Archive for August, 2018

The following procedure enables monitoring of the AWS status RSS feeds at https://status.aws.amazon.com/

I modified this template and added troubleshooting steps for issues I experienced.

All files can be downloaded from here.

Copy the AWS_Service_Health_Dashboard.py script to /usr/lib/zabbix/externalscripts

pip install feedparser
pip install python-dateutil
 
#need to change System time zone to PDT, otherwise error occurs
 
#/usr/lib/python2.7/site-packages/dateutil/parser/_parser.py:1204: UnknownTimezoneWarning: tzname PDT identified but not understood.  Pass `tzinfos` argument in order to correctly return a timezone-aware datetime.  In a future version, this will raise an exception.
#  category=UnknownTimezoneWarning)
#/usr/lib/python2.7/site-packages/dateutil/parser/_parser.py:1204: UnknownTimezoneWarning: tzname PST identified but not understood.  Pass `tzinfos` argument in order to correctly return a timezone-aware datetime.  In a future version, this will raise an exception.
#  category=UnknownTimezoneWarning)
 
#set PDT time zone to avoid above errors

timedatectl set-timezone America/Chicago

chmod +x AWS_Service_Health_Dashboard.py
chown zabbix:zabbix AWS_Service_Health_Dashboard.py

./AWS_Service_Health_Dashboard.py "-i" "3600" "-b" NA '-m' "TRUE"
#Output:
 
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000005"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000004"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000005"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000005"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000004"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000004"}

Create 4 hosts (one for each region): NA, SA, EU and AP

Set the visible name to the same value as the host name and add the host to the TIS Templates group

Attach template to all 4 hosts

If needed, disable items for services you don’t want to monitor
If full errors can’t be seen in the Zabbix dashboard, edit the following file (CentOS 7):

vi /usr/share/zabbix/include/items.inc.php
// apply value mapping
switch ($item['value_type']) {
    case ITEM_VALUE_TYPE_STR:
        $mapping = getMappedValue($value, $item['valuemapid']);
    // break; is not missing here
    case ITEM_VALUE_TYPE_TEXT:
    case ITEM_VALUE_TYPE_LOG:
        if ($trim && mb_strlen($value) > 80) {
            $value = mb_substr($value, 0, 80).'...';

#restart Zabbix service

systemctl restart zabbix-server

If all is OK you should see something like this

11.PNG


Monitoring Azure resources with Zabbix

Posted: August 21, 2018 in Azure

I used this post as starting point.

Creating Azure application

(ID/keys will be used for authentication to Azure)

In the Azure portal, click Azure Active Directory-App registrations-New app registration

In App registrations, select All apps from the drop-down menu and click on the Zabbix application

Write down the application ID (we’ll use it in the scripts)

Click Settings-Keys, set a name and duration, and click Save

Write down the key

Write down the TenantID

Write down the Subscription ID: from the Azure dashboard, click Cost Management + Billing and, under my subscription, write down the subscription ID

Give the application read rights to the resource group

Click on the resource group-Access control (IAM)

Click Add, select the Reader role, set Assign access to Azure AD user, group or application, and select the Zabbix application

Install PowerShell on the Zabbix server (CentOS)

# Register the Microsoft RedHat repository
curl https://packages.microsoft.com/config/rhel/7/prod.repo | sudo tee /etc/yum.repos.d/microsoft.repo
# Install PowerShell
sudo yum install -y powershell

Copy all files in azure.zip to /usr/lib/zabbix/externalscripts, make sure *.sh files are executable

Supported services are SQL, storage account, Virtual Machines and Virtual Network gateway

All available services and metric: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-supported-metrics

Time periods (monitoring intervals) are called timegrains

time_grains = {
"PT1M" => "1 Minute",
"PT5M" => "5 Minutes",
"PT1H" => "1 Hour",
"PT12H" => "12 Hours"
}

In trapper.ps1 and azure.ps1, substitute the TenantID, application ID and application key in the appropriate sections.

Files can be downloaded from here

Testing

For VM:

./azure.sh resource group subscription vm

For SQL:

./azure.sh resource group subscription sql

For network gateway:

./azure.sh resource group subscription vng

For Storage account:

./azure.sh resource group subscription storage

[root@ip-172-31-27-77 externalscripts]# ./azure.sh RG  subscriptionD storage
{"data":[
{
"{#ID}": "/subscriptions/111-222-333/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/storageaccount",
"{#STORAGEACCOUNT}": "storageaccount"
},
{
"{#ID}": "/subscriptions/111-222-333/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/storageaccount",
"{#STORAGEACCOUNT}": "storageaccount"
},
{
"{#ID}": "/subscriptions/111-222-333/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/storageaccount",
"{#STORAGEACCOUNT}": "storageaccount"
}
]
}

give ownership of azure.json to zabbix user:

chown zabbix:zabbix azure.json

Create a dummy host and attach the template; specify the resource group and subscription ID

Test zabbix trapper:

./trapper.sh zabbix-dummy-host

If there are no issues, create a cron job for the trapper (for example, to run it every 15 minutes):

*/15 * * * * /usr/lib/zabbix/externalscripts/trapper.sh dummy-host

Define Bandwidth to which traffic should be limited

Policy & Objects-Create New

Define max bandwidth

Create Shaping policy

Policy & Objects-Traffic shaping policy

Source:LAN

Destination:all

In this example I limited bandwidth only for the YouTube app, so under Application I selected YouTube. Because I didn’t enable Application control in the outgoing IPv4 policy, I got a warning

Outgoing interface:WAN interface

Shared Shaper:specify Traffic Shaper

Reverse Shaper: specify Traffic Shaper

Shared Shapers affect upload speeds and reverse shapers affect download speeds


Creating Outgoing IPv4 policy

Enable Application control (edit policy)

Select Social Media-Allow

If you try opening YouTube it will hang on “Loading”

Facebook, for example, opens without errors

We can see Shaping policy applied:

FortiView-Traffic Shaping

Hair-pinning (NAT loopback) is the technique where a machine accesses another machine on the LAN via an external network.

Traffic goes through the LAN interface to the Internet, then comes back to the same interface, connecting to its external IP. The Fortigate then forwards the traffic through a virtual IP to the local destination.

In this example, a Windows machine on the LAN hosts a web server. From LAN machines, it can only be accessed by its internal IP. Trying to access the web server by its public IP from machines on the local network will fail.

Create Virtual IP which will map Public IP to local IP of Web Server

Policy & Objects-Create new-Virtual IP

External IP range:Public IP

Mapped address range:Web Server local IP

Enable port forwarding

External Service port:Port from which traffic will be mapped

Map to port:Port to which traffic will be mapped

In this case traffic from Public IP on port 80 will be forwarded to same port on internal address


 

Creating IPv4 policy

Incoming and outgoing Interface:LAN interface

Source:all

Destination:Virtual IP created in previous step

NAT disabled

Now, from machines on the LAN, the web site should be accessible using the Public IP

After Fortigate is installed in AWS, by default, EC2 instances behind Fortigate cannot get to the internet. We need to set a default route on the Fortigate firewall.

Locating AWS VPC default gateway

An Amazon VPC has a default gateway which usually has 1 as the last octet. To locate it, click Network-Interfaces, click on the WAN interface, then Edit

Now create static route

Network-Static route-Create New

Specify 0.0.0.0/0.0.0.0 as destination

Gateway: IP defined in previous step

Interface:Fortigate internet-facing interface

Administrative distance: it’s the route metric; in my case, the highest value I could set was 4

 

Creating outgoing Policy 

Now we need to create outgoing policy from LAN network to the Internet

First, create an Address object defining the LAN network:

Policy & Objects-Addresses-New-Create New Address

Type:Subnet

Interface:Any

Now create the outgoing policy in Fortigate

Incoming Interface: LAN interface

Outgoing interface:WAN

Source:LAN subnet

Destination:all

Service:All

Enable NAT in Firewall/Network options

Now, you should be able to browse internet from EC2 instance behind Fortigate firewall

In this example, a Site to Site VPN between 2 Fortigate firewalls will be created. I simulated 2 different locations using different AWS regions

Ireland Fortigate Setup

VPN-IPsec Tunnels-Create New

Click Custom

For the remote gateway, specify the Frankfurt Fortigate FW public IP, the public facing interface, the method (pre-shared key), Phase 1 encryption, DH groups, and the local and remote networks

Phase 2 authentication

Now create 2 IPv4 Policies:

1. To allow outgoing traffic from the local network (192.168.10.0/24) to the remote network (172.31.110.0/24) specified in the VPN settings

2. To allow incoming traffic from the remote network (172.31.110.0/24) to the local network (192.168.10.0/24)

I created 2 Address objects: LAN (for local network) and Remote (for remote network)

Policy & Objects-Addresses-New Address

Type:subnet

Interface:Any

Creating Incoming IPv4 Policy (from remote to local)

Incoming interface:VPN interface

Outgoing interface:LAN interface

Source:Remote network

Destination:Local network

Disable NAT

Outgoing IPv4 Policy (from local to remote network)

Incoming interface:LAN interface

Outgoing interface:VPN interface

Source:LAN network

Destination:Remote network

Disable NAT

 

Creating static route

Now we need to create route to remote network (172.31.110.0/24) through VPN interface

Network-Static routes-Destination

Subnet-specify subnet

Interface:VPN interface


 

Creating VPN connection from Frankfurt Fortigate

 

Now we need to create exactly the same configuration on the other side (Frankfurt firewall). The only differences are the remote peer IP and the local and remote networks.

-create VPN tunnel

-create incoming IP policy

-create outgoing IP policy

-create static route

Creating VPN tunnel

Local network:172.31.110.0/24

Remote network:192.168.10.0/24

Incoming policy

and static route to 192.168.10.0/24 through VPN interface

Now the VPN connection should be operational

 

 

This is a combination of https://github.com/wawastein/zabbix-cloudwatch and https://github.com/omni-lchen/zabbix-cloudwatch with some modifications from my side (added LLD for Lambda, EBS and Application Load Balancer).

An IAM user has been created with the following 2 IAM policies:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sns:ListSubscriptionsByTopic",
"lambda:ListFunctions",
"sns:GetTopicAttributes",
"lambda:ListVersionsByFunction",
"lambda:ListAliases",
"sns:ListTopics",
"sns:GetPlatformApplicationAttributes",
"sns:ListSubscriptions",
"sns:GetSubscriptionAttributes",
"sns:CheckIfPhoneNumberIsOptedOut",
"sns:ListEndpointsByPlatformApplication",
"sns:ListPhoneNumbersOptedOut",
"sns:GetEndpointAttributes",
"lambda:ListEventSourceMappings",
"sns:ListPlatformApplications",
"sns:GetSMSAttributes"
],
"Resource": "*"
}
]
}

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"elasticmapreduce:ListBootstrapActions",
"logs:DescribeSubscriptionFilters",
"logs:DescribeMetricFilters",
"ec2:DescribeSnapshots",
"ec2:DescribeHostReservationOfferings",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListInstances",
"ec2:DescribeVolumeStatus",
"elasticmapreduce:ListSecurityConfigurations",
"ec2:DescribeScheduledInstanceAvailability",
"ec2:DescribeVolumes",
"rds:DownloadDBLogFilePortion",
"ec2:DescribeFpgaImageAttribute",
"ec2:DescribeExportTasks",
"logs:FilterLogEvents",
"ec2:DescribeKeyPairs",
"s3:GetIpConfiguration",
"logs:DescribeDestinations",
"ec2:DescribeReservedInstancesListings",
"elasticmapreduce:DescribeSecurityConfiguration",
"events:DescribeRule",
"s3:GetBucketWebsite",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeSnapshotAttribute",
"elasticmapreduce:ListSteps",
"ec2:DescribeIdFormat",
"s3:GetBucketNotification",
"cloudwatch:GetMetricStatistics",
"s3:GetReplicationConfiguration",
"ec2:DescribeVolumeAttribute",
"events:TestEventPattern",
"ec2:DescribeImportSnapshotTasks",
"rds:DescribeReservedDBInstances",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:GetPasswordData",
"ec2:DescribeScheduledInstances",
"ec2:DescribeImageAttribute",
"cloudwatch:DescribeAlarms",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeSubnets",
"logs:ListTagsLogGroup",
"ec2:DescribeMovingAddresses",
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"ec2:DescribeRegions",
"ec2:DescribeFlowLogs",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeVpcAttribute",
"cloudwatch:ListMetrics",
"rds:DescribeReservedDBInstancesOfferings",
"elasticmapreduce:DescribeStep",
"cloudwatch:DescribeAlarmHistory",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaceAttribute",
"rds:DescribeDBInstances",
"rds:DescribeEngineDefaultClusterParameters",
"ec2:DescribeVpcEndpointConnections",
"rds:DescribeEventCategories",
"ec2:DescribeInstanceStatus",
"rds:DescribeEvents",
"s3:ListBucketMultipartUploads",
"ec2:DescribeHostReservations",
"ec2:DescribeBundleTasks",
"logs:TestMetricFilter",
"ec2:DescribeIdentityIdFormat",
"ec2:DescribeClassicLinkInstances",
"s3:GetBucketVersioning",
"ec2:DescribeVpcEndpointConnectionNotifications",
"ec2:DescribeSecurityGroups",
"rds:DescribeDBSnapshotAttributes",
"ec2:DescribeFpgaImages",
"s3:ListAllMyBuckets",
"rds:ListTagsForResource",
"ec2:DescribeVpcs",
"s3:GetBucketCORS",
"s3:GetObjectVersion",
"ec2:DescribeStaleSecurityGroups",
"s3:GetObjectVersionTagging",
"ec2:DescribeVolumesModifications",
"ec2:GetHostReservationPurchasePreview",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"rds:DescribeEngineDefaultParameters",
"ec2:DescribePlacementGroups",
"ec2:GetConsoleScreenshot",
"ec2:DescribeInternetGateways",
"s3:GetObjectAcl",
"elasticloadbalancing:DescribeLoadBalancers",
"ec2:GetLaunchTemplateData",
"events:ListRuleNamesByTarget",
"cloudwatch:DescribeAlarmsForMetric",
"ec2:DescribeSpotDatafeedSubscription",
"cloudwatch:ListDashboards",
"s3:GetObjectVersionAcl",
"logs:GetLogEvents",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"ec2:DescribeAccountAttributes",
"events:ListRules",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeReservedInstances",
"elasticloadbalancing:DescribeInstanceHealth",
"ec2:DescribeNetworkAcls",
"ec2:DescribeRouteTables",
"events:ListTargetsByRule",
"ec2:DescribeEgressOnlyInternetGateways",
"cloudwatch:GetDashboard",
"ec2:DescribeLaunchTemplates",
"rds:DescribeDBSnapshots",
"elasticmapreduce:ViewEventsFromAllClustersInConsole",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeVpcEndpointServiceConfigurations",
"rds:DescribeDBSecurityGroups",
"ec2:DescribePrefixLists",
"ec2:GetReservedInstancesExchangeQuote",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeVpcClassicLink",
"s3:ListMultipartUploadParts",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"events:DescribeEventBus",
"s3:GetObject",
"logs:DescribeExportTasks",
"rds:DescribeOrderableDBInstanceOptions",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeElasticGpus",
"rds:DescribeCertificates",
"ec2:DescribeVpnGateways",
"rds:DescribeOptionGroups",
"s3:ListBucketByTags",
"ec2:DescribeAddresses",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBSubnetGroups",
"cloudwatch:GetMetricData",
"logs:DescribeLogStreams",
"ec2:DescribeInstanceAttribute",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"ec2:DescribeDhcpOptions",
"s3:GetAccelerateConfiguration",
"rds:DescribePendingMaintenanceActions",
"rds:DescribeDBParameterGroups",
"elasticmapreduce:DescribeCluster",
"s3:GetBucketPolicy",
"ec2:GetConsoleOutput",
"ec2:DescribeSpotPriceHistory",
"s3:GetObjectVersionTorrent",
"s3:GetEncryptionConfiguration",
"ec2:DescribeNetworkInterfaces",
"s3:GetBucketRequestPayment",
"s3:GetObjectTagging",
"elasticmapreduce:ListClusters",
"s3:GetMetricsConfiguration",
"rds:DescribeDBParameters",
"logs:DescribeResourcePolicies",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBClusterParameters",
"rds:DescribeEventSubscriptions",
"logs:DescribeLogGroups",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeTags",
"elasticloadbalancing:DescribeTags",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeImportImageTasks",
"rds:DescribeDBLogFiles",
"ec2:DescribeNatGateways",
"s3:GetBucketAcl",
"ec2:DescribeCustomerGateways",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"s3:GetObjectTorrent",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSecurityGroupReferences",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeOptionGroupOptions",
"rds:DownloadCompleteDBLogFile",
"s3:GetBucketLocation",
"ec2:DescribeConversionTasks",
"rds:DescribeDBClusters",
"rds:DescribeAccountAttributes",
"elasticmapreduce:DescribeJobFlows",
"rds:DescribeDBClusterParameterGroups"
],
"Resource": "*"
}
]
}
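
Added example, not part of the original post or of either zabbix-cloudwatch project: a least-privilege review for policies like the two above. It flags Allow statements on "Resource": "*" whose actions return resource contents or credentials rather than metadata or metrics; the SENSITIVE list is this example's own assumption, and the sample is a constructed excerpt of the second policy.

```python
import fnmatch
import json

# Assumed classification, added for this example: actions that return
# resource contents or credentials rather than metadata or metrics.
SENSITIVE = {
    "s3:GetObject": "reads object contents",
    "s3:GetObjectVersion": "reads object contents",
    "rds:Download*": "downloads database log files",
    "logs:GetLogEvents": "reads log contents",
    "logs:FilterLogEvents": "reads log contents",
    "ec2:GetPasswordData": "returns encrypted Windows password data",
    "ec2:GetConsoleOutput": "returns instance console output",
    "ec2:GetConsoleScreenshot": "returns an instance console screenshot",
}


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _overlaps(granted, sensitive):
    """True if a granted action (wildcards allowed) covers a sensitive one."""
    g, s = granted.lower(), sensitive.lower()
    # "s3:*" covers "s3:GetObject"; "rds:DownloadDBLogFilePortion" is
    # covered by the "rds:Download*" entry above.
    return fnmatch.fnmatchcase(s.rstrip("*"), g) or fnmatch.fnmatchcase(g, s)


def audit_policy(policy):
    """Return (sid, action, reason) for sensitive Allows on Resource "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # limited to named resources, out of scope here
        for action in _as_list(stmt.get("Action")):
            for pattern, reason in SENSITIVE.items():
                if _overlaps(action, pattern):
                    findings.append((stmt.get("Sid", ""), action, reason))
                    break
    return findings


# Constructed sample: a short excerpt of the second policy shown above.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["cloudwatch:GetMetricStatistics", "ec2:DescribeVolumes",
               "ec2:GetPasswordData", "logs:GetLogEvents",
               "rds:DownloadCompleteDBLogFile", "s3:ListAllMyBuckets",
               "s3:GetObject", "s3:GetObjectAcl"]
  }]
}""")

if __name__ == "__main__":
    for sid, action, reason in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {action} on Resource * ({reason})")
```

Run against the full policy JSON, each finding is a candidate to drop or to scope to specific ARNs before the access key is placed in aws.conf and awscred.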

Prerequisites:

yum install epel-release
yum install python-pip
yum install jq
pip install boto
pip install boto3

Unzip the cloudwatch zip file and copy its content:

aws.discovery, awsLLD.sh and cloudwatch.metric to /usr/lib/zabbix/externalscripts, make sure files are executable (chmod +x)

Unzip scripts.zip content (it’s a folder named scripts) and copy that folder to /usr/lib/zabbix (as in the picture below; enter IAM user credentials in the aws.conf file)

1.PNG

Copy content of cloudwatch_aws.zip (cloudwatch folder) to /opt/zabbix (create that folder if it doesn’t exist)

Inside this folder there is a file awscred, enter IAM user credentials (I was lazy to point credentials to same file 🙂 )

Make sure following files are set as executable

2.PNG

3.PNG

Test if it works:

/usr/lib/zabbix/scripts/aws_discovery.py --account default --region eu-west-1 --service s3
/usr/lib/zabbix/scripts/aws_discovery.py --account default --region eu-west-1 --service rds
[root@ip-172-31-27-77 scripts]# ./aws_discovery.py --account default --region eu-west-1 --service s3
{"data": [{"{#BUCKET_NAME}": "bucket1"}, {"{#BUCKET_NAME}": "bucket2"}]}

[root@ip-172-31-27-77 scripts]# /usr/lib/zabbix/scripts/aws_discovery.py --account default --region eu-west-1 --service rds
{"data": [{"{#RDS_ID}": "mydb", "{#STORAGE}": 111111}, {"{#RDS_ID}": "mytestore", "{#STORAGE}": 11111},]}

/opt/zabbix/cloudwatch/zabbix-cloudwatch/awsLLD.py -a 'default' -r 'eu-west-1' -q 'ApplicationELB' -c ''
/opt/zabbix/cloudwatch/zabbix-cloudwatch/awsLLD.py -a 'default' -r 'eu-west-1' -q 'EBS' -c ''
/opt/zabbix/cloudwatch/zabbix-cloudwatch/awsLLD.py -a 'default' -r 'eu-west-1' -q 'SNSTopics' -c ''
/opt/zabbix/cloudwatch/zabbix-cloudwatch/awsLLD.py -a 'default' -r 'eu-west-1' -q 'LambdaFunction' -c ''

./awsLLD.py -a 'default' -r 'eu-west-1' -q 'LambdaFunction' -c ''
{
"data": [
{
"{#AWS_REGION}": "eu-west-1",
"{#AWS_ACCOUNT}": "default",
"{#FUNCTION_INAME}": "myfunction",
"{#FUNCTION_NAME}": "myfunction"
}]
}

If something is wrong, probably some prerequisites are not installed properly or files/folder copied to wrong path or some scripts have no +x flag

Creating Zabbix hosts

Create Zabbix hosts for every AWS region where services reside

Attaching Zabbix templates

https://1drv.ms/u/s!AizscpxS0QM4hJ0d_JvivLGeu8nWxg

Create full clone of template for every region and attach it to hosts.

Every template has macros with the AWS Zone; change it if needed

Create cron jobs for every resource you want to monitor for Application Load Balancer, EBS, SNS and Lambda

# Lambda monitoring

#--Ireland

*/15 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/cron.Lambda.sh "mylambda" "Ireland" "localhost" "default" "eu-west-1" &>/dev/null

# SNS monitoring

#----London

*/10 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/cron.SNS.sh " aws-config" "London" "localhost" "default" "eu-west-2" &>/dev/null

#Application Load Balancer-----------------------------------------------------------------

*/10 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/cron.ApplicationELB.sh "app/loadbalancer/" "Ireland" "localhost" "default" "eu-west-1"

#EBS monitoring----------------------------------------------------------------------
*/12 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/cron.EBS.sh "vol-11111111" "aws_north_virginia" "localhost" "default" "us-east-1" &>/dev/null

#Ireland

*/10 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/cron.EBS.sh "vol-059d78926c41b79c4" "Ireland" "localhost" "default" "eu-west-1" &>/dev/null

Make sure all files in /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d are executable

 
