Troubleshoot AWS monitoring setup
Read below how you can troubleshoot issues regarding your Dynatrace deployment for AWS monitoring.
Make sure that you have the latest version of Environment ActiveGate. Earlier versions (ActiveGate version 1.159 and earlier) contained a property with a different name. Set that property instead:
ActiveGate versions 1.159 and earlier
1[collector]2AWSAgentEnabled = true
If you configure a proxy for an ActiveGate deployed on an EC2 instance, with an attached IAM role, you must ensure that you exempt the address used to access the instance metadata. The address to exempt is the IP address of the instance metadata service, 169.254.169.254. This address is always the same and does not depend on the instance.
In the appropriate section your ActiveGate communication settings, specify proxy-non-proxy-hosts = 169.254.169.254.
For example:
1[http.client]2proxy-non-proxy-hosts = 169.254.169.254
You have two options:
-
Option 1.
Confirm that all ActiveGates that have AWS monitoring enabled can connect to AWS.
In case of role-based setup: Ensure that all ActiveGates that have AWS monitoring enabled have theActiveGaterole attached. -
Option 2.
Choose one ActiveGate you want to monitor your AWS account with. Any ActiveGate type will work as long as it can connect to AWS. On that ActiveGate edit thecustom.propertiesfile and set the following property totrue:
ActiveGate version 1.159 and earlier
1[collector]2AWSAgentEnabled = true
ActiveGate version 1.161 or later
1[aws_monitoring]2aws_monitoring_enabled = true
On all the other ActiveGates, set the property to false.
Add *.amazonaws.com to your firewall's list of allowed domains.
An error might occur when attaching a role to an EC2 instance. In such cases, you can use curl to retrieve the instance metadata to verify if the role is listed there. Use the following command:
1curl http://169.254.169.254/latest/meta-data/iam/info
If the attached role is still not listed in the instance metadata, it often helps to reattach it.
For more information, see Instance Metadata and User Data.
To monitor non-default AWS regions—Middle East (Bahrain), Africa (Cape Town), Asia Pacific (Hong Kong), Europe (Milan)—using role-based credentials, you need to modify the IAM STS settings in the AWS IAM console.
- In the AWS IAM console, go to Account settings.
- In Security Token Service (STS), select Edit to change Region compatibility of session tokens for
Global endpointto Valid in all AWS Regions. - Select Save changes.
For information about differences between built-in services and other services, see Migrate from AWS built-in services to cloud services.