Desktop and Application Streaming

Understand end-user access to Amazon WorkSpaces with Amazon CloudWatch

Customers often ask how to gain additional insight into how their users connect to WorkSpaces. They also want to identify environments that do not meet the required supported client version. In a previous post on analyzing access patterns in Amazon WorkSpaces, we highlighted how this can be accomplished using Amazon QuickSight. This can also be accomplished without the need to set up additional services by using CloudWatch dashboards in your WorkSpaces Region.

In this post, I show how to create CloudWatch dashboards for insight into the actions of users. Dashboard examples include:

  • IP addresses connecting into WorkSpaces
  • Platforms connecting into WorkSpaces
  • Windows client versions connecting into WorkSpaces
  • Connections by WorkSpace directory
  • Table of client versions connecting to WorkSpaces
  • Table of WorkSpaces launched
  • Table of WorkSpaces removed
  • Table of WorkSpaces rebuilt
  • Table of WorkSpaces modified

Walkthrough

Time to read: 20 minutes
Time to complete: 30 minutes
Cost to complete: Detailed cost information on CloudWatch can be found at Amazon CloudWatch Pricing – Amazon Web Services (AWS)
Learning level: 300
Services used: Amazon WorkSpaces, CloudWatch, CloudTrail

Prerequisites:

Step 1: Log WorkSpaces events

Set up a rule that stores WorkSpaces access events in a log group, which the dashboards then query.

  1. Open the CloudWatch console
  2. Select the AWS Region your WorkSpaces are hosted in
  3. In the navigation pane, choose Events->Rules. This will redirect to Amazon EventBridge
  4. Choose Create rule.
  5. For Event Source, do the following:
    1. Choose Event Pattern
    2. For Build event pattern to match events by service, set
      1. Service Name: WorkSpaces
      2. Event Type: WorkSpaces Access
  6. For Targets, select Add target, and then choose CloudWatch log group
  7. For the /aws/events value, enter WorkSpacesAccessLogs
  8. Select Configure details.
  9. For Rule definition, enter a name and description.
  10. Select Create rule.

Step 2: Create a dashboard to show IP addresses connecting to WorkSpaces

In this step, you create a dashboard showing the IP addresses of clients connecting into WorkSpaces.

WorkSpace IP Addresses

  1. Open the CloudWatch console
  2. Select Dashboards from the Navigation menu. Select Create dashboard
  3. For the dashboard name, enter WorkSpacesInformation.
  4. For the widget type, select Pie.
  5. Select Logs for the data source.
  6. For Log Groups, select the log group created in Step 1 (WorkSpacesAccessLogs)
  7. Enter the following for the query: stats count() by detail.clientIpAddress | fields @timestamp, @message | filter source = "aws.workspaces" | fields detail.clientIpAddress
  8. Select Create widget
  9. Rename the widget to IP Addresses connecting into WorkSpaces
  10. Select Save

Step 3: Create a widget to show platforms connecting into WorkSpaces

In this step, you create a dashboard showing the end-user platforms that are connecting into WorkSpaces.

Platforms Connecting to WorkSpaces

  1. Open the CloudWatch console for your WorkSpaces Region
  2. Select Dashboards from the Navigation menu, and select WorkSpacesInformation
  3. Select Add widget.
  4. For the widget type, select Pie.
  5. Select Logs for the data source.
  6. For Log Groups, select the group that was created in Step 1 (WorkSpacesAccessLogs)
  7. Enter the following for the query: stats count() by detail.clientPlatform | fields @timestamp, @message | filter source = "aws.workspaces" | fields detail.clientPlatform
  8. Select Create widget
  9. Rename the widget to Platforms Connecting
  10. Select Save

Step 4: Create a widget for Windows Client Versions connecting into WorkSpaces

In this step, you build a dashboard showing the client versions for a specific client platform (for example Windows) that are connecting into WorkSpaces.

Windows Client Versions

  1. Open the CloudWatch console for your WorkSpaces Region
  2. Select Dashboards from the Navigation menu, and select WorkSpacesInformation
  3. Click Add widget.
  4. For the Widget Type select Pie, and select Logs for the data source
  5. For Log Groups, select the group that was created in Step 1 (WorkSpacesAccessLogs)
  6. Enter the following for the query: stats count() by detail.clientVersion | fields @timestamp, @message | filter source = "aws.workspaces" | filter detail.clientPlatform = "Windows" | fields detail.clientVersion
  7. For other platforms, replace the detail.clientPlatform filter. Additional options are:
    • | filter detail.clientPlatform = "OSX"
    • | filter detail.clientPlatform = "iOS"
    • | filter detail.clientPlatform = "Android"
    • | filter detail.clientPlatform = "Linux"
    • | filter detail.clientPlatform = "Web"
  8. Select Create widget
  9. Rename the widget to Client Versions – Windows. Replace Windows with the client platform that you selected in part 7 of this step.
  10. Select Save

Step 5: Create a widget for connections by WorkSpace directory

In this step, you create a dashboard to visualize users connecting by directory.

Connections by Directory

  1. Open the CloudWatch console for your WorkSpaces Region
  2. Select Dashboards from the Navigation menu, and select WorkSpacesInformation
  3. Select Add widget.
  4. For the widget type, select Bar
  5. Select Logs for the data source.
  6. For Log Groups, select the group that was created in Step 1 (WorkSpacesAccessLogs)
  7. Enter the following for the query: stats count() by detail.directoryId | fields @timestamp, @message | filter source = "aws.workspaces" | fields detail.directoryId
  8. Select Create widget
  9. Rename the widget to Connections by Directory Service.
  10. Select Save

Step 6: Create a detailed table of client versions connecting to WorkSpaces

This step gives a log of client versions connected to WorkSpaces.

WorkSpaces Client Versions

  1. Open the CloudWatch console for your WorkSpaces Region
  2. Select Dashboards from the Navigation menu, and select WorkSpacesInformation
  3. Select Add widget.
  4. For the widget type select Logs table, and select Logs for the data source.
  5. For Log Groups, select the group that was created in Step 1 (WorkSpacesAccessLogs)
  6. Enter the following for the query: fields @timestamp, @message | fields account | fields region, detail.clientPlatform, detail.clientVersion, detail.workspaceId | display region, detail.clientPlatform, detail.clientVersion, detail.workspaceId
  7. Select Create widget
  8. Rename the widget to WorkSpaces client version.
  9. Select Save
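
The table above lists client versions but does not say which ones fall below a required minimum. The following added example (not part of the original post) goes one step further and audits WorkSpaces Access events for outdated clients, grouping the versions seen per client IP address. The minimum versions, the sample events and the names make_event, parse_version and audit are assumptions made for illustration.

```python
import json

# Assumed policy for this example: lowest allowed client version per platform.
MIN_VERSION = {"Windows": "5.1.0", "OSX": "5.1.0"}

def make_event(ip, platform, version, workspace_id, source="aws.workspaces"):
    return json.dumps({"source": source, "detail": {
        "clientIpAddress": ip, "clientPlatform": platform,
        "clientVersion": version, "workspaceId": workspace_id}})

# Constructed sample log lines (documentation IP ranges, made-up WorkSpace IDs),
# carrying only the fields that the dashboard queries in this post reference.
SAMPLE_LINES = [
    make_event("192.0.2.10", "Windows", "5.4.0.3573", "ws-example01"),
    make_event("192.0.2.10", "Windows", "4.0.6.1901", "ws-example02"),
    make_event("198.51.100.7", "OSX", "5.1", "ws-example03"),
    make_event("203.0.113.5", "Web", None, "ws-example04"),
    make_event("203.0.113.9", "Windows", "beta", "ws-example05"),
    make_event("192.0.2.99", "Windows", "1.0.0", "i-other", source="aws.ec2"),
]

def parse_version(text):
    """'5.1.0' -> (5, 1): trailing zeros dropped so '5.1' and '5.1.0' compare equal."""
    try:
        parts = [int(part) for part in text.split(".")]
    except (AttributeError, ValueError):
        return None  # missing or non-numeric version string
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit(lines, policy=MIN_VERSION):
    """Return (outdated, unparsed, versions_by_ip) for WorkSpaces Access events."""
    outdated, unparsed, versions_by_ip = [], [], {}
    for line in lines:
        event = json.loads(line)
        if event.get("source") != "aws.workspaces":
            continue  # same source filter the dashboard queries apply
        detail = event.get("detail", {})
        platform, raw = detail.get("clientPlatform"), detail.get("clientVersion")
        versions_by_ip.setdefault(detail.get("clientIpAddress"), set()).add((platform, raw))
        if platform not in policy:
            continue  # no minimum defined for this platform, for example Web
        version = parse_version(raw)
        row = (detail.get("workspaceId"), platform, raw)
        if version is None:
            unparsed.append(row)  # surface for review instead of dropping silently
        elif version < parse_version(policy[platform]):
            outdated.append(row)
    return outdated, unparsed, versions_by_ip
```

Calling audit(SAMPLE_LINES) returns the outdated rows, the rows whose version string could not be parsed, and a mapping of client IP address to the platform and version pairs seen from it.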

Step 7: Create a table of WorkSpaces Launched

This step gives a log of WorkSpaces launched.

WorkSpaces Created

  1. Open the CloudWatch console for your WorkSpaces Region
  2. Select Dashboards from the Navigation menu, and select WorkSpacesInformation
  3. Select Add widget.
  4. For the widget type select Logs table, and select Logs for the data source
  5. For Log Groups, select the log group for CloudTrail in your WorkSpace Region.
  6. Enter the following for the query: fields @timestamp, @message | filter eventName = "CreateWorkspaces" | fields awsRegion, responseElements.pendingRequests.0.userName, responseElements.pendingRequests.0.workspaceId | display awsRegion, responseElements.pendingRequests.0.userName, responseElements.pendingRequests.0.workspaceId
  7. Select Create widget
  8. Rename the widget to WorkSpaces Launched.
  9. Select Save

Step 8: Create a table of WorkSpaces removed

In this step, you create a table with a list of WorkSpaces that have been removed.

WorkSpaces Removed

  1. Open the CloudWatch console for your WorkSpaces Region
  2. Select Dashboards from the Navigation menu, and select WorkSpacesInformation
  3. Select Add widget.
  4. For the widget type select Logs table, and select Logs for the data source
  5. For Log Groups, select the log group for CloudTrail in your WorkSpace Region.
  6. Enter the following for the query: fields @timestamp, @message | filter eventName = "TerminateWorkspaces" | fields awsRegion, requestParameters.terminateWorkspaceRequests.0.workspaceId | display awsRegion, requestParameters.terminateWorkspaceRequests.0.workspaceId
  7. Select Create widget
  8. Rename the widget to WorkSpaces Removed.
  9. Select Save

Step 9: Create a widget showing rebuilt WorkSpaces

In this step, you create a dashboard widget to show summary information on rebuilds of WorkSpaces.

WorkSpaces Rebuilt

  1. Open the CloudWatch console for your WorkSpaces Region
  2. Select Dashboards from the Navigation menu, and select WorkSpacesInformation
  3. Select Add widget.
  4. For the widget type select Logs table, and select Logs for the data source
  5. For Log Groups, select the log group for CloudTrail in your WorkSpace Region.
  6. Enter the following for the query: fields @timestamp, @message | filter eventName = "RebuildWorkspaces" | fields awsRegion, requestParameters.rebuildWorkspaceRequests.0.workspaceId | display awsRegion, requestParameters.rebuildWorkspaceRequests.0.workspaceId
  7. Select Create widget
  8. Rename the widget to WorkSpaces Rebuild.
  9. Select Save

Step 10: Create a widget showing modified WorkSpaces

In this step, you create a dashboard widget to show detailed information on modified WorkSpaces.

WorkSpaces Modified

  1. Open the CloudWatch console for your WorkSpaces Region
  2. Select Dashboards from the Navigation menu, and select WorkSpacesInformation
  3. Select Add widget.
  4. For the widget type select Logs table, and select Logs for the data source
  5. For Log Groups, select the log group for CloudTrail in your WorkSpace Region.
  6. Enter the following for the query: fields @timestamp, @message | filter eventName = "ModifyWorkspaceProperties" | fields awsRegion, requestParameters.workspaceId, requestParameters.workspaceProperties.computeTypeName, requestParameters.workspaceProperties.runningMode, requestParameters.workspaceProperties.userVolumeSizeGib | display awsRegion, requestParameters.workspaceId, requestParameters.workspaceProperties.computeTypeName, requestParameters.workspaceProperties.runningMode, requestParameters.workspaceProperties.userVolumeSizeGib
  7. Select Create widget
  8. Rename the widget to WorkSpaces modified.
  9. Select Save

Conclusion

In this post, you created widgets to provide insight into how WorkSpaces are accessed. The widgets also give insight into changes that are made to the WorkSpaces in a Region. This can be further enhanced to get the client versions connecting from an IP address (location), or to perform automation tasks on rebuilt WorkSpaces. Dashboards can be customized to drill down into additional detail, for example, providing insights on when WorkSpaces are being used, the platform, and the client version.

When creating CloudWatch Logs, by default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group. You can keep the indefinite retention, or choose a retention period between 10 years and one day.

For more information on CloudWatch Logs, review the guide on Amazon CloudWatch Logs. For more information on CloudWatch dashboards, review the guide on using Amazon CloudWatch dashboards.