Panopta offers native integration with AWS CloudWatch, enabling Panopta to ingest your CloudWatch monitoring data. As well, Panopta can perform automatic discovery and monitoring of instances within your AWS account. This is configurable by service type and region, and can also be fully customized using your AWS tags.
CloudWatch data should be used as an augmentation of, not a replacement for, the data obtained by the Panopta server agent and external monitoring. The server agent can provide more detailed and accurate data across any OS distribution or application you may be running on your compute instance. As well, our external monitoring ensures you're getting the full picture of your current operating environment as well as a view into what your customers are experiencing.
Connecting Panopta & CloudWatch
To grant Panopta access to your CloudWatch data, you'll need to create an external account role within your AWS account that is tied to Panopta's External AWS Account.
From the main navigation header, click Add. The Infrastructure and Resource Catalog will be displayed.
Enter a name for the integration.
Follow the on-page instructions to create an IAM Policy and Role for the external Panopta account.
Once you've obtained your ARN, select Verify Connection.
Once your ARN has been validated, you can configure your monitoring settings.
Services: Select the AWS services you'd like to monitor. Select only the ones you're using; otherwise, unused services consume vital API calls.
Filter Instances by Tag: You can choose to only import instances that match the AWS tag filters you define.
Regions: Select only the regions you operate in; otherwise, unused regions consume vital API calls.
Options - Import Tags: Enabling tag import will pull in your AWS tags with your AWS instances. You have the option to import only the Value portion of the AWS tag or the entire AWS key-value pair as a single string tag.
Options - Import AWS tags as Panopta Attributes: AWS tags will be imported as key-value pairs (attributes within Panopta).
Options - Routinely scan for new instances: every 20 minutes, we'll look for new instances in your account and will begin monitoring them assuming they meet your filter criteria. EC2 instances using the Panopta agent can be monitored immediately if you install the agent on boot.
Options - Apply Monitoring Policies: Apply a monitoring policy to the imported AWS instances.
Options - Destination Group: Any time instances are imported, they'll be placed in this group in the control panel. This is great for setting default values, which instances inherit from their parent group, as well as for applying default templates.
Options - Template: Apply a Template to every instance that's imported.
Click Complete Integration. We'll start pulling in your instances that meet your filter criteria and begin monitoring them.
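To review the role created in the steps above, this added example (not Panopta's code and not part of the on-page instructions) audits a cross-account role trust policy for a wildcard or unexpected principal and for a missing external ID condition. It assumes the on-page instructions give you Panopta's AWS account ID and an external ID; the account ID 111122223333, the external ID value and the function names are placeholders chosen for illustration.

```python
import json

# Constructed sample trust policy. 111122223333 is a placeholder account ID,
# not Panopta's; the external ID value is also made up.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})


def as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, vendor_account_id):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings = []
    # Only the vendor account (bare ID or root ARN form) may assume the role.
    allowed = {vendor_account_id, f"arn:aws:iam::{vendor_account_id}:root"}
    statements = as_list(json.loads(policy_json)["Statement"])
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in as_list(values):
                if value == "*":
                    findings.append(f"statement {i}: wildcard principal")
                elif kind != "AWS" or value not in allowed:
                    findings.append(f"statement {i}: unexpected principal {value}")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: actions other than sts:AssumeRole")
        # Without an external ID, the role is exposed to confused-deputy misuse.
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY, "111122223333") or "trust policy OK")
```

Feed it the trust policy document exported from the role you created, with the account ID shown in the on-page instructions in place of the placeholder.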
API Limits and Throttling
By default, each AWS account gets 1M CloudWatch API calls per month for free. When Panopta makes CloudWatch calls to obtain metrics (every 10 minutes), it utilizes your API calls quota. Due to the highly decoupled design of the CloudWatch API, calls have to be made on a per-instance-per-metric basis - this means API calls add up fast. We encourage you to utilize the Panopta agent on EC2 instances, not only for the cost savings but also for the increased functionality and granularity. You can read more about it here.
Once you exceed 1M CloudWatch calls for the month, AWS will charge your account $10 per 1M calls. You can read more about their pricing here.
In certain large-scale scenarios, AWS could begin throttling API calls. We will begin backing-off at that time. If you expect to utilize close to or the full 1M calls per month, we recommend reaching out to AWS to ask for a limit increase. If you'd like Panopta to collect CloudWatch metrics more often than every 10 minutes, please contact our support team. As well, you can override this at the metric level by editing the metric. Check out Templates to do this in bulk.
If you're running the agent (Linux version > 2017.40, Windows version > 18.34), EC2 metrics will be automatically added to your existing agent-based instances.
Example: If you have a Linux Virtual Machine instance you're already monitoring with the agent, and the agent version is > 2017.40, we won't create a second "EC2" instance with the CloudWatch connection. The new CloudWatch metrics will be added to your existing instance.
EC2 Incident Confirmation
If you're monitoring an EC2 instance with external checks - such as HTTP, HTTPS, or Ping - and we identify an incident, we'll first confirm with AWS that the instance is still around. If it was gracefully removed, we will not alert. If the instance was not removed gracefully, we will alert as normal.
The following AWS integrations are supported (free or charged per instance):