| RabbitMQFdUsed | Count | Number of file descriptors used. For cluster deployments, this value represents the aggregate of all three RabbitMQ nodes' corresponding metric values. | 
| RabbitMQIOReadAverageTime | Count | The average time (in milliseconds) for RabbitMQ to perform one read operation. The value is proportional to the message size. | 
| RabbitMQIOWriteAverageTime | Count | The average time (in milliseconds) for RabbitMQ to perform one write operation. The value is proportional to the message size. | 

## Dimensions for RabbitMQ broker metrics
<a name="security-logging-monitoring-cloudwatch-dimensions-rabbitmq"></a>


| Dimension | Description | 
| --- | --- | 
| Broker |  The name of the broker.  | 

## RabbitMQ node metrics
<a name="security-logging-monitoring-cloudwatch-destination-metrics-rabbitmq"></a>


| Metric | Unit | Description | 
| --- | --- | --- | 
| SystemCpuUtilization | Percent | The percentage of allocated Amazon EC2 compute units that the broker currently uses. | 
| RabbitMQMemLimit | Bytes | The RAM limit for a RabbitMQ node. | 
| RabbitMQMemUsed | Bytes | The volume of RAM used by a RabbitMQ node. When memory use goes above the limit, the cluster will block all producer connections. | 
| RabbitMQDiskFreeLimit | Bytes | The disk limit for a RabbitMQ node. This metric is different per instance size. | 
| RabbitMQDiskFree | Bytes | The total volume of free disk space available in a RabbitMQ node. When disk usage goes above its limit, the cluster will block all producer connections. | 
| RabbitMQFdUsed | Count | Number of file descriptors used. | 

## Dimensions for RabbitMQ node metrics
<a name="security-logging-monitoring-cloudwatch-destination-dimensions-rabbitmq"></a>


| Dimension | Description | 
| --- | --- | 
| Node | The name of the node. A node name consists of two parts: a prefix (usually `rabbit`) and a hostname. For example, `rabbit@ip-10-0-0-230.us-west-2.compute.internal` is a node name with the prefix `rabbit` and the hostname `ip-10-0-0-230.us-west-2.compute.internal`. | 
| Broker |  The name of the broker.  | 

## RabbitMQ queue metrics
<a name="security-logging-monitoring-cloudwatch-queue-metrics-rabbitmq"></a>


| Metric | Unit | Description | 
| --- | --- | --- | 
| ConsumerCount | Count | The number of consumers subscribed to the queue. | 
| MessageReadyCount | Count | The number of messages that are currently available to be delivered. | 
| MessageUnacknowledgedCount | Count | The number of messages for which the server is awaiting acknowledgement. | 
| MessageCount | Count | The total number of MessageReadyCount and MessageUnacknowledgedCount (also known as queue depth). | 

## Dimensions for RabbitMQ queue metrics
<a name="security-logging-monitoring-cloudwatch-dimensions-queue-rabbitmq"></a>

**Note**  
Amazon MQ for RabbitMQ will not publish metrics for virtual hosts and queues whose names contain blank spaces, tabs, or non-ASCII characters.  
For more information about dimension names, see [Dimension](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_Dimension.html#API_Dimension_Contents) in the *Amazon CloudWatch API Reference*. 


| Dimension | Description | 
| --- | --- | 
| Queue | The name of the queue. | 
| VirtualHost | The name of the virtual host. | 
| Broker | The name of the broker. | 

## RabbitMQ network metrics
<a name="security-logging-monitoring-cloudwatch-network-metrics-rabbitmq"></a>


| Metric | Unit | Description | 
| --- | --- | --- | 
| NetworkOut | Bytes |  The number of bytes sent out by the instance on all network interfaces. This metric identifies the volume of outgoing network traffic from a single instance. The number reported is the number of bytes sent during the period. If you are using basic (5-minute) monitoring and the statistic is Sum, you can divide this number by 300 to find Bytes/second. If you have detailed (1-minute) monitoring and the statistic is Sum, divide it by 60. You can also use the CloudWatch metric math function `DIFF_TIME` to find the bytes per second. For example, if you have graphed NetworkOut in CloudWatch as `m1`, the metric math formula `m1/(DIFF_TIME(m1))` returns the metric in bytes/second. For more information about `DIFF_TIME` and other metric math functions, see [Using metric math](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html). **Meaningful Statistics:** Sum, Average, Minimum, Maximum  | 
| NetworkIn | Bytes |  The number of bytes received by the instance on all network interfaces. This metric identifies the volume of incoming network traffic to a single instance. The number reported is the number of bytes received during the period. If you are using basic (5-minute) monitoring and the statistic is Sum, you can divide this number by 300 to find Bytes/second. If you have detailed (1-minute) monitoring and the statistic is Sum, divide it by 60. You can also use the CloudWatch metric math function `DIFF_TIME` to find the bytes per second. For example, if you have graphed NetworkIn in CloudWatch as `m1`, the metric math formula `m1/(DIFF_TIME(m1))` returns the metric in bytes/second. For more information about `DIFF_TIME` and other metric math functions, see [Using metric math](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html). **Meaningful Statistics:** Sum, Average, Minimum, Maximum  | 
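
The two rows above give three ways to turn a `Sum` of bytes into a rate: divide by 300 for basic monitoring, by 60 for detailed monitoring, or let metric math compute `m1/(DIFF_TIME(m1))` from the datapoint timestamps. The following Python is an added example, not code from this guide or from AWS: it applies all three to constructed datapoints shaped like `GetMetricStatistics` output and adds a simple egress-spike check, the kind of thing a defender runs when a broker's `NetworkOut` suddenly departs from its baseline. The datapoint values and the baseline are invented for the example.

```python
"""Convert CloudWatch NetworkIn/NetworkOut Sum datapoints to bytes per second (added example)."""
from datetime import datetime, timezone
from typing import List, Optional

BASIC_PERIOD_SECONDS = 300     # basic (5-minute) monitoring
DETAILED_PERIOD_SECONDS = 60   # detailed (1-minute) monitoring

# Constructed datapoints in the shape GetMetricStatistics returns for the Sum
# statistic (Timestamp, Sum, Unit). Values are invented; the API does not
# guarantee order, so every helper sorts by Timestamp first.
SAMPLE_DATAPOINTS = [
    {"Timestamp": datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc), "Sum": 1_500_000.0, "Unit": "Bytes"},
    {"Timestamp": datetime(2024, 1, 1, 0, 5, tzinfo=timezone.utc), "Sum": 3_000_000.0, "Unit": "Bytes"},
    {"Timestamp": datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc), "Sum": 600_000.0, "Unit": "Bytes"},
]


def _ordered(datapoints: List[dict]) -> List[dict]:
    return sorted(datapoints, key=lambda dp: dp["Timestamp"])


def bytes_per_second(datapoints: List[dict], period_seconds: int) -> List[float]:
    """Sum / period: the 'divide by 300' (basic) or 'divide by 60' (detailed) rule."""
    return [dp["Sum"] / period_seconds for dp in _ordered(datapoints)]


def bytes_per_second_diff_time(datapoints: List[dict]) -> List[Optional[float]]:
    """Equivalent of the metric math m1/(DIFF_TIME(m1)).

    Each Sum is divided by the seconds elapsed since the previous datapoint,
    so the caller need not know whether the period was 60 or 300 seconds.
    The first datapoint has no predecessor and yields None.
    """
    ordered = _ordered(datapoints)
    rates: List[Optional[float]] = [None]
    for prev, cur in zip(ordered, ordered[1:]):
        elapsed = (cur["Timestamp"] - prev["Timestamp"]).total_seconds()
        rates.append(cur["Sum"] / elapsed if elapsed > 0 else None)
    return rates


def egress_spikes(datapoints: List[dict], period_seconds: int,
                  baseline_bps: float, factor: float = 2.0) -> List[datetime]:
    """Timestamps whose rate exceeds factor x baseline.

    A sustained jump in NetworkOut from a broker that normally moves little
    data is worth correlating with CloudTrail and the broker's general/audit
    logs; baseline_bps is whatever you measured for this broker.
    """
    ordered = _ordered(datapoints)
    rates = bytes_per_second(ordered, period_seconds)
    return [dp["Timestamp"] for dp, rate in zip(ordered, rates) if rate > factor * baseline_bps]


if __name__ == "__main__":
    print("sum/300:", bytes_per_second(SAMPLE_DATAPOINTS, BASIC_PERIOD_SECONDS))
    print("DIFF_TIME:", bytes_per_second_diff_time(SAMPLE_DATAPOINTS))
    print("spikes:", egress_spikes(SAMPLE_DATAPOINTS, BASIC_PERIOD_SECONDS, baseline_bps=4_000.0))
```

Note that the fixed-divisor and the `DIFF_TIME` approaches agree only when datapoints are evenly spaced; if a period is missing (the broker was rebooting, say), dividing by the real elapsed time spreads the next `Sum` over the gap, which is usually what you want for a rate graph but not for an alarm threshold.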

## Dimensions for RabbitMQ brokers
<a name="security-logging-monitoring-dimensions-rabbitmq"></a>


| Dimension | Description | 
| --- | --- | 
| BrokerId | Id of the broker | 

## Configuring Amazon MQ for RabbitMQ logs
<a name="security-logging-monitoring-rabbitmq"></a>

When you enable CloudWatch logging for your RabbitMQ brokers, Amazon MQ uses a service-linked role to publish general logs to CloudWatch. If no Amazon MQ service-linked role exists when you first create a broker, Amazon MQ will automatically create one. All subsequent RabbitMQ brokers will use the same service-linked role to publish logs to CloudWatch.

For more information about service-linked roles, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *AWS Identity and Access Management User Guide*. For more information about how Amazon MQ uses service-linked roles, see [Using service-linked roles for Amazon MQ](using-service-linked-roles.md).

# Logging Amazon MQ API calls using AWS CloudTrail
<a name="security-logging-monitoring-cloudtrail"></a>

Amazon MQ is integrated with AWS CloudTrail, a service that provides a record of the Amazon MQ calls that a user, role, or AWS service makes. CloudTrail captures API calls related to Amazon MQ brokers and configurations as events, including calls from the Amazon MQ console and code calls from Amazon MQ APIs. For more information about CloudTrail, see the *[AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)*.

**Note**  
CloudTrail doesn't log API calls related to ActiveMQ operations (for example, sending and receiving messages) or to the ActiveMQ Web Console. To log information related to ActiveMQ operations, you can [configure Amazon MQ to publish general and audit logs to Amazon CloudWatch Logs](security-logging-monitoring.md).

Using the information that CloudTrail collects, you can identify a specific request to an Amazon MQ API, the IP address of the requester, the requester's identity, the date and time of the request, and so on. If you configure a *trail*, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket. If you don't configure a trail, you can view the most recent events in the event history in the CloudTrail console. For more information, see [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) in the *[AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)*.

## Amazon MQ Information in CloudTrail
<a name="security-logging-monitoring-cloudtrail-info"></a>

When you create your AWS account, CloudTrail is enabled. When a supported Amazon MQ event activity occurs, it is recorded in a CloudTrail event with other AWS service events in the event history. You can view, search, and download recent events for your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide*.

A trail allows CloudTrail to deliver log files to an Amazon S3 bucket. You can create a trail to keep an ongoing record of events in your AWS account. By default, when you create a trail using the AWS Management Console, the trail applies to all AWS Regions. The trail logs events from all AWS Regions and delivers log files to the specified Amazon S3 bucket. You can also configure other AWS services to further analyze and act on the event data collected in CloudTrail logs. For more information, see the following topics in the *AWS CloudTrail User Guide*: 
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html)
+ [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

Amazon MQ supports logging both the request parameters and the responses for the following APIs as events in CloudTrail log files:
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html#rest-api-configurations-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html#rest-api-configurations-methods-post)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-delete](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-delete)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-delete](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-delete)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker-reboot.html#rest-api-broker-reboot-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker-reboot.html#rest-api-broker-reboot-methods-post)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-put](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-put)

**Note**  
RebootBroker log files are logged when you reboot the broker. During the maintenance window, the service automatically reboots, and RebootBroker log files are not logged.

**Important**  
For the `GET` methods of the following APIs, the request parameters are logged, but the responses are redacted:
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-broker.html#rest-api-broker-methods-get)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html#rest-api-configuration-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html#rest-api-configuration-methods-get)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revision.html#rest-api-configuration-revision-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revision.html#rest-api-configuration-revision-methods-get)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-get)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-get)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revisions.html#rest-api-configuration-revisions-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revisions.html#rest-api-configuration-revisions-methods-get)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html#rest-api-configurations-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html#rest-api-configurations-methods-get)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-users.html#rest-api-users-methods-get](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-users.html#rest-api-users-methods-get)

For the following APIs, the `data` and `password` request parameters are hidden by asterisks (`***`):
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-post) (`POST`)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-post) (`POST`)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html#rest-api-configuration-methods-put](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html#rest-api-configuration-methods-put) (`PUT`)
+ [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-put](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-user.html#rest-api-user-methods-put) (`PUT`)

Every event or log entry contains information about the requester. This information helps you determine the following: 
+ Was the request made with root or user credentials?
+ Was the request made with temporary security credentials for a role or a federated user?
+ Was the request made by another AWS service?

For more information, see [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide*.

## Example Amazon MQ Log File Entry
<a name="security-logging-monitoring-cloudtrail-example-log"></a>

A *trail* is a configuration that allows the delivery of events as log files to the specified Amazon S3 bucket. CloudTrail log files contain one or more log entries.

An *event* represents a single request from any source and includes information about the request to an Amazon MQ API, the IP address of the requester, the requester's identity, the date and time of the request, and so on.

The following example shows a CloudTrail log entry for a [https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-post](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-brokers.html#rest-api-brokers-methods-post) API call.

**Note**  
Because CloudTrail log files aren't an ordered stack trace of public APIs, they don't list information in any specific order.

```
{
    "eventVersion": "1.06",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AKIAIOSFODNN7EXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/AmazonMqConsole",
        "accountId": "111122223333",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "userName": "AmazonMqConsole"
    },
    "eventTime": "2018-06-28T22:23:46Z",
    "eventSource": "amazonmq.amazonaws.com",
    "eventName": "CreateBroker",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "203.0.113.0",
    "userAgent": "PostmanRuntime/7.1.5",
    "requestParameters": {
        "engineVersion": "5.15.9",
        "deploymentMode": "ACTIVE_STANDBY_MULTI_AZ",
        "maintenanceWindowStartTime": {
            "dayOfWeek": "THURSDAY",
            "timeOfDay": "22:45",
            "timeZone": "America/Los_Angeles"
        },
        "engineType": "ActiveMQ",
        "hostInstanceType": "mq.m5.large",
        "users": [
            {
                "username": "MyUsername123",
                "password": "***",
                "consoleAccess": true,
                "groups": [
                    "admins",
                    "support"
                ]
            },
            {
                "username": "MyUsername456",
                "password": "***",
                "groups": [
                    "admins"
                ]
            }
        ],
        "creatorRequestId": "1",
        "publiclyAccessible": true,
        "securityGroups": [
            "sg-a1b234cd"
        ],
        "brokerName": "MyBroker",
        "autoMinorVersionUpgrade": false,
        "subnetIds": [
            "subnet-12a3b45c",
            "subnet-67d8e90f"
        ]
    },
    "responseElements": {
        "brokerId": "b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9",
        "brokerArn": "arn:aws:mq:us-east-2:123456789012:broker:MyBroker:b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9"
    },
    "requestID": "a1b2c345-6d78-90e1-f2g3-4hi56jk7l890",
    "eventID": "a12bcd3e-fg45-67h8-ij90-12k34d5l16mn",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# Configuring Amazon MQ for ActiveMQ logs
<a name="configure-logging-monitoring-activemq"></a>

To allow Amazon MQ to publish logs to CloudWatch Logs, you must [add a permission to your Amazon MQ user](#security-logging-monitoring-configure-cloudwatch-permissions) and also [configure a resource-based policy for Amazon MQ](#security-logging-monitoring-configure-cloudwatch-resource-permissions) before you create or restart the broker.

**Note**  
When you turn on logs and publish messages from the ActiveMQ web console, the content of the message is sent to CloudWatch and displayed in the logs.

The following describes the steps to configure CloudWatch logs for your ActiveMQ brokers.

**Topics**
+ [Understanding the structure of logging in CloudWatch Logs](#security-logging-monitoring-configure-cloudwatch-structure)
+ [Add the `CreateLogGroup` permission to your Amazon MQ user](#security-logging-monitoring-configure-cloudwatch-permissions)
+ [Configure a resource-based policy for Amazon MQ](#security-logging-monitoring-configure-cloudwatch-resource-permissions)
+ [Cross-service confused deputy prevention](#security-logging-monitoring-configure-cloudwatch-confused-deputy)

## Understanding the structure of logging in CloudWatch Logs
<a name="security-logging-monitoring-configure-cloudwatch-structure"></a>

You can enable *general* and *audit* logging when you configure advanced broker settings when you create a broker, or when you edit a broker.

General logging enables the default `INFO` logging level (`DEBUG` logging isn't supported) and publishes `activemq.log` to a log group in your CloudWatch account. The log group has a format similar to the following:

```
/aws/amazonmq/broker/b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9/general
```

[Audit logging](http://activemq.apache.org/audit-logging.html) enables logging of management actions taken using JMX or using the ActiveMQ Web Console and publishes `audit.log` to a log group in your CloudWatch account. The log group has a format similar to the following:

```
/aws/amazonmq/broker/b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9/audit
```

Depending on whether you have a [single-instance broker](amazon-mq-broker-architecture.md#single-broker-deployment) or an [active/standby broker](amazon-mq-broker-architecture.md#active-standby-broker-deployment), Amazon MQ creates either one or two log streams within each log group. The log streams have a format similar to the following.

```
activemq-b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9-1.log
activemq-b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9-2.log
```

The `-1` and `-2` suffixes denote individual broker instances. For more information, see [Working with Log Groups and Log Streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) in the *[Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/)*. 

## Add the `CreateLogGroup` permission to your Amazon MQ user
<a name="security-logging-monitoring-configure-cloudwatch-permissions"></a>

To allow Amazon MQ to create a CloudWatch Logs log group, you must ensure that the user who creates or reboots the broker has the `logs:CreateLogGroup` permission.

**Important**  
If you don't add the `CreateLogGroup` permission to your Amazon MQ user before the user creates or reboots the broker, Amazon MQ doesn't create the log group.

The following example [IAM-based policy](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html#identity-based-policies-cwl) grants permission for `logs:CreateLogGroup` for users to whom this policy is attached.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
        }
    ]
}
```

------

**Note**  
Here, the term user refers to *IAM users* and not *Amazon MQ users*, which are created when a new broker is configured. For more information about setting up IAM users and configuring IAM policies, see the [Identity Management Overview](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html) section of the IAM User Guide.

For more information, see `[CreateLogGroup](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogGroup.html)` in the *Amazon CloudWatch Logs API Reference*.

## Configure a resource-based policy for Amazon MQ
<a name="security-logging-monitoring-configure-cloudwatch-resource-permissions"></a>

**Important**  
If you don't configure a resource-based policy for Amazon MQ, the broker can't publish the logs to CloudWatch Logs.

To allow Amazon MQ to publish logs to your CloudWatch Logs log group, configure a resource-based policy to give Amazon MQ access to the following CloudWatch Logs API actions:
+ `[CreateLogStream](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogStream.html)` – Creates a CloudWatch Logs log stream for the specified log group.
+ `[PutLogEvents](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutLogEvents.html)` – Delivers events to the specified CloudWatch Logs log stream.

The following resource-based policy grants `logs:CreateLogStream` and `logs:PutLogEvents` on log groups under `/aws/amazonmq/` to the Amazon MQ service principal (`mq.amazonaws.com`).

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "Service": "mq.amazonaws.com" },
            "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
        }
    ]
}
```

------

This resource-based policy *must* be configured by using the AWS CLI as shown by the following command. In the example, replace `us-east-1` with your own information.

```
aws --region us-east-1 logs put-resource-policy --policy-name AmazonMQ-logs \
    --policy-document "{\"Version\": \"2012-10-17\", \"Statement\":[{ \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"mq.amazonaws.com\" },
    \"Action\": [\"logs:CreateLogStream\", \"logs:PutLogEvents\"], \"Resource\": \"arn:aws:logs:*:*:log-group:\/aws\/amazonmq\/*\" }]}"
```

**Note**  
Because this example uses the `/aws/amazonmq/` prefix, you need to configure the resource-based policy only once per AWS account, per region.

## Cross-service confused deputy prevention
<a name="security-logging-monitoring-configure-cloudwatch-confused-deputy"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account.

We recommend using the `[aws:SourceArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn)` and `[aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount)` global condition context keys in your Amazon MQ resource-based policy to limit CloudWatch Logs access to one or more specified brokers.

**Note**  
If you use both global condition context keys, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement.

The following example demonstrates a resource-based policy that limits CloudWatch Logs access to a single Amazon MQ broker.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "mq.amazonaws.com"
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123456789012",
                    "aws:SourceArn": "arn:aws:mq:us-west-1:123456789012:broker:my-broker:123456789012"
                }
            }
        }
    ]
}
```

------

You can also configure your resource-based policy to limit CloudWatch Logs access to all brokers in an account, as shown in the following.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "mq.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:mq:*:123456789012:broker:*"
                },
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                }
            }
        }
    ]
}
```

------
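As an added example (not part of the Amazon MQ documentation), the following Python builds the guarded resource policy for either scope shown above and audits an existing policy document (for instance one returned by `aws logs describe-resource-policies`) for `Allow` statements to `mq.amazonaws.com` that carry no `aws:SourceArn`/`aws:SourceAccount` guard or whose two account IDs disagree. The function names and the inline sample policy are constructed for this example.

```python
import json

MQ_PRINCIPAL = "mq.amazonaws.com"
LOG_GROUP_ARN = "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"


def build_mq_log_policy(account_id, broker_arn=None):
    """Build the CloudWatch Logs resource policy for Amazon MQ. With only
    account_id the guard is ArnLike on every broker in the account; with a
    broker_arn the guard is StringEquals on that single broker."""
    if broker_arn:
        cond = {"StringEquals": {"aws:SourceAccount": account_id,
                                 "aws:SourceArn": broker_arn}}
    else:
        cond = {"ArnLike": {"aws:SourceArn": f"arn:aws:mq:*:{account_id}:broker:*"},
                "StringEquals": {"aws:SourceAccount": account_id}}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": MQ_PRINCIPAL},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": LOG_GROUP_ARN,
        "Condition": cond}]}


def audit_mq_statements(policy):
    """Return one finding per Allow statement for mq.amazonaws.com that
    lacks both confused-deputy guards or whose account IDs disagree."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") != "Allow" or MQ_PRINCIPAL not in services:
            continue
        # Collapse every condition operator into one key -> value map
        keys = {k: v for kv in stmt.get("Condition", {}).values() for k, v in kv.items()}
        src_arn, src_acct = keys.get("aws:SourceArn"), keys.get("aws:SourceAccount")
        if src_arn is None and src_acct is None:
            findings.append(f"statement {i}: no aws:SourceArn/aws:SourceAccount guard")
        # The account ID is the fifth colon-separated field of an ARN
        elif isinstance(src_arn, str) and src_acct and src_arn.split(":")[4] != src_acct:
            findings.append(f"statement {i}: aws:SourceAccount {src_acct} differs from "
                            f"account {src_arn.split(':')[4]} in aws:SourceArn")
    return findings


# Constructed sample: the unguarded policy shape shown earlier on this page
UNGUARDED_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "mq.amazonaws.com"}, "Action": ["logs:CreateLogStream", '
    '"logs:PutLogEvents"], "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"}]}')

if __name__ == "__main__":
    print(json.dumps(build_mq_log_policy("123456789012"), indent=2))
    print(audit_mq_statements(UNGUARDED_POLICY))
```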

For more information about the confused deputy security issue, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the *IAM User Guide*.

# Troubleshooting CloudWatch Logs Configuration with Amazon MQ
<a name="security-logging-monitoring-configure-cloudwatch-troubleshoot"></a>

CloudWatch Logs might not always behave as expected. This section gives an overview of common issues and shows how to resolve them.

## Log Groups Don't Appear in CloudWatch
<a name="security-logging-monitoring-configure-cloudwatch-do-not-appear"></a>

[Add the `CreateLogGroup` permission to your Amazon MQ user](configure-logging-monitoring-activemq.md#security-logging-monitoring-configure-cloudwatch-permissions) and reboot the broker. This allows Amazon MQ to create the log group.

## Log Streams Don't Appear in CloudWatch Log Groups
<a name="security-logging-monitoring-configure-cloudwatch-streams-do-not-appear"></a>

[Configure a resource-based policy for Amazon MQ](configure-logging-monitoring-activemq.md#security-logging-monitoring-configure-cloudwatch-resource-permissions). This allows your broker to publish its logs.