Review the installation method for the CloudWatch agent
It's a best practice to install the CloudWatch agent at launch using AWS CloudFormation, AWS Systems Manager Agent (SSM Agent), user data scripts, or the AWS CLI. It is also a best practice to create an AMI before installing the CloudWatch agent. AMIs typically capture unique information from the original instance. Metadata becomes out of sync, and this state can lead to the CloudWatch agent not working as intended. Out-of-sync metadata is the reason that many Windows instances require Sysprep when working with AMI. For more information, see How can I use Sysprep to create and install custom reusable Windows AMIs in Amazon EC2?
Confirm that you're using the latest version of the CloudWatch agent
Be sure that the specified Region matches the console Region
Verify that logs are checked in the correct account
Optionally, you can use the common-config.toml file to override system defaults for the CloudWatch agent. These system defaults include the proxy, Region, and credential information for the agent. The file is available in the following locations.
The CloudWatch agent uses credentials from either the IAM user or IAM role policy to push log events to the CloudWatch service. Before a log event can be published, you must create a log group and log stream. If there's no log group or log stream, the CloudWatch agent creates them.
Note: Logs might be specified in a custom logfile location. Check the agent configuration file to identify any custom log locations.
In the agent configuration file, enable verbose debug logging using the debug parameter. If you're using the run_as_user parameter, confirm that the user has permissions to the log location path. Without the necessary permissions, the CloudWatch agent can't write logs to the location.
Resolve timestamp issues
Check for log event timestamps that are older than 14 days or more than two hours in the future. The PutLogEvents command doesn't allow log batches in either time frame.