Why aren't my Amazon ECS container logs delivered to CloudWatch Logs?


I can't find my Amazon Elastic Container Service (Amazon ECS) task's container logs in Amazon CloudWatch Logs.

Short description

Your Amazon ECS container logs might not be delivered to CloudWatch Logs for one of the following reasons:

  • The awslogs log driver isn't correctly configured in your Amazon ECS task definitions.
  • The AWS Identity and Access Management (IAM) role doesn't have the required permissions.
  • The network isn't correctly configured.
  • The log level for the container isn't correctly configured.

Resolution

The awslogs log driver isn't correctly configured

To send container log output to CloudWatch Logs, you must configure the containers in your tasks correctly. When you define the parameters for a container, be sure that the logConfiguration parameter is set and that its log driver is awslogs. If your Amazon ECS task definition includes multiple containers, then you must configure this parameter for each container; a container without a logConfiguration parameter sends nothing to CloudWatch Logs.

For Amazon Elastic Compute Cloud (Amazon EC2) launch types, complete the following additional tasks:

  • Update your Amazon ECS container instance to version 1.9.0 or later of the container agent. For more information, see Updating the Amazon ECS container agent.
  • For container instances that don't use the Amazon ECS-optimized AMI, specify the awslogs log driver on the container instance. When you use the following environment variable to start the agent, specify the awslogs log driver:
    ECS_AVAILABLE_LOGGING_DRIVERS='["json-file","awslogs"]'

For more information, see Installing the Amazon ECS container agent.
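The check below is an added example, not code from AWS or from this article: it reads an ECS task definition and reports every container whose logConfiguration would keep its output out of CloudWatch Logs (no logConfiguration at all, a driver other than awslogs, or a missing awslogs option). The task definition, container names and image names are constructed samples, and the option names awslogs-group, awslogs-region and awslogs-stream-prefix are the driver options the check looks for.

```python
# Added example, not AWS documentation code: a lint that checks the
# logConfiguration of every container in an ECS task definition, as the
# text above describes (awslogs driver on each container, with the options
# the driver needs). The task definition below is a constructed sample.
import json

REQUIRED_OPTIONS = ("awslogs-group", "awslogs-region")
FARGATE_OPTIONS = ("awslogs-stream-prefix",)  # needed when the task runs on Fargate

# Constructed sample: one container configured correctly, one with no
# logConfiguration at all, one using a different driver.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "sample-web",
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [
    {
      "name": "web",
      "image": "example/web:1.0",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/sample-web",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      }
    },
    {
      "name": "sidecar",
      "image": "example/sidecar:1.0"
    },
    {
      "name": "metrics",
      "image": "example/metrics:1.0",
      "logConfiguration": {"logDriver": "json-file"}
    }
  ]
}
""")


def check_log_configuration(task_definition: dict) -> list[str]:
    """Return one finding per container whose logs would not reach CloudWatch Logs.

    An empty list means every container uses the awslogs driver with the
    options it needs. Findings are strings of the form "<container>: <problem>".
    """
    findings = []
    fargate = "FARGATE" in task_definition.get("requiresCompatibilities", [])
    for container in task_definition.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        log_config = container.get("logConfiguration")
        if not log_config:
            findings.append(f"{name}: no logConfiguration; stdout/stderr are not shipped")
            continue
        driver = log_config.get("logDriver")
        if driver != "awslogs":
            findings.append(f"{name}: logDriver is {driver!r}, not 'awslogs'")
            continue
        options = log_config.get("options", {})
        required = REQUIRED_OPTIONS + (FARGATE_OPTIONS if fargate else ())
        for option in required:
            if not options.get(option):
                findings.append(f"{name}: awslogs option {option!r} is missing")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; a clean task definition prints nothing.
    for finding in check_log_configuration(SAMPLE_TASK_DEFINITION):
        print(finding)
```

To use it on a real task definition, load the JSON you registered (for example the output of describe-task-definition, taking the taskDefinition object) and pass it to check_log_configuration; each finding names the container to fix.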

The IAM role doesn't have the required permissions

Complete the following tasks:

  • For the IAM role of your Amazon ECS container instance, add the logs:CreateLogStream and logs:PutLogEvents permissions.
  • For AWS Fargate launch type, use the Amazon ECS task execution IAM role with logs:CreateLogStream and logs:PutLogEvents permissions. For more information, see Amazon ECS task execution IAM role.
  • For Amazon EC2 launch type, check the following:
    • For tasks that don't use the Amazon ECS task execution IAM role, grant logs:CreateLogStream and logs:PutLogEvents permissions to the container instance IAM role.
    • For tasks that use the Amazon ECS task execution IAM role, set the container agent parameter ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE to true.
    Note: When you use the Amazon ECS-optimized AMI with version 1.16.0-1 or later of the ecs-init package, the default value of this parameter is true. On Windows, the default value of this parameter is false. For more information, see Amazon ECS container agent configuration.
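The following is an added example, not code from AWS or from this article: an offline check that an IAM policy document (the one attached to the container instance role or the task execution role) allows the two actions the awslogs driver needs, logs:CreateLogStream and logs:PutLogEvents. It honours wildcards in the Action element ("logs:*") and lets an explicit Deny win, as IAM does, but it ignores Resource and Condition elements, so a pass here is a necessary check, not a full policy evaluation. Both policy documents in the block are constructed samples.

```python
# Added example, not AWS documentation code: an offline check that an IAM
# policy document grants the two CloudWatch Logs actions the awslogs driver
# needs. Wildcards in Action ("logs:*", "logs:Put*") are honoured and an
# explicit Deny wins, as in IAM. Resource and Condition are not evaluated.
# The policy documents below are constructed samples.
import fnmatch
import json

REQUIRED_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")


def _as_list(value):
    """IAM allows a string or a list for Action/NotAction; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(statement: dict, action: str) -> bool:
    """True if the statement's Action/NotAction covers `action` (case-insensitive)."""
    action = action.lower()
    if "NotAction" in statement:
        return not any(fnmatch.fnmatchcase(action, p.lower())
                       for p in _as_list(statement["NotAction"]))
    return any(fnmatch.fnmatchcase(action, p.lower())
               for p in _as_list(statement.get("Action")))


def policy_allows(policy: dict, action: str) -> bool:
    """Return True if `action` is allowed by at least one Allow and no Deny statement."""
    allowed = False
    for statement in _as_list(policy.get("Statement")):
        if not _statement_matches(statement, action):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_log_actions(policy: dict) -> list[str]:
    """List the required awslogs actions this policy does not allow."""
    return [a for a in REQUIRED_ACTIONS if not policy_allows(policy, a)]


# Constructed: a role policy that only allows creating streams, so log
# streams appear in CloudWatch Logs but stay empty.
INCOMPLETE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "logs:CreateLogStream", "Resource": "*"}
  ]
}
""")

# Constructed: the same policy with both actions the awslogs driver needs.
COMPLETE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"}
  ]
}
""")


if __name__ == "__main__":
    print("incomplete policy is missing:", missing_log_actions(INCOMPLETE_POLICY))
    print("complete policy is missing:", missing_log_actions(COMPLETE_POLICY))
```

The incomplete policy is a common shape of this failure: log streams are created in CloudWatch Logs, but no events ever arrive because logs:PutLogEvents was never granted.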

The network isn't correctly configured

Tasks that use the awslogs log driver in an Amazon Virtual Private Cloud (Amazon VPC) without an internet gateway can't reach the CloudWatch Logs API, so you must create a CloudWatch Logs interface VPC endpoint in that VPC. For more information, see Using CloudWatch Logs with interface VPC endpoints.

The log level for the container isn't correctly configured

The awslogs log driver sends only the container's STDOUT and STDERR I/O streams from Docker to CloudWatch Logs; output written to a file inside the container isn't delivered. Update your application to write its logs to STDOUT and STDERR, and configure the correct log level for your application when you build the container. Depending on your application, you might set the log level through an environment variable or a configuration file.

Related information

Monitoring tools for Amazon ECS

How do I troubleshoot missing container logs for Amazon ECS or Amazon Elastic Kubernetes Service (Amazon EKS)?

AWS OFFICIAL, updated 9 months ago