How do I determine the cause of my deleted logs in Amazon CloudWatch?

Short description

By default, log data is stored in CloudWatch Logs indefinitely. However, you can configure the amount of time to store log data in a log group. To determine the cause of your deleted CloudWatch logs, you must view your retention policy settings for your log group. Any data older than the current retention setting is deleted.

Resolution

To view your current retention policy settings for a log group, complete the following steps:

1. Sign in to the CloudWatch console.
2. In the navigation pane, choose Log groups, and then select the required log group.
3. In the Actions dropdown list for that log group, select Edit Retention Setting(s).
4. In the pop-up window, the current retention setting configured for the log group appears. Any data older than the current retention setting is deleted. For example, if Expire events after is set to 90 days, then any data older than 90 days is deleted from the log group.

For more information, see Change log data retention in CloudWatch Logs.

To query the PutRetentionPolicy and DeleteRetentionPolicy APIs to view event history in AWS CloudTrail, complete the following steps:

1. Sign in to the CloudTrail console.
2. Select Event History.
3. Under Lookup Attributes, select Event Name from the dropdown list.
4. Enter the Event name. For example, PutRetentionPolicy or DeleteRetentionPolicy.
5. Choose filter by date and time to specify your search settings.

Note: The CloudTrail Event history is limited to the past 90 days of events. For more information, see Limitations of Event history.