

# Understanding CloudWatch Logs and reasons for skipping resources during Malware Protection for EC2 scan
<a name="malware-protection-auditing-scan-logs"></a>

GuardDuty Malware Protection for EC2 publishes events to your Amazon CloudWatch log group **/aws/guardduty/malware-scan-events**. For each of the events related to the malware scan, you can monitor the status and scan result of your impacted resources. Certain Amazon EC2 resources and Amazon EBS volumes may have been skipped during the Malware Protection for EC2 scan. 

## Auditing CloudWatch Logs in GuardDuty Malware Protection for EC2
<a name="mp-audit-cloudwatch-events"></a>

There are three types of scan events supported in the **/aws/guardduty/malware-scan-events** CloudWatch log group.


| Malware Protection for EC2 scan event name | Explanation | 
| --- | --- | 
|  `EC2_SCAN_STARTED`  |  Created when GuardDuty Malware Protection for EC2 initiates the malware scan process, such as preparing to take a snapshot of an EBS volume.  | 
|  `EC2_SCAN_COMPLETED`  |  Created when the GuardDuty Malware Protection for EC2 scan completes for at least one of the EBS volumes of the impacted resource. This event also includes the `snapshotId` that belongs to the scanned EBS volume. After the scan completes, the scan result is one of `CLEAN`, `THREATS_FOUND`, or `NOT_SCANNED`.  | 
|  `EC2_SCAN_SKIPPED`  |  Created when GuardDuty Malware Protection for EC2 scan skips all the EBS volumes of the impacted resource. To identify the skip reason, select the corresponding event, and view the details. For more information on skip reasons, see [Reasons for skipping resource during malware scan](#mp-scan-skip-reasons) below.   | 

**Note**  
If you're using AWS Organizations, CloudWatch log events from member accounts in the organization are published to both the administrator account's and the member account's log group.

Choose your preferred access method to view and query CloudWatch events.

------
#### [ Console ]

1. Sign in to the AWS Management Console and open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, under **Logs**, choose **Log groups**. Choose the **/aws/guardduty/malware-scan-events** log group to view the scan events for GuardDuty Malware Protection for EC2. 

   To run a query, choose **Log Insights**. 

   For information about running a query, see [Analyzing log data with CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) in the *Amazon CloudWatch User Guide*.

1. Choose **Scan ID** to monitor the details of the impacted resource and malware findings. For example, you can run the following query to filter the CloudWatch log events by using `scanId`. Make sure to use your own valid *scan-id*.

   ```
   fields @timestamp, @message, scanRequestDetails.scanId as scanId
   | filter scanId like "77a6f6115da4bd95f4e4ca398492bcc0"
   | sort @timestamp asc
   ```

------
#### [ API/CLI ]
+ To work with log groups, see [Search log entries using the AWS CLI](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SearchDataFilterPattern.html#search-log-entries-cli) in the *Amazon CloudWatch User Guide*. 

  Choose the **/aws/guardduty/malware-scan-events** log group to view the scan events for GuardDuty Malware Protection for EC2. 
+ To view and filter log events, see [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html) and [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html), respectively, in the *Amazon CloudWatch API Reference*. 

------

## GuardDuty Malware Protection for EC2 log retention
<a name="malware-scan-event-log-retention"></a>

The default log retention period for the **/aws/guardduty/malware-scan-events** log group is 90 days, after which the log events are deleted automatically. To change the log retention policy for your CloudWatch log group, see [Change log data retention in CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#SettingLogRetention) in the *Amazon CloudWatch User Guide*, or [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutRetentionPolicy.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutRetentionPolicy.html) in the *Amazon CloudWatch API Reference*.

## Reasons for skipping resource during malware scan
<a name="mp-scan-skip-reasons"></a>

In the events related to the malware scan, certain EC2 resources and EBS volumes may have been skipped during the scanning process. The following table lists the reasons why GuardDuty Malware Protection for EC2 may not scan a resource. Where proposed steps are given, use them to resolve the issue so that the resource is scanned the next time GuardDuty Malware Protection for EC2 initiates a malware scan. The remaining reasons inform you about the course of events and are non-actionable. 


| Reasons for skipping | Explanation | Proposed steps | 
| --- | --- | --- | 
|  `RESOURCE_NOT_FOUND`  | The `resourceArn` provided to initiate the on-demand malware scan was not found in your AWS environment. | Validate the `resourceArn` of your Amazon EC2 instance or container workload, and try again. | 
|  `ACCOUNT_INELIGIBLE`  | The AWS account from which you tried to initiate an on-demand malware scan has not enabled GuardDuty. | Verify that GuardDuty is enabled for this AWS account. When you enable GuardDuty in a new AWS Region, it may take up to 20 minutes to sync. | 
|  `UNSUPPORTED_KEY_ENCRYPTION`  |  GuardDuty Malware Protection for EC2 supports volumes that are either unencrypted or encrypted with a customer managed key. It doesn't support scanning EBS volumes that are encrypted using [Amazon EBS encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html).  Presently, there is a regional difference where this skip reason is not applicable. For more information about these AWS Regions, see [Region-specific feature availability](guardduty_regions.md#gd-regional-feature-availability).  |  Replace your encryption key with a customer managed key. For more information on the types of encryption that GuardDuty supports, see [Supported Amazon EBS volumes for malware scan](gdu-malpro-supported-volumes.md).  | 
|  `EXCLUDED_BY_SCAN_SETTINGS`  |  The EC2 instance or EBS volume was excluded from the malware scan. This happens when a tag was added to the inclusion list but the resource isn't associated with that tag, when a tag was added to the exclusion list and the resource is associated with that tag, or when the `GuardDutyExcluded` tag is set to `true` for this resource.  |  Update your scan options or the tags associated with your Amazon EC2 resource. For more information, see [Scan options with user-defined tags](malware-protection-customizations.md#mp-scan-options).  | 
|  `UNSUPPORTED_VOLUME_SIZE`  |  The volume is greater than 2048 GB.  |  Not actionable.  | 
|  `NO_VOLUMES_ATTACHED`  |  GuardDuty Malware Protection for EC2 found the instance in your account but no EBS volume was attached to this instance to proceed with the scan.  |  Not actionable.  | 
|  `UNABLE_TO_SCAN`  |  It is an internal service error.  |  Not actionable.  | 
|  `SNAPSHOT_NOT_FOUND`  |  The snapshots created from the EBS volumes and shared with the service account were not found, so GuardDuty Malware Protection for EC2 couldn't proceed with the scan.  |  Check CloudTrail to ensure that the snapshots were not removed intentionally.  | 
|  `SNAPSHOT_QUOTA_REACHED`  |  You have reached the maximum storage allowed for snapshots in this Region. This prevents not just retaining but also creating new snapshots.   |  You can either remove old snapshots or request a quota increase. You can view the default limit for snapshots per Region and how to request a quota increase under [Service quotas](https://docs.aws.amazon.com/general/latest/gr/ebs-service.html#limits_ebs) in the *AWS General Reference Guide*.  | 
|  `MAX_NUMBER_OF_ATTACHED_VOLUMES_REACHED`  | More than 11 EBS volumes were attached to an EC2 instance. GuardDuty Malware Protection for EC2 scanned the first 11 EBS volumes, obtained by sorting the `deviceName` alphabetically. | Not actionable. | 
|  `UNSUPPORTED_PRODUCT_CODE_TYPE`  | GuardDuty can scan the majority of instances with `productCode` as `marketplace`. Some marketplace instances may not be eligible for scanning. GuardDuty skips such instances and logs the reason as `UNSUPPORTED_PRODUCT_CODE_TYPE`. This support varies in AWS GovCloud (US) and China Regions. For more information, see [Region-specific feature availability](guardduty_regions.md#gd-regional-feature-availability). For more information, see [Paid AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/paid-amis.html) in the *Amazon EC2 User Guide*. For information on `productCode`, see [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ProductCode.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ProductCode.html) in the *Amazon EC2 API Reference*.   | Not actionable. | 
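The following script is an added example, not code from the GuardDuty documentation or the GuardDuty service. It ties together the API/CLI section above (pulling raw messages from the **/aws/guardduty/malware-scan-events** log group with the FilterLogEvents API) and the skip-reason table (sorting skipped scans into the ones you can fix and the ones you cannot). The page documents only `scanRequestDetails.scanId`, `snapshotId`, the scan result values and the skip reason names; the top-level field names `eventType`, `scanResult` and `skipReason` used here are assumptions about the event layout, and the sample messages are constructed. The `fetch_messages` helper needs `boto3` and AWS credentials, so it imports lazily; everything else runs offline.

```python
"""Triage GuardDuty Malware Protection for EC2 scan events pulled from CloudWatch Logs.

Added example: field names other than scanRequestDetails.scanId and snapshotId are
assumptions about the event layout, not taken from the documentation.
"""
import json
from collections import Counter

LOG_GROUP = "/aws/guardduty/malware-scan-events"

# Skip reasons from the table above, grouped by whether the "Proposed steps" column
# gives you something to fix. A reason in neither set is reported as unknown so that
# a new reason is surfaced instead of silently dropped.
ACTIONABLE_SKIP_REASONS = frozenset({
    "RESOURCE_NOT_FOUND", "ACCOUNT_INELIGIBLE", "UNSUPPORTED_KEY_ENCRYPTION",
    "EXCLUDED_BY_SCAN_SETTINGS", "SNAPSHOT_NOT_FOUND", "SNAPSHOT_QUOTA_REACHED",
})
NON_ACTIONABLE_SKIP_REASONS = frozenset({
    "UNSUPPORTED_VOLUME_SIZE", "NO_VOLUMES_ATTACHED", "UNABLE_TO_SCAN",
    "MAX_NUMBER_OF_ATTACHED_VOLUMES_REACHED", "UNSUPPORTED_PRODUCT_CODE_TYPE",
})

# Assumed top-level field names (see module docstring).
EVENT_TYPE_FIELD = "eventType"
SCAN_RESULT_FIELD = "scanResult"
SKIP_REASON_FIELD = "skipReason"


def parse_event(message):
    """Parse one log event message (a JSON document) into a flat record.

    Returns None for anything that is not a JSON object, so one malformed line does
    not abort a triage run over a whole log group.
    """
    try:
        doc = json.loads(message)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    details = doc.get("scanRequestDetails")
    if not isinstance(details, dict):
        details = {}
    return {
        "event_type": doc.get(EVENT_TYPE_FIELD),
        "scan_id": details.get("scanId"),
        "scan_result": doc.get(SCAN_RESULT_FIELD),
        "skip_reason": doc.get(SKIP_REASON_FIELD),
        "snapshot_id": doc.get("snapshotId"),
    }


def triage(messages):
    """Count event types and scan results, and bucket skipped scans by skip reason."""
    summary = {
        "events": Counter(),
        "scan_results": Counter(),
        "skip_reasons": Counter(),
        "actionable": {},      # scanId -> skip reason with proposed steps
        "non_actionable": {},  # scanId -> skip reason marked "Not actionable"
        "unknown": {},         # scanId -> skip reason not in the table above
        "malformed": 0,
    }
    for message in messages:
        record = parse_event(message)
        if record is None:
            summary["malformed"] += 1
            continue
        summary["events"][record["event_type"]] += 1
        if record["event_type"] == "EC2_SCAN_COMPLETED":
            summary["scan_results"][record["scan_result"]] += 1
        elif record["event_type"] == "EC2_SCAN_SKIPPED":
            reason = record["skip_reason"]
            summary["skip_reasons"][reason] += 1
            if reason in ACTIONABLE_SKIP_REASONS:
                bucket = "actionable"
            elif reason in NON_ACTIONABLE_SKIP_REASONS:
                bucket = "non_actionable"
            else:
                bucket = "unknown"
            summary[bucket][record["scan_id"]] = reason
    return summary


def fetch_messages(log_group=LOG_GROUP, filter_pattern='"EC2_SCAN_SKIPPED"', region_name=None):
    """Yield raw messages via the FilterLogEvents API (needs boto3 and credentials)."""
    import boto3  # imported here so the offline parts of this module still load
    client = boto3.client("logs", region_name=region_name)
    paginator = client.get_paginator("filter_log_events")
    for page in paginator.paginate(logGroupName=log_group, filterPattern=filter_pattern):
        for event in page.get("events", []):
            yield event["message"]


# Constructed sample messages in the assumed layout; scan and snapshot IDs are made up.
SAMPLE_MESSAGES = [
    json.dumps({"eventType": "EC2_SCAN_STARTED", "scanRequestDetails": {"scanId": "scan-0001"}}),
    json.dumps({"eventType": "EC2_SCAN_COMPLETED", "scanRequestDetails": {"scanId": "scan-0001"},
                "snapshotId": "snap-0000000000000001", "scanResult": "CLEAN"}),
    json.dumps({"eventType": "EC2_SCAN_SKIPPED", "scanRequestDetails": {"scanId": "scan-0002"},
                "skipReason": "UNSUPPORTED_KEY_ENCRYPTION"}),
    json.dumps({"eventType": "EC2_SCAN_SKIPPED", "scanRequestDetails": {"scanId": "scan-0003"},
                "skipReason": "UNSUPPORTED_VOLUME_SIZE"}),
    json.dumps({"eventType": "EC2_SCAN_SKIPPED", "scanRequestDetails": {"scanId": "scan-0004"},
                "skipReason": "SOME_NEW_REASON"}),
    "this line is not JSON",
]

if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGES)
    print("actionable skips:", result["actionable"])
    print("non-actionable skips:", result["non_actionable"])
    print("unknown skip reasons:", result["unknown"])
```

Run it as-is to see the triage over the constructed sample, or replace `SAMPLE_MESSAGES` with `list(fetch_messages())` to process real events from the log group. Keying the actionable bucket by `scanId` lets you take each entry straight to the console query shown earlier on this page.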