AWS EC2 metadata

Parse metadata emitted by AWS EC2 instances

status: stable egress: stream state: stateless output: log
Enriches events with AWS EC2 environment metadata.

Requirements

Running this transform within Docker on EC2 requires 2 network hops. Users must raise this limit:

aws ec2 modify-instance-metadata-options --instance-id <ID> --http-endpoint enabled --http-put-response-hop-limit 2

Configuration

Example configurations

{
  "transforms": {
    "my_transform_id": {
      "type": "aws_ec2_metadata",
      "inputs": [
        "my-source-or-transform-id"
      ],
      "fields": [
        "instance-id"
      ],
      "namespace": null,
      "refresh_interval_secs": 10
    }
  }
}
[transforms.my_transform_id]
type = "aws_ec2_metadata"
inputs = [ "my-source-or-transform-id" ]
fields = [ "instance-id" ]
refresh_interval_secs = 10
---
transforms:
  my_transform_id:
    type: aws_ec2_metadata
    inputs:
      - my-source-or-transform-id
    fields:
      - instance-id
    namespace: null
    refresh_interval_secs: 10
{
  "transforms": {
    "my_transform_id": {
      "type": "aws_ec2_metadata",
      "inputs": [
        "my-source-or-transform-id"
      ],
      "endpoint": "http://169.254.169.254",
      "fields": [
        "instance-id"
      ],
      "namespace": null,
      "refresh_interval_secs": 10
    }
  }
}
[transforms.my_transform_id]
type = "aws_ec2_metadata"
inputs = [ "my-source-or-transform-id" ]
endpoint = "http://169.254.169.254"
fields = [ "instance-id" ]
refresh_interval_secs = 10
---
transforms:
  my_transform_id:
    type: aws_ec2_metadata
    inputs:
      - my-source-or-transform-id
    endpoint: http://169.254.169.254
    fields:
      - instance-id
    namespace: null
    proxy: null
    refresh_interval_secs: 10

endpoint

optional string literal
Override the default EC2 Metadata endpoint.
default: http://169.254.169.254

fields

common optional [string]
A list of fields to include in each event.
Array string literal
Examples
[
  "instance-id",
  "local-hostname"
]
default: [instance-id local-hostname local-ipv4 public-hostname public-ipv4 ami-id availability-zone vpc-id subnet-id region]

inputs

required [string]

A list of upstream source or transform IDs. Wildcards (*) are supported.

See configuration for more info.

Array string literal
Examples
[
  "my-source-or-transform-id",
  "prefix-*"
]

namespace

common optional string literal
Prepend a namespace to each field’s key.
Examples
""
"ec2"
"aws.ec2"

proxy

optional object
Configures an HTTP(S) proxy for Vector to use. By default, the globally configured proxy is used.

proxy.enabled

optional bool
If false the proxy will be disabled.
default: true

proxy.http

optional string literal
The URL to proxy HTTP requests through.
Examples
"http://foo.bar:3128"

proxy.https

optional string literal
The URL to proxy HTTPS requests through.
Examples
"http://foo.bar:3128"

proxy.no_proxy

optional [string]

A list of hosts to avoid proxying. Allowed patterns here include:

PatternExample match
Domain namesexample.com matches requests to example.com
Wildcard domains.example.com matches requests to example.com and its subdomains
IP addresses127.0.0.1 matches requests to 127.0.0.1
CIDR blocks192.168.0.0./16 matches requests to any IP addresses in this range
Splat* matches all hosts

refresh_interval_secs

common optional uint
The interval in seconds at which the EC2 Metadata api will be called.
default: 10

Environment variables

HTTPS_PROXY

common optional string literal

The global URL to proxy HTTPS requests through.

If another HTTPS proxy is set in the configuration file or at a component level, this one will be overridden.

The lowercase variant has priority over the uppercase one.

Examples
http://foo.bar:3128

HTTP_PROXY

common optional string literal

The global URL to proxy HTTP requests through.

If another HTTP proxy is set in the configuration file or at a component level, this one will be overridden.

The lowercase variant has priority over the uppercase one.

Examples
http://foo.bar:3128

NO_PROXY

common optional string literal

List of hosts to avoid proxying globally.

Allowed patterns here include:

PatternExample match
Domain namesexample.com matches requests to example.com
Wildcard domains.example.come matches requests to example.com and its subdomains
IP addresses127.0.0.1 matches requests to 127.0.0.1
CIDR blocks192.168.0.0./16 matches requests to any IP addresses in this range
Splat* matches all hosts

If another no_proxy value is set in the configuration file or at a component level, this one is overridden.

The lowercase variant has priority over the uppercase one.

Examples
localhost,.example.com,192.168.0.0./16
*

http_proxy

common optional string literal

The global URL to proxy HTTP requests through.

If another HTTP proxy is set in the configuration file or at a component level, this one will be overridden.

The lowercase variant has priority over the uppercase one.

Examples
http://foo.bar:3128

https_proxy

common optional string literal

The global URL to proxy HTTPS requests through.

If another HTTPS proxy is set in the configuration file or at a component level, this one will be overridden.

The lowercase variant has priority over the uppercase one.

Examples
http://foo.bar:3128

no_proxy

common optional string literal

List of hosts to avoid proxying globally.

Allowed patterns here include:

PatternExample match
Domain namesexample.com matches requests to example.com
Wildcard domains.example.come matches requests to example.com and its subdomains
IP addresses127.0.0.1 matches requests to 127.0.0.1
CIDR blocks192.168.0.0./16 matches requests to any IP addresses in this range
Splat* matches all hosts

If another no_proxy value is set in the configuration file or at a component level, this one is overridden.

The lowercase variant has priority over the uppercase one.

Examples
localhost,.example.com,192.168.0.0./16
*

Output

Logs

Log

Log event enriched with EC2 metadata
Fields
ami-id required string literal
The ami-id that the current EC2 instance is using.
Examples
ami-00068cd7555f543d5
availability-zone required string literal
The availability-zone that the current EC2 instance is running in.
Examples
54.234.246.107
instance-id required string literal
The instance-id of the current EC2 instance.
Examples
i-096fba6d03d36d262
instance-type required string literal
The instance-type of the current EC2 instance.
Examples
m4.large
local-hostname required string literal
The local-hostname of the current EC2 instance.
Examples
ip-172-31-93-227.ec2.internal
local-ipv4 required string literal
The local-ipv4 of the current EC2 instance.
Examples
172.31.93.227
public-hostname required string literal
The public-hostname of the current EC2 instance.
Examples
ec2-54-234-246-107.compute-1.amazonaws.com
public-ipv4 required string literal
The public-ipv4 of the current EC2 instance.
Examples
54.234.246.107
region required string literal
The region that the current EC2 instance is running in.
Examples
us-east-1
role-name required string literal
The role-name that the current EC2 instance is using.
Examples
some_iam_role
subnet-id required string literal
The subnet-id of the current EC2 instance’s default network interface.
Examples
subnet-9d6713b9
vpc-id required string literal
The vpc-id of the current EC2 instance’s default network interface.
Examples
vpc-a51da4dc

Telemetry

Metrics

link

component_received_event_bytes_total

counter
The number of event bytes accepted by this component either from tagged origins like file and uri, or cumulatively from other origins.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
container_name optional
The name of the container from which the data originated.
file optional
The file from which the data originated.
host required
The hostname of the system Vector is running on.
mode optional
The connection mode used by the component.
peer_addr optional
The IP from which the data originated.
peer_path optional
The pathname from which the data originated.
pid required
The process ID of the Vector instance.
pod_name optional
The name of the pod from which the data originated.
uri optional
The sanitized URI from which the data originated.

component_received_events_total

counter
The number of events accepted by this component either from tagged origins like file and uri, or cumulatively from other origins.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
container_name optional
The name of the container from which the data originated.
file optional
The file from which the data originated.
host required
The hostname of the system Vector is running on.
mode optional
The connection mode used by the component.
peer_addr optional
The IP from which the data originated.
peer_path optional
The pathname from which the data originated.
pid required
The process ID of the Vector instance.
pod_name optional
The name of the pod from which the data originated.
uri optional
The sanitized URI from which the data originated.

component_sent_event_bytes_total

counter
The total number of event bytes emitted by this component.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
host required
The hostname of the system Vector is running on.
pid required
The process ID of the Vector instance.

component_sent_events_total

counter
The total number of events emitted by this component.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
host required
The hostname of the system Vector is running on.
pid required
The process ID of the Vector instance.

events_in_total

counter
The number of events accepted by this component either from tagged origins like file and uri, or cumulatively from other origins. This metric is deprecated and will be removed in a future version. Use component_received_events_total instead.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
container_name optional
The name of the container from which the data originated.
file optional
The file from which the data originated.
host required
The hostname of the system Vector is running on.
mode optional
The connection mode used by the component.
peer_addr optional
The IP from which the data originated.
peer_path optional
The pathname from which the data originated.
pid required
The process ID of the Vector instance.
pod_name optional
The name of the pod from which the data originated.
uri optional
The sanitized URI from which the data originated.

events_out_total

counter
The total number of events emitted by this component. This metric is deprecated and will be removed in a future version. Use component_sent_events_total instead.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
host required
The hostname of the system Vector is running on.
pid required
The process ID of the Vector instance.

metadata_refresh_failed_total

counter
The total number of failed efforts to refresh AWS EC2 metadata.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
host required
The hostname of the system Vector is running on.
pid required
The process ID of the Vector instance.

metadata_refresh_successful_total

counter
The total number of AWS EC2 metadata refreshes.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
host required
The hostname of the system Vector is running on.
pid required
The process ID of the Vector instance.

processed_bytes_total

counter
The number of bytes processed by the component.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
container_name optional
The name of the container from which the bytes originate.
file optional
The file from which the bytes originate.
host required
The hostname of the system Vector is running on.
mode optional
The connection mode used by the component.
peer_addr optional
The IP from which the bytes originate.
peer_path optional
The pathname from which the bytes originate.
pid required
The process ID of the Vector instance.
pod_name optional
The name of the pod from which the bytes originate.
uri optional
The sanitized URI from which the bytes originate.

processed_events_total

counter
The total number of events processed by this component. This metric is deprecated in place of using component_received_events_total and component_sent_events_total metrics.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
host required
The hostname of the system Vector is running on.
pid required
The process ID of the Vector instance.

utilization

gauge
A ratio from 0 to 1 of the load on a component. A value of 0 would indicate a completely idle component that is simply waiting for input. A value of 1 would indicate a that is never idle. This value is updated every 5 seconds.
component_id required
The Vector component ID.
component_kind required
The Vector component kind.
component_name required
Deprecated, use component_id instead. The value is the same as component_id.
component_type required
The Vector component type.
host required
The hostname of the system Vector is running on.
pid required
The process ID of the Vector instance.

How it works

State

This component is stateless, meaning its behavior is consistent across each input.