How can I troubleshoot missing CloudWatch logs for API Gateway REST APIs?
4 minute read
I have activated Amazon CloudWatch logging for Amazon API Gateway, but I couldn't find any logs. How do I get the CloudWatch logs for troubleshooting API Gateway REST APIs?
You can use CloudWatch logging can be used to help debug issues related to request execution or client access to your API. CloudWatch logging includes execution logging and access logging.
For execution logging, API Gateway manages the CloudWatch logs including creating log groups and log streams. For access logging, you can create your own log groups or choose existing log groups.
Not all client-side errors rejected by API Gateway are logged into execution logs. For example, a client making an API request to an incorrect resource path of your REST API returns a 403 "Missing Authentication Token" response. This type of response isn't logged into execution logs. Use CloudWatch access logging to troubleshoot client-side errors.
Verify API Gateway permissions for CloudWatch logging
To activate CloudWatch Logs, you must grant API Gateway permission to read and write logs to CloudWatch for your account. The AmazonAPIGatewayPushToCloudWatchLogs managed policy has the required permissions.
4. In Stages, choose your stage, and then choose the Logs/Tracing tab.
5. In CloudWatch Settings, verify the following: Enable CloudWatch Logs is selected. Log level is set to INFO. Note: If Log level is set to ERROR, only requests for errors in API Gateway are logged. Successful API requests aren't logged. Log full requests/responses data and Enable Detailed CloudWatch Metrics are selected for additional log data. Note: It's a best practice not to enable Log full requests/responses data for production APIs which can result in logging sensitive data.
6. In Custom Access Logging, verify that Enable Access Logging is selected.
Verify logging method and override if necessary
By default, all API resources use the same configurations as their stage. This setting can be overridden to have different configurations for each method if you don't want to inherit from the stage.