C<\/span>:<\/span>\\Source<\/span>\\Application<\/span>\\web<\/span>\\logs<\/span>
\n<\/code><\/div>\n<\/div>\nTraffic to the application is variable. At low traffic, two EC2 instances may be sufficient. During peak traffic, the Auto Scaling Group may scale out to twenty or more instances.<\/p>\n
When traffic increases, new EC2 instances are launched and logs are generated normally. However, when traffic drops, Auto Scaling triggers scale-down events and terminates instances. When an instance is terminated, all logs stored locally on that instance are lost.<\/p>\n
This makes post-incident debugging and auditing difficult.<\/p>\n
Solution Overview<\/h2>\n
The goal is to synchronize logs from terminating EC2 instances before they are fully removed.<\/p>\n
This solution uses AWS services to trigger a PowerShell script through AWS Systems Manager at instance termination time. The script archives logs and uploads them to an S3 bucket with identifying information such as IP address and date.<\/p>\n
To achieve this, two prerequisites are required.<\/p>\n
\n- \n
Systems Manager must be able to communicate with EC2 instances<\/p>\n<\/li>\n
- \n
EC2 instances must have permission to write logs to Amazon S3<\/p>\n<\/li>\n<\/ol>\n
Environment Used<\/h2>\n
For this setup, the following AMI was used.<\/p>\n
\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\nMicrosoft<\/span> Windows<\/span> Server<\/span> 2012 <\/span>R2<\/span> Base<\/span>
\nAMI ID:<\/span> ami-0f7af6e605e2d2db5<\/span>
\n<\/code><\/div>\n![](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2019\/01\/cfa3a-blank2bdiagram.jpeg?w=300\")
<\/div>\n<\/div>\nStep 1 Configuring Systems Manager Access on EC2<\/h2>\n
SSM Agent is installed by default on Windows Server 2016 and on Windows Server 2003 to 2012 R2 AMIs published after November 2016.<\/p>\n
For older Windows AMIs, EC2Config must be upgraded and SSM Agent installed alongside it.<\/p>\n
The following PowerShell script upgrades EC2Config, installs SSM Agent, and installs AWS CLI.
Use this script only for instructional and controlled environments.<\/p>\n
PowerShell Script to Install Required Components<\/h3>\n\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\n# Create temporary directory if not present<\/span>
\nif<\/span> (!(Test-Path<\/span> -Path<\/span> C:\\Tmp)) {
\n New-Item<\/span> -ItemType<\/span> Directory -Path<\/span> C:\\Tmp
\n}<\/p>\nSet-Location<\/span> C:\\Tmp<\/p>\n# Download installers<\/span>
\nInvoke-WebRequest<\/span> \"https:\/\/s3.ap-south-1.amazonaws.com\/asg-termination-logs\/Ec2Install.exe\"<\/span> -OutFile<\/span> Ec2Config.exe
\nInvoke-WebRequest<\/span> \"https:\/\/s3.amazonaws.com\/ec2-downloads-windows\/SSMAgent\/latest\/windows_amd64\/AmazonSSMAgentSetup.exe\"<\/span> -OutFile<\/span> ssmagent.exe
\nInvoke-WebRequest<\/span> \"https:\/\/s3.amazonaws.com\/aws-cli\/AWSCLISetup.exe\"<\/span> -OutFile<\/span> awscli.exe<\/p>\n# Install EC2Config<\/span>
\nStart-Process<\/span> C:\\Tmp\\Ec2Config.exe -ArgumentList<\/span> \"\/Ec \/S \/v\/qn\"<\/span> -Wait<\/span>
\nStart-Sleep<\/span> -Seconds<\/span> 20<\/span><\/p>\n# Install AWS CLI<\/span>
\nStart-Process<\/span> C:\\Tmp\\awscli.exe -ArgumentList<\/span> \"\/Ec \/S \/v\/qn\"<\/span> -Wait<\/span>
\nStart-Sleep<\/span> -Seconds<\/span> 20<\/span><\/p>\n# Install SSM Agent<\/span>
\nStart-Process<\/span> C:\\Tmp\\ssmagent.exe -ArgumentList<\/span> \"\/Ec \/S \/v\/qn\"<\/span> -Wait<\/span>
\nStart-Sleep<\/span> -Seconds<\/span> 10<\/span><\/p>\nRestart-Service<\/span> AmazonSSMAgent<\/p>\nRemove-Item<\/span> C:\\Tmp -Recurse<\/span> -Force<\/span>
\n<\/code><\/div>\n<\/div>\nIAM Role for Systems Manager<\/h2>\n
The EC2 instance must have an IAM role that allows it to communicate with Systems Manager.<\/p>\n
Attach the following managed policy to the instance role.<\/p>\n
\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\nAmazonEC2RoleforSSM<\/span>
\n<\/code><\/div>\n<\/div>\nOnce attached, the role should appear under the instance IAM configuration.<\/p>\n
![\"index\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2019\/01\/index.png\")
<\/p>\n
Step 2 Allowing EC2 to Write Logs to S3<\/h2>\n
The EC2 instance also needs permission to upload logs to S3.<\/p>\n
Attach the following policy to the same IAM role.<\/p>\n
\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\nAmazonS3FullAccess<\/span>
\n<\/code><\/div>\n<\/div>\nIn production environments, it is recommended to scope this permission to a specific bucket.<\/p>\n
![\"index\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2019\/01\/index-1.png\")
<\/p>\n
PowerShell Script for Log Archival and Upload<\/h2>\n
Save the following script as shown below.<\/p>\n
\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\nC:\\Scripts\\termination.ps1<\/span>
\n<\/code><\/div>\n<\/div>\nThis script performs the following actions.<\/p>\n
\n- \n
Creates a date-stamped directory<\/p>\n<\/li>\n
- \n
Archives application logs<\/p>\n<\/li>\n
- \n
Uploads the archive to an S3 bucket<\/p>\n<\/li>\n<\/ul>\n
Log Synchronization Script<\/h3>\n\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\n$Date<\/span> = Get-Date<\/span> -Format<\/span> yyyy-MM-dd<\/span>
\n$InstanceName<\/span> = \"TerminationEc2\"<\/span>
\n$LocalIP<\/span> = Invoke-RestMethod<\/span> -Uri<\/span> \"http:\/\/169.254.169.254\/latest\/meta-data\/local-ipv4\"<\/span><\/p>\n$WorkDir<\/span> = \"C:\\Users\\Administrator\\workdir\\$InstanceName<\/span><\/span>-$LocalIP<\/span>-$Date<\/span>\\$Date<\/span>\"<\/p>\nif<\/span> (Test-Path<\/span> $WorkDir<\/span>) {
\n Remove-Item<\/span> $WorkDir<\/span> -Recurse<\/span> -Force<\/span>
\n}<\/p>\nNew-Item<\/span> -ItemType<\/span> Directory -Path<\/span> $WorkDir<\/span><\/p>\n$SourcePathWeb<\/span> = \"C:\\Source\\Application\\web\\logs\"<\/span>
\n$DestFileWeb<\/span> = \"$WorkDir<\/span><\/span>\\logs.zip\"<\/p>\nAdd-Type<\/span> -AssemblyName<\/span> \"System.IO.Compression.FileSystem\"<\/span>
\n[System.IO.Compression.ZipFile<\/span>]::CreateFromDirectory($SourcePathWeb<\/span>, $DestFileWeb<\/span>)<\/p>\n& \"C:\\Program Files\\Amazon\\AWSCLI\\bin\\aws.cmd\"<\/span> s3 cp<\/span> `
\n\"C:\\Users\\Administrator\\workdir\"<\/span> `
\n\"s3:\/\/terminationec2\"<\/span> `
\n--recursive<\/span> `
\n--region<\/span> us-east-1<\/span>
\n<\/code><\/div>\n<\/div>\nOnce executed manually, the script should complete successfully and upload logs to the S3 bucket.<\/p>\n
![\"index\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2019\/01\/index-3.png\")
<\/span><\/p>\n![\"index\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2019\/01\/index-4.png\")
<\/span><\/p>\nRunning the Script Using Systems Manager<\/h2>\n
To automate execution, run this script using Systems Manager Run Command<\/strong>.<\/p>\nSelect the target instance and choose the document.<\/p>\n
\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\nAWS-RunPowerShellScript<\/span>
\n<\/code><\/div>\n<\/div>\nConfigure the following.<\/p>\n
\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\nCommands:<\/span> .\\termination.ps1<\/span>
\nWorking Directory:<\/span> C:\\Scripts<\/span>
\nExecution Timeout:<\/span> 3600<\/span>
\n<\/code><\/div>\n<\/div>\nAuto Scaling Group Preparation<\/h2>\n
Ensure the AMI used by the Auto Scaling Group includes all the above configurations.<\/p>\n
Create an AMI from a configured EC2 instance and update the launch configuration or launch template.<\/p>\n
For this tutorial, the Auto Scaling Group is named.<\/p>\n
\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\ngroup_kaien<\/span>
\n<\/code><\/div>\n<\/div>\nConfiguring CloudWatch Event Rule<\/h2>\n
Create a CloudWatch Event rule to trigger when an instance is terminated.<\/p>\n
Event Pattern<\/h3>\n\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\n{
\n \"source\"<\/span>: [\"aws.autoscaling\"<\/span>],
\n \"detail-type\"<\/span>: [
\n \"EC2 Instance Terminate Successful\"<\/span>,
\n \"EC2 Instance-terminate Lifecycle Action\"<\/span>
\n ],
\n \"detail\"<\/span>: {
\n \"AutoScalingGroupName\"<\/span>: [\"group_kaien\"<\/span>]
\n }
\n}<\/code><\/div>\n<\/div>\n\u00a0<\/div>\n![\"index\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2019\/01\/index-11.png\")
<\/div>\nEvent Target Configuration<\/h2>\n
Set the target as Systems Manager Run Command.<\/p>\n
\n\n\n\u00a0<\/div>\n<\/div>\n<\/div>\nDocument:<\/span> AWS-RunPowerShellScript<\/span>
\nTarget:<\/span> Instance<\/span> ID<\/span>
\nCommand:<\/span> .\\termination.ps1<\/span>
\nWorking Directory:<\/span> C:\\Scripts<\/span>
\n<\/code><\/div>\n<\/div>\nThis ensures that whenever an instance is terminated, the PowerShell script runs and synchronizes logs to S3 before shutdown.<\/p>\n
![\"index\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2019\/01\/index-12.png\")
<\/p>\n
Validation<\/h2>\n
Trigger scale-out and scale-down events by adjusting Auto Scaling policies.<\/p>\n
When instances are terminated, logs should appear in the S3 bucket with correct date and instance identifiers.<\/p>\n
![\"index\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2019\/01\/index-13.png\")
<\/strong><\/p>\nConclusion<\/h2>\n
This setup ensures that application logs are safely preserved even when EC2 instances are terminated by an Auto Scaling Group. Logs are archived with proper timestamps and instance information, making debugging and auditing much easier.<\/p>\n
With this approach, log retention is automated, reliable, and scalable for enterprise AWS environments.<\/p>\n
Stay tuned for more practical infrastructure solutions.<\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction Logs play a critical role in any application or system. They provide deep visibility into what the application is doing, how requests are processed, and what caused an error. Depending on how logging is configured, logs may contain transaction history, timestamps, request details, and even financial information such as debits or credits. In enterprise … Continue reading “Log Parsing of Windows Servers on Instance Termination”<\/span><\/a><\/p>\n","protected":false},"author":171775670,"featured_media":29900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[44070,676319254,768739308,768739298,882627,178495],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/11\/DevSecOps-1.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-3t","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/215"}],"collection":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/171775670"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=215"}],"version-history":[{"count":15,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/215\/revisions"}],"predecessor-version":[{"id":30298,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/215\/revisions\/30298"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29900"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}