@akuzminsky

Summary

  • Remove binary log files (btmp/wtmp) that CloudWatch agent cannot parse
  • Fix agent startup to properly resolve supplementary groups via systemd
  • Remove duplicate DiskSpaceUsed metric

Details

Binary log files removed

btmp and wtmp are binary files in utmp format that the CloudWatch agent cannot parse as text logs, resulting in garbled data in log streams. Authentication data is already captured in auth.log in a parseable format, so these files are redundant.

Agent startup fix

Removed the -s flag from the amazon-cloudwatch-agent-ctl command and added notify => Service[...] to ensure the agent starts via systemd. This fixes an issue where the agent process would start without supplementary groups (like adm) because the -s flag bypasses systemd's group resolution.

Cleanup

  • Removed utmp group from cwagent user (no longer needed without btmp/wtmp)
  • Removed duplicate DiskSpaceUsed metric from sandbox environment

Test plan

  • Verify CloudWatch agent starts with correct groups: cat /proc/$(pgrep -f amazon-cloudwatch)/status | grep Groups
  • Confirm auth.log is being collected in CloudWatch Logs
  • Verify no permission denied errors in agent logs

btmp and wtmp are binary files in utmp format that CloudWatch agent
cannot parse as text logs, resulting in garbled data in the log streams.
Authentication data is already captured in auth.log in a parseable format.

Changes:
- Remove btmp/wtmp entries from CloudWatch agent templates
- Remove utmp group from cwagent user (no longer needed)
- Remove duplicate DiskSpaceUsed metric
- Fix agent startup: remove -s flag from amazon-cloudwatch-agent-ctl and
  add notify to Service resource for proper systemd group resolution
- Update logrotate postrotate comment for clarity

Applied to modules/profile and propagated to sandbox and development
environments.
@akuzminsky akuzminsky merged commit 8f0e252 into main Dec 23, 2025
2 checks passed
@akuzminsky akuzminsky deleted the common-pattern branch December 23, 2025 13:51
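
An added example, not part of the pull request: the group check in the test plan prints numeric GIDs, so this sketch resolves a group name to its GID and looks for it in the `Groups:` line of a process status file. The function names, file paths and sample status/group contents are constructed for illustration; on a host, pass `/proc/<pid>/status` and `/etc/group`.

```shell
#!/bin/sh
# Added example: does a process hold a named supplementary group?
# Paths are parameters so the check runs offline against constructed samples.

# Print the supplementary GIDs from a /proc/<pid>/status file, one per line.
proc_gids() {
    awk '$1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Resolve a group name ($2) to its GID using a group(5)-format file ($1).
gid_of() {
    awk -F: -v name="$2" '$1 == name { print $3; exit }' "$1"
}

# Return 0 if status file $1 lists group $3 (resolved via group file $2),
# 1 if the group is absent from the process, 2 if the group is not defined.
has_group() {
    want=$(gid_of "$2" "$3")
    [ -n "$want" ] || return 2
    proc_gids "$1" | grep -qx "$want"
}

# Constructed sample data (not captured from a real host).
sample_dir=$(mktemp -d)
printf 'Name:\tamazon-cloudwat\nUid:\t998\t998\t998\t998\nGroups:\t4 998 \n' \
    > "$sample_dir/status_with_adm"
printf 'Name:\tamazon-cloudwat\nUid:\t998\t998\t998\t998\nGroups:\t998 \n' \
    > "$sample_dir/status_without_adm"
printf 'root:x:0:\nadm:x:4:syslog,cwagent\nutmp:x:43:\ncwagent:x:998:\n' \
    > "$sample_dir/group"

# Report on both samples; the second models a process started without
# its supplementary groups.
for f in status_with_adm status_without_adm; do
    if has_group "$sample_dir/$f" "$sample_dir/group" adm; then
        echo "$f: adm present"
    else
        echo "$f: adm MISSING"
    fi
done
```

Matching on the resolved GID avoids false positives from substring matches on the raw `Groups:` line, and the distinct return code 2 separates "group not defined on this host" from "process lacks the group".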