How do I resolve empty log issues in CloudWatch?

3 minute read

I want to resolve empty log issues in Amazon CloudWatch.


To resolve empty log issues in CloudWatch, complete the following steps:

Check the log group metrics

When data is ingested to CloudWatch, CloudWatch Logs generate log group metrics. The log group level metrics IncomingLogEvents and IncomingBytes receive data points when the log group receives data. If there's no data points in the specified time period, then the log group didn't receive data from the source.

Check that the source publishes data

If you use the unified CloudWatch Agent to publish log data to CloudWatch, then check that the CloudWatch agent runs with no errors. Make sure that the correct source log file path is included in the agent configuration. Also, make sure that the source log file has logs to push to CloudWatch. For more information, see How do I resolve my unified CloudWatch agent not pushing log events?

To test the connectivity from the source to the logs endpoint, run the following commands:

Note: Replace example-region with your required AWS Region.

telnet logs.<example-region> 443
nc -zv logs.<example-region> 443

If you have connectivity issues from the preceding commands, then check the following:

  • Check that the security groups and network access control lists (network ACLs) allow connectivity.
  • Check that the source has internet connectivity.
  • If you use Amazon Virtual Private Cloud (Amazon VPC) endpoints, then check the endpoints. Make sure that the endpoints resolve to an Amazon VPC IP address and the endpoint security group allows access from the source IP address.
  • Check that the PutLogEvents constraints are satisfied.

Review the permissions

Check that the source has permissions to publish data to the required log group. The following is a sample policy that you can use with the source AWS Identity and Access Management (IAM) policy:

  "Version": "2012-10-17",
  "Statement": [
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
      "Resource": [

If the log source creates new log groups and log streams when data is pushed to CloudWatch, then check the Action parameter of the policy. Make sure that the logs:CreateLogGroup and logs:CreateLogStream permissions are included.

To prevent AccessDenied errors when you read logs, make sure that the required IAM user or role has the minimum permissions for logs:GetLogEvents. If you use the AWS Management Console to view logs, then make sure you have the logs:DescribeLogGroups, logs:DescribeLogStreams, and logs:GetLogEvents permissions.

Check the log group configuration

For the log group, make sure that the retention period is set appropriately and that you retrieve logs that are present within the retention period. Logs that are deleted after their retention period expires are permanently deleted and can't be recovered.

AWS OFFICIALUpdated a month ago