This chapter covers two AWS logging agents: the legacy CloudWatch Logs Agent and the modern Unified CloudWatch Agent. Understanding the differences, configuration, and common exam traps is critical for the Monitoring domain of the SOA-C02 exam. Approximately 10-15% of exam questions touch on CloudWatch agents, log collection, and metric publishing. You will learn how each agent works internally, step-by-step setup, and the exact scenarios where one is preferred over the other.
Jump to a section
Imagine you manage a large forest where you need to monitor tree growth, soil conditions, and wildlife activity. You have two types of saws: an older, manual handsaw (like the CloudWatch Logs Agent) and a modern, electric chainsaw with multiple attachments (the Unified CloudWatch Agent). The handsaw is simple: it cuts wood only. You must carry it separately and it cannot measure anything else. In contrast, the chainsaw has a built-in computer that can log cutting time, wood hardness, blade temperature, and even the GPS location of each tree felled. With the handsaw, you write down measurements in a separate notebook; with the chainsaw, everything is recorded automatically and sent to a central dashboard. The Unified Agent is that chainsaw: it collects logs, metrics, and system performance data from your EC2 instances and on-premises servers, all in one place, with flexible configuration. The old Logs Agent only collects log files and sends them to CloudWatch Logs. For the SOA-C02 exam, you need to know when to use each tool and how to configure the unified agent to avoid common pitfalls.
What Are CloudWatch Agents?
Amazon CloudWatch Agents are software components that you install on EC2 instances or on-premises servers to collect logs and metrics and send them to AWS. The CloudWatch Logs Agent (often called the legacy agent) was the first iteration, designed solely to forward log files to CloudWatch Logs. The Unified CloudWatch Agent is the newer, recommended agent that can collect both logs and system metrics (CPU, memory, disk, network) and send them to CloudWatch Logs and CloudWatch Metrics.
Why Two Agents?
The legacy agent was limited. It could only push log data. As AWS evolved, customers needed a single agent to collect both logs and metrics for comprehensive monitoring. The Unified Agent was released in 2018 and is now the standard. AWS recommends using the Unified Agent for all new deployments. The legacy agent is still supported but not actively developed.
How the Legacy CloudWatch Logs Agent Works
The legacy agent is a Python-based daemon that runs on Linux instances. It monitors specified log files and sends new log events to a CloudWatch Logs log stream within a log group. Configuration is done via a JSON file at /etc/awslogs/awscli.conf and a separate config file at /etc/awslogs/config/.
- It uses the AWS CLI credentials from the instance metadata or a credentials file.
- It reads log files line by line and batches events before sending.
- Default batch size is 10,000 events or 1 MB, whichever is smaller.
- The agent uses a state file (/var/lib/awslogs/agent-state) to track which lines have been sent, ensuring no duplicates.
- It only supports Linux instances.
- It cannot collect custom metrics or system metrics.
How the Unified CloudWatch Agent Works
The Unified Agent is also Python-based but more modular. It can collect: - Logs: From files, and can filter, transform, and route them. - Metrics: CPU, memory, disk, network, swap, and custom metrics from collectd or statsd. - Procstat metrics: Process-level metrics like CPU and memory per process.
Configuration is done via a single JSON or TOML file, typically at /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json. The agent supports both Linux and Windows Server.
Internal Mechanism:
- The agent runs as a service: amazon-cloudwatch-agent.
- It reads the configuration file and starts collectors.
- For logs, it uses file watchers (inotify on Linux) to detect new lines.
- For metrics, it uses system calls (e.g., /proc/stat on Linux, performance counters on Windows).
- Data is buffered and sent in batches to CloudWatch.
- The agent can also send metrics to CloudWatch using the PutMetricData API with a resolution of either standard (60 seconds) or high-resolution (1 second) if configured.
Key Components and Defaults
Legacy Agent:
- State file: /var/lib/awslogs/agent-state
- Log group default: /var/log/messages
- Batch size: 10,000 lines or 1 MB
- Credentials: Uses default AWS credential chain (instance profile > environment variables > ~/.aws/credentials).
Unified Agent:
- Configuration file: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
- State file: /opt/aws/amazon-cloudwatch-agent/logs/state
- Metrics collection interval: default 60 seconds, configurable down to 1 second.
- Log stream name: can be auto-generated using {instance_id}, {hostname}, or custom.
- Log group name: configurable per log file.
- Supported platforms: Amazon Linux, Ubuntu, CentOS, Red Hat, Windows Server 2012 R2 and later.
- The agent can also be configured via AWS Systems Manager Parameter Store or AWS Secrets Manager.
Configuration and Verification Commands
Installing the Unified Agent:
wget https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip
unzip AmazonCloudWatchAgent.zip
sudo ./install.shConfiguration Wizard:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizardThis interactive wizard produces a JSON config file.
Starting the Agent:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a start -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.jsonVerification:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a statusCheck CloudWatch Logs for log streams. Check CloudWatch Metrics for custom metrics.
Logs Example Config:
{
"logs": {
"logs_collected": {
"files": {
"collect_list": [
{
"file_path": "/var/log/syslog",
"log_group_name": "system-logs",
"log_stream_name": "{instance_id}",
"timezone": "UTC"
}
]
}
}
}
}Metrics Example Config:
{
"metrics": {
"namespace": "CustomMetrics",
"metrics_collected": {
"cpu": {
"measurement": ["cpu_usage_idle", "cpu_usage_user"],
"metrics_collection_interval": 60
},
"mem": {
"measurement": ["mem_used_percent"],
"metrics_collection_interval": 60
}
}
}
}Interaction with Related Technologies
AWS Systems Manager: The Unified Agent can be installed and configured using SSM Run Command or State Manager associations. The configuration can be stored in Parameter Store.
CloudWatch Logs: Both agents send log events to CloudWatch Logs. Logs can then be used with Logs Insights for querying, or exported to S3, or streamed to AWS Lambda.
CloudWatch Metrics: The Unified Agent emits custom metrics that can be used with CloudWatch Alarms and dashboards.
IAM: Both agents require IAM permissions. The instance profile must have a policy allowing logs:PutLogEvents, logs:CreateLogStream, logs:DescribeLogStreams, and for the Unified Agent, cloudwatch:PutMetricData.
Legacy Agent vs Unified Agent: Key Differences
| Feature | Legacy Agent | Unified Agent | |---------|--------------|---------------| | Log collection | Yes | Yes | | Custom metrics | No | Yes | | Procstat metrics | No | Yes | | Windows support | No | Yes | | Configuration format | Two files (INI+JSON) | Single JSON/TOML | | Configuration wizard | No | Yes | | SSM integration | No | Yes | | High-resolution metrics | No | Yes | | Filtering/transformation | No | Yes (log filters) |
Common Exam Traps
Trap 1: The exam asks: "Which agent should you use to collect memory metrics?" Candidates often answer the legacy agent because they know it collects logs. Wrong. The legacy agent cannot collect metrics. Only the Unified Agent can collect memory metrics.
Trap 2: The exam describes a scenario with Windows servers. Candidates might choose the legacy agent. Wrong. The legacy agent does not support Windows. The Unified Agent does.
Trap 3: The exam asks about the configuration file location. For the Unified Agent, it's /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json. For the legacy agent, it's /etc/awslogs/awscli.conf and /etc/awslogs/config/.
Trap 4: The agent state file. The legacy agent uses /var/lib/awslogs/agent-state. The Unified Agent uses /opt/aws/amazon-cloudwatch-agent/logs/state. Candidates confuse these.
Performance Considerations
The Unified Agent can handle thousands of log files and hundreds of metrics. However, on very small instances (t2.nano), it may consume significant CPU. Use the metrics_collection_interval to reduce frequency.
For high-throughput log streams, increase the batch size. The default is fine for most cases.
The agent uses buffering; if the network is down, it will queue logs locally (up to a configurable limit).
Install the Unified CloudWatch Agent
Download the agent package from the Amazon S3 bucket appropriate for your OS. For Linux, use wget to fetch the zip file, unzip it, and run the install script with sudo. The script places the agent binaries in /opt/aws/amazon-cloudwatch-agent/. For Windows, download the .msi installer and run it. The agent is not installed by default on any AMI; you must explicitly install it. On Amazon Linux 2, you can use yum install amazon-cloudwatch-agent, but the standard method is the S3 download. Verify installation by checking the version: /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl --version.
Run the Configuration Wizard
Execute sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard. This interactive wizard asks questions about which logs and metrics to collect. It produces a JSON configuration file at /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json. The wizard also optionally stores the config in AWS Systems Manager Parameter Store for fleet management. You can skip the wizard and manually write the JSON. The wizard is recommended for beginners because it sets correct defaults for log group names, stream names, and metric measurements.
Configure IAM Permissions
The EC2 instance must have an IAM role with a policy that allows CloudWatch actions. For logs, you need logs:PutLogEvents, logs:CreateLogStream, logs:DescribeLogStreams. For metrics, you need cloudwatch:PutMetricData. If using SSM for config storage, add ssm:GetParameter. Attach the CloudWatchAgentServerPolicy AWS managed policy to the instance role. Without correct permissions, the agent will fail silently. Common mistake: forgetting the logs:DescribeLogStreams permission, which causes the agent to fail to create new log streams.
Start the Agent with the Config File
Use the command: sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a start -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json. The -c flag specifies the configuration source. You can also use -c ssm:parameter-store-name to fetch config from Parameter Store. The agent reads the config, initializes collectors, and begins sending data. Check status with -a status. If the agent fails to start, check the logs at /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log.
Verify Data in CloudWatch
In the AWS Management Console, navigate to CloudWatch Logs and look for the log groups you configured. You should see log streams with the instance identifier. For metrics, go to CloudWatch Metrics and look under the custom namespace (default is CWAgent). You should see metrics like cpu_usage_idle, mem_used_percent, etc. Use CloudWatch Logs Insights to query log events. Allow a few minutes for data to appear. If nothing appears, check the agent log for errors like 'Unable to put log events' or 'Access Denied'. Also verify the system clock is correct (NTP).
Enterprise Scenario 1: Centralized Logging for Compliance
A financial services company must retain application logs for seven years to meet regulatory requirements. They have hundreds of EC2 instances running Linux and Windows. They use the Unified CloudWatch Agent to collect logs from all instances into a central CloudWatch Logs group per application. Logs are then exported to an S3 bucket using an export task (or via Kinesis Firehose) for long-term storage. The Unified Agent is chosen over the legacy agent because it supports Windows servers and can also collect system metrics for operational monitoring. In production, they configure the agent to use a log group per application and a log stream per instance. They set the log retention policy on the log group to 7 years. They also use CloudWatch Logs Insights to search for specific error patterns across all instances.
Enterprise Scenario 2: Custom Metrics for Auto Scaling
A SaaS provider runs a web application on an Auto Scaling group. They need to scale based on memory utilization, but the standard EC2 metrics do not include memory. They deploy the Unified CloudWatch Agent on each EC2 instance to publish memory metrics (mem_used_percent) to CloudWatch. They create a CloudWatch Alarm on the average memory utilization across the Auto Scaling group and use that to trigger scaling policies. The Unified Agent is configured with a metrics collection interval of 60 seconds. They also collect disk and network metrics for troubleshooting. In this scenario, the legacy agent would be insufficient because it cannot publish memory metrics.
Common Misconfigurations and Pitfalls
Missing IAM permissions: The agent cannot send data if the instance role lacks PutMetricData or PutLogEvents. Symptoms: agent logs show 'Access Denied' errors. Solution: Attach CloudWatchAgentServerPolicy.
Incorrect file paths: In the log configuration, if the file_path does not exist or is not readable, the agent will not collect logs. Ensure the agent runs as root or the file has appropriate permissions.
Time zone mismatches: If the log file timestamps are in a different timezone than the agent's configured timezone, the log events may appear with incorrect timestamps. Set the timezone field in the config to match the log source.
State file corruption: If the agent is killed abruptly, the state file may become corrupt, causing duplicate log entries or missed entries. Restart the agent to recreate the state file.
Exactly What SOA-C02 Tests
The SOA-C02 exam objectives under Domain 1 (Monitoring) include Objective 1.1: "Implement and manage monitoring for AWS resources." Specifically, you need to know how to:
Configure the CloudWatch Logs Agent and Unified CloudWatch Agent.
Understand the differences between the two agents.
Troubleshoot common issues like missing permissions or incorrect configuration.
Deploy agents at scale using AWS Systems Manager.
Top Wrong Answers and Why
Wrong answer: "Use the legacy agent to collect memory metrics." Candidates choose this because they know the legacy agent collects logs, and they think it can also collect metrics. Reality: The legacy agent cannot collect metrics. Only the Unified Agent can.
Wrong answer: "The Unified Agent configuration file is at /etc/awslogs/awscli.conf." Candidates confuse the legacy agent file path with the Unified Agent path. Reality: Unified Agent config is at /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json.
Wrong answer: "Both agents support Windows." Candidates assume the legacy agent works on Windows because it's a common OS. Reality: Only the Unified Agent supports Windows.
Wrong answer: "The agent automatically configures itself." Candidates think agents have auto-discovery. Reality: You must explicitly configure log files and metrics via the config file or wizard.
Numbers and Terms to Memorize
Default batch size for legacy agent: 10,000 lines or 1 MB.
Default metrics collection interval for Unified Agent: 60 seconds.
Configuration file location for Unified Agent: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json.
State file location for Unified Agent: /opt/aws/amazon-cloudwatch-agent/logs/state.
Legacy agent state file: /var/lib/awslogs/agent-state.
Managed IAM policy: CloudWatchAgentServerPolicy.
Command to start agent: amazon-cloudwatch-agent-ctl -a start -c file:<path>.
Edge Cases and Exceptions
High-resolution metrics: The Unified Agent can emit metrics with a resolution of 1 second if you set metrics_collection_interval to 1 and specify "resolution": 1 in the config. This incurs higher charges.
Collectd integration: The Unified Agent can collect metrics from collectd, a popular system statistics daemon. You must enable the collectd plugin in the config.
Statsd integration: The agent can also receive statsd metrics from applications. You need to start the statsd server within the agent config.
Multiple config files: The Unified Agent supports only one config file. If you need multiple, you must merge them.
How to Eliminate Wrong Answers
When you see a question about which agent to use, ask yourself:
Does the scenario involve Windows? → Unified Agent only.
Does it require custom metrics (memory, disk, etc.)? → Unified Agent only.
Is it only about log collection on Linux? → Both work, but Unified is recommended.
Is there a mention of Systems Manager? → Unified Agent can use SSM.
Is there a mention of a configuration wizard? → Unified Agent has one.
If you see a question about troubleshooting, check the IAM permissions first. The most common cause of agent failure is missing permissions.
The Unified CloudWatch Agent is the recommended agent for all new deployments; the legacy agent is only for existing log-only setups.
The Unified Agent can collect custom metrics like memory and disk usage; the legacy agent cannot.
Only the Unified Agent supports Windows Server.
The Unified Agent configuration file is located at /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json.
The legacy agent state file is at /var/lib/awslogs/agent-state; the Unified Agent state file is at /opt/aws/amazon-cloudwatch-agent/logs/state.
Both agents require IAM permissions: logs:PutLogEvents, logs:CreateLogStream, logs:DescribeLogStreams; the Unified Agent also needs cloudwatch:PutMetricData.
The Unified Agent can be installed and configured using AWS Systems Manager for fleet management.
The default metrics collection interval for the Unified Agent is 60 seconds, configurable down to 1 second for high-resolution metrics.
These come up on the exam all the time. Here's how to tell them apart.
CloudWatch Logs Agent (Legacy)
Only collects log files, no custom metrics
Linux-only support
Configuration split across two files (awscli.conf and config files)
No built-in configuration wizard
No integration with AWS Systems Manager
Unified CloudWatch Agent
Collects both logs and custom metrics (CPU, memory, disk, network, etc.)
Supports both Linux and Windows Server
Single JSON or TOML configuration file
Includes an interactive configuration wizard
Can be configured and deployed via AWS Systems Manager Parameter Store
Mistake
The CloudWatch Logs Agent can collect memory and disk metrics from EC2 instances.
Correct
The legacy CloudWatch Logs Agent can only collect and forward log files. It cannot collect system metrics. Only the Unified CloudWatch Agent can collect memory, disk, CPU, and other custom metrics.
Mistake
The Unified CloudWatch Agent is only for Linux instances.
Correct
The Unified Agent supports both Linux and Windows Server. The legacy agent is Linux-only.
Mistake
Both agents use the same configuration file location.
Correct
The legacy agent uses /etc/awslogs/awscli.conf and /etc/awslogs/config/. The Unified Agent uses /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json.
Mistake
The Unified Agent automatically discovers all log files on the instance.
Correct
You must explicitly specify which log files to collect in the configuration file. The agent does not auto-discover logs.
Mistake
You can use the legacy agent to send logs to CloudWatch Logs from Windows Server.
Correct
The legacy agent does not support Windows. Only the Unified Agent supports Windows Server.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The CloudWatch Logs Agent (legacy) only collects and forwards log files to CloudWatch Logs. It does not support custom metrics or Windows. The Unified CloudWatch Agent is the newer, recommended agent that collects both logs and system metrics (CPU, memory, disk, network) and supports both Linux and Windows. The Unified Agent also integrates with AWS Systems Manager and has a configuration wizard.
Download the agent from the S3 bucket using wget (Linux) or the .msi installer (Windows). For Linux: wget https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip, unzip, and run sudo ./install.sh. For Windows, download the .msi and run it. Then configure using the wizard or manual JSON, and start the agent with amazon-cloudwatch-agent-ctl.
The instance role must have permissions for logs:PutLogEvents, logs:CreateLogStream, logs:DescribeLogStreams for log collection, and cloudwatch:PutMetricData for custom metrics. The easiest way is to attach the AWS managed policy CloudWatchAgentServerPolicy to the instance role.
No. The legacy CloudWatch Logs Agent only supports Linux. For Windows, you must use the Unified CloudWatch Agent.
First, check the agent log file at /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log for errors. Common issues include missing IAM permissions (Access Denied), incorrect log file paths, or misconfigured time zones. Also verify the agent is running with amazon-cloudwatch-agent-ctl -a status. Ensure the instance has internet access to reach CloudWatch endpoints.
The default is 60 seconds. You can change it in the configuration file by setting the metrics_collection_interval field. To collect high-resolution metrics (1-second intervals), set the interval to 1 and also specify "resolution": 1 in the metric configuration.
Yes. During the configuration wizard, you can choose to store the config in Systems Manager Parameter Store. Then you can start the agent with -c ssm:parameter-name. This allows you to manage configurations centrally for many instances.
You've just covered CloudWatch Logs Agent and Unified Agent — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?