// Module included in the following assemblies:
//
// * security/rosa-forwarding-control-plane-logs.adoc
:_mod-docs-content-type: PROCEDURE
[id="rosa-set-up-cloudwatch-log-group_{context}"]
= Setting up the CloudWatch log group

[role="_abstract"]
If you have logs requiring immediate action or organization, set up an Amazon CloudWatch log group. 

.Prerequisites

* You have created an IAM role and policy. 

.Procedure

. Create the CloudWatch log group by running the following command: 
+
[source,terminal]
----
$ aws logs create-log-group –log-group-name <your_log_group_name>
----
+
. In your {product-title} cluster, configure the log forwarder to use the CloudWatch log group by applying the following JSON sample:  
+
[source,json]
----
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreatePutLogs",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "<your_log_group_arn>:*"
        },
        {
            "Sid": "DescribeLogs",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": "*"
        }
    ]
}
----
+
. Attach the policy to the CloudWatch role by running the following command: 
+
[source,terminal]
----
$ aws iam put-role-policy \
    --role-name CustomerLogDistribution-RH \
    --policy-name Allow-CloudWatch-Writes \
    --policy-document file://cloudwatch-policy.json
----
+
. Configure your {product-title} cluster to forward logs to the CloudWatch log group by applying the following sample YAML list:  
+
[source,yaml]
----
cloudwatch:
  cloudwatch_log_role_arn: "arn:aws:iam::123456789012:role/RosaCloudWatch"
  cloudwatch_log_group_name: "rosa-logs"
  applications: 
    - "<example_app1>"
  groups: 
    - "<example_group1>"
----
<example_app1>:: Add one or more applications. For a list of applications, see the table in "Determining what log groups to use".
<example_group1>:: Add one or more of the following groups: `API`, `Authentication`, `Controller Manager`, `Scheduler`, and `Other`.
. Enable the log forwarder to send logs to your {product-title} cluster. 
.. To enable control plane log forwarding on a new cluster, include the log forwarding configuration by running the following command:  
+
[source,terminal]
----
$ rosa create cluster --log-fwd-config="<path_to_file>.yaml"
----
+
.. To enable control plane log forwarding on an existing cluster, include the log forwarding configuration by running the following command:    
+
[source,terminal]
----
$ rosa create log-forwarder -c <cluster> --log-fwd-config="<path_to_file>.yaml"
----