How do I stream CloudWatch Logs live via AWS CLI?

To stream CloudWatch Logs live via AWS CLI, you need to use the start-live-tail command, not aws logs tail. The Live Tail streaming CLI support was announced in June 2024 and allows you to view, search, and filter log events in real-time.

Here's the basic command structure:

aws logs start-live-tail --log-group-identifiers "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME"

You can also filter by specific log streams:

aws logs start-live-tail --log-group-identifiers "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME" --log-stream-names "stream1" "stream2"

Important notes:

• The Log Group ARN must be in the format shown above (replace REGION, ACCOUNT_ID, and LOG_GROUP_NAME with your values)
• You can provide up to 10 Log Group Identifiers
• If you specify multiple log groups, you cannot use the --log-stream-names option
• You cannot use --log-stream-names and --log-stream-name-prefixes simultaneously

Regarding the "permission denied" error, you need to ensure you have the necessary IAM permissions to perform the Live Tail operation. Make sure your IAM user or role has permissions to access CloudWatch Logs and specifically to use the Live Tail feature.

The Live Tail session can run in interactive mode (default) or print-only mode and can last for up to 3 hours. Note that Live Tail sessions incur charges based on usage time.
Sources
start-live-tail — AWS CLI 2.27.34 Command Reference
Troubleshoot with CloudWatch Logs Live Tail - Amazon CloudWatch Logs
Amazon CloudWatch Logs announces Live Tail streaming CLI support - AWS