Questions tagged with Amazon CloudWatch Logs

Hi there. We have an IAM user called mlops1. We would like mlops1 to be able to use the AWS console to view logs in CloudWatch, but only a certain log group. This is what the allowed actions look like in our IAM policy (note that the Account ID has been redacted): { "Effect": "Allow", "Action": [ "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:Describe*", "logs:TestMetricFilter", "logs:FilterLogEvents" ], "Resource": "arn:aws:logs:us-east-1:<account_id>:log-group:/aws/sagemaker/TrainingJobs:log-stream:*" } As you can see, we would like mlops1 to be able to access only the "/aws/sagemaker/TrainingJobs" log group. However, the user receives the following error message (again, Account ID has been redacted): Error: User: arn:aws:iam::<account_id>:user/mlops1 is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:us-east-1:<account_id>:log-group::log-stream: because no identity-based policy allows the logs:DescribeLogGroups action This error message is not true since the policy contains "logs:Describe*". We found that when we open up to all resources (i.e. *), then mlops1 can access the desired logs in CloudWatch. However, this user can also access any other logs, which is not what we want. How can we limit the user's access to just the "/aws/sagemaker/TrainingJobs" log group? Is there some additional syntax required? Thank you in advance for your help!

Hello, i have recently used `console.dir` in our nodejs lambda. I was quite surprised to see that output in CW is different than those of `console.log`. When i run the same test in nodejs REPL the result is the same. Lambda test code ``` const data = {traceId:'de719dc830dd30b74983f14e861ebxxx',parentId:'ae0efdedc04c4xxx',name:'getAllBusinessObjectEventsSpan',id:'85263fd6abb5bxxx',kind:0,timestamp:655413722127740,duration: 4140227,attributes: {},status: { code: 0 },events:[],links: []}; console.log(data); console.dir(data, { depth: 3}); ``` Result in CW: * `console.log` - there is prefix with timestamp, correlation id and log level (2022-06-29T06:46:05.747Z 9e516xxx-axxx-4xxx-8xxx-xxxxxxxxxxxx INFO) and whole json is written as a single log record (this is expected) * `console.dir` - no prefix is present and each property in json is printed in its own log record (even opening and closing parenthesis) I thought behaviour should be identical as nodejs REPL yields same results and. Is logging by console.dir not supported in lambdas? Thanks a lot for any ideas

Hi, I use CloudWatch to monitor the stats of a simple EC2 instance and an RDS instance. About two hours ago I have a whole in the graph for the RDS instance. There is no CPUCreditBalance no CPUUtilization and no CPUCreditUsage for 14 minutes. During this time the service was working and I've had no down time. After that time I have stats for CPUUtilization but CPUCreditBalance and CPUCreditUsage are still missing from the graph.

Hello, Is there any way to forward AWS CCP Streams logs to cloudwatch. Currently we can only get logs from client's machine. They have to download and send them to us. We want to forward logs from client side to cloudwatch so we dont need client downloaded logs. Thank you.

Hello, We are using CloudWatch Log Insights. Currently we considered an issue, that CloudWatch log insights never found the logs from the first lambda invocation. I was able to reproduce it in several lambda functions and on two different AWS accounts. Can someone try to reproduce the issue? Just create a lambda function from scratch. (NodeJS). The lambda function handler only needs one logging statement "console.log(event)". The Log Insights Query can be the default one: `fields @timestamp, @message | sort @timestamp desc | limit 20` The first invocation will not be found. (of course i checked the time period which was selected in CloudWatch log insights). if I trigger the lambda function again, the logs from the second invocation will be found. Can someone check if you can reproduce this issue? Kind Regards Stefan

Hello all - First post here and fairly new to AWS (been a developer for 20+ yrs). I recently deployed a simple .NET app in EBS. I even managed to use CodePipeline for CICD deployments. Works nice. My "next step" which is mostly experimental for learning, is to enable some basic traffic monitoring. 200x, 400x, 500x requests and so on. I went into CloudWatch and experimented with some dashboards but despite my best tinkering, I'm not getting any metrics. FWIW - I have in fact enabled Advanced Health Reporting on the EBS Environment for the app. Thanks in advance!

Is it possible to deterministically generate a URL for CloudWatch Log Insights given the log group, start time, and query (text area that allows fields, sorts, filters, etc...)? The URL is extremely long and does not have standard URL encoding from what I can tell. There are plenty of suggestions in the below Stack Overflow post about the topic but I was curious if there was a more official guide to doing this? https://stackoverflow.com/questions/60796991/is-there-a-way-to-generate-the-aws-console-urls-for-cloudwatch-log-group-filters

I have 9 ecs service running at my end and we are getting logs for 8 services in cloudwatch ....the 1 service which is causing the issue have same log driver configuration likewise all i.e. awslogs but still it's not getting the logs. Sometime back I was getting logs in perfect way but now the logs aren't updating (We get the container starting logs but when container gets started afterwards the logs aren't updating). I have checked the below methods to sort out this issue but still stuck with it. Possible Reasons: Amazon ECS container logs aren't delivered to CloudWatch Logs due to one or more of the following reasons:  The awslogs log driver is not configured correctly in your Amazon ECS task definitions.  The AWS Identity and Access Management (IAM) role doesn't have the required permissions.  There are issues with your networking configuration.  The log level for the container is not configured correctly. All these things I have checked thoroughly. All other microservices have same configuration and they are working perfectly fine. Do let me know for any possible solutions. Using ECS Cluster with EC2-type and also the log configuration shows the awslogs in the task definitions as well. Regards, Gaurav Singh

How can I exclude "select" queries from auditing in an Aurora Mysql cluster? I want Cloudwatch to not save these queries to the log pool.

I got a error "Resource handler returned message: "Invalid Logging Configuration: The CloudWatch Logs Resource Policy size was exceeded. We suggest prefixing your CloudWatch log group name with /aws/vendedlogs/states/. (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidLoggingConfiguration; Request ID: XXX; Proxy: null)" (RequestToken: YYY, HandlerErrorCode: InvalidRequest)" Which was solved with suggested prefixing. I found some informations about vended logs here: https://aws.amazon.com/cloudwatch/pricing/ It looks like only difference between vended logs and classic cloudwatch logs is price, and exception in violating Resource Policy size limit. Is there any other difference? To my understanding all what I need to do is to use prefix vendedlogs, in log group name of e.g. stepfunction (/aws/stepfunction/ -> /aws/vendedlogs/stepfunction/) Are my assumptions correct? Thanks

Hello, I'm trying to create log streams for slow logs and engine logs for elastic cache redis. Redis returns this error : "Failed to grant access to log group <logGroup>. Check the length of the resource policy document". I have tried to add a resource policy in order to enable cloudwatch logs access but it doesn't work. Do you have any Idea ? Thanks a lot for your support

How can I check the amount of logs generated by the Lambda function? I need to find the functions that are generating logs more than or equal to 500 MB.

I followed the documentation for setting up CloudWatch logging on a linux fleet and used an existing script from the docs, and even sshd in and tested it all out and it works when manually inputting each command. But no matter what I do it fails to find the install.sh and fails to initialize the fleet so I can't even debug it anymore. I'm using a ue4 linux server build if that matters. A little surprised the only other reference I've found is 5 years old where the problem never seemed to be resolved.

Hi everyone, Help is very appreciated! I'm managing a code pipeline with CDK and when I deploy it to a custom VPC with an internet gateway (public subnet) I fail to see any logs in CodeBuild. Here is my CDK Code: ``` const pipeline = new CodePipeline(this, id, { pipelineName: `Hubs-CDK-Pipeline-${id}`, selfMutation: false, synth: new ShellStep('Synth', { input: CodePipelineSource.gitHub( 'stafflink-pty-ltd/sauron', id === Environment.STAGING ? 'aws' : 'main', { authentication: SecretValue.secretsManager('manavs-github-token', { jsonField: 'token' }) } ), primaryOutputDirectory: 'cdk/cdk.out', commands: [ `node -v`, `sudo npm i -g n --force`, `n lts`, `n prune`, `node -v`, `npm i -g yarn`, `yarn`, `yarn rw setup deploy serverless`, `rm -f .env`, `sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64`, `sudo chmod a+x /usr/local/bin/yq`, `yq eval-all -i '.provider.vpc.securityGroupIds |= ["${lambdaSG.securityGroupId}"]' api/replace.yml`, `yq eval-all -i '.provider.vpc.subnetIds |= ["${vpc.isolatedSubnets[0].subnetId}", "${vpc.isolatedSubnets[1].subnetId}","${vpc.isolatedSubnets[2].subnetId}"]' api/replace.yml`, `yq eval-all -i '.provider.iam.role.statements |= [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": ["${bucket.bucketArn}"]}]' api/replace.yml`, `yq eval-all -i '. as $item ireduce ({}; . * $item)' api/serverless.yml api/replace.yml`, `yq eval-all -i '. as $item ireduce ({}; . * $item)' web/serverless.yml web/replace.yml`, `cat api/serverless.yml`, `npm run ci:build`, `npm run ci:migrate`, `yarn rw deploy aws`, `cd cdk`, `npm i`, `npm i -g aws-cdk`, `cdk synth`, `cd ..` ] }), codeBuildDefaults: { vpc, subnetSelection: { subnetType: SubnetType.PUBLIC }, securityGroups: [codePipeSG], rolePolicy: [ new iam.PolicyStatement({ effect: Effect.ALLOW || undefined, actions: [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ], resources: ['*'] }), new iam.PolicyStatement({ effect: Effect.ALLOW || undefined, actions: [ 's3:Abort*', 's3:DeleteObject*', 's3:GetBucket*', 's3:GetObject*', 's3:List*', 's3:PutObject', 's3:PutObjectLegalHold', 's3:PutObjectRetention', 's3:PutObjectTagging', 's3:PutObjectVersionTagging' ], resources: ['*'] }) ], buildEnvironment: { computeType: ComputeType.LARGE, buildImage: LinuxBuildImage.STANDARD_5_0, ``` Here is my security group: ``` const codePipeSG = new SecurityGroup(this, 'code-pipeline-security-group', { vpc, allowAllOutbound: true, securityGroupName: `hubs-codepipe-${id}` }) ``` Here is my VPC: ``` const vpc = new Vpc(this, 'VPC', { cidr: id === Environment.PROD ? '10.1.0.0/16' : '10.0.0.0/16', natGateways: 0, maxAzs: 3, subnetConfiguration: [ { name: `public-${id}-1`, subnetType: SubnetType.PUBLIC, cidrMask: 24 }, { name: `isolated-${id}-1`, subnetType: SubnetType.PRIVATE_ISOLATED, cidrMask: 28 } ], vpcName: `hubs${id}` }) ```

hi, I need help with understanding Firehose integration with CW log streams for Splunk logging. I already looked at AWS documentation. I can see that CWToSplunk subscription filter with the Firehose delivery stream already setup in our dev account for the log group but the log streams are not reaching Splunk. Just wanted to understand what config is possibly missing?!! This CW-Firehose-Splunk setup is supposed to be working for previous Lambdas. I created a new java based Lambda and when it is invoked, I am able to see that application log written by Log back is reaching to the CouldWatch log group, but never showed up in Splunk. I also verified that existing CWToSplunk delivery stream has Splunk as the correct destination and tranformation Lambda is enabled. What would be different for a new lambda if previous Lambda in the same account with the same setup is already working with firehose integration and is reaching splunk?? Thanks.

i've a lambda function and i want to have a cloudwatch logs table with errors and warnings columns.Actually I was able with this query to get an error / warnings report per day: ``` parse "[E*]" as @error | parse "[W*]" as @warning | filter ispresent(@warning) or ispresent(@error) | stats count(@error) as error, count(@warning) as warning by bin(15m) ``` Here are two example messages of the lambda: WARNING: ``` Field Value @ingestionTime 1653987507053 @log XXXXXXX:/aws/lambda/lambda-name @logStream 2022/05/31/[$LATEST]059106a15343448486b43f8b1168ec64 @message 2022-05-31T08:58:18.293Z b1266ad9-95aa-4c4e-9416-e86409f6455e WARN error catched and errorHandler configured, handling the error: Error: Error while executing handler: TypeError: Cannot read property 'replace' of undefined @requestId b1266ad9-95aa-4c4e-9416-e86409f6455e @timestamp 1653987498296 ``` ERROR: ``` Field Value @ingestionTime 1653917638480 @log XXXXXXXX:/aws/lambda/lambda-name @logStream 2022/05/30/[$LATEST]bf8ba722ecd442dbafeaeeb3e7251024 @message 2022-05-30T13:33:57.406Z 8b5ec77c-fb30-4eb3-bd38-04a10abae403 ERROR Invoke Error {"errorType":"Error","errorMessage":"Error while executing configured error handler: Error: No body found in handler event","stack":["Error: Error while executing configured error handler: Error: No body found in handler event"," at Runtime.<anonymous> (/var/task/index.js:3180:15)"]} @requestId 8b5ec77c-fb30-4eb3-bd38-04a10abae403 @timestamp 1653917637407 errorMessage Error while executing configured error handler: Error: No body found in handler event errorType Error stack.0 Error: Error while executing configured error handler: Error: No body found in handler event stack.1 at Runtime.<anonymous> (/var/task/index.js:3180:15) ``` Can you help me understand how to set up the query in order to have a table with the following columns and their values: from @message extract timestamp, requestID, type (WARN or ERROR), errorMessage and if feasible also the name of the lambda from @log and the @logStream. Can you help me understand how such a query is produced?

Hello, On 25.05 and today on 30.05 we got alarms that instance is down/unresponsive. Instance id is i-084bee8dfe7252dd5. We are using promethues for alarms and monitoring and I checked also cloudwatch for that instance. I didn't find anything in the logs, everything seems in order. Once we get alarm, I can ping instance but I can't access it no matter what I try. I have to shutdown instance and start it again using console to get it working. Can you check on your end? Any suggestions? Best regards

I'm trying to develop custom remediations using SSM documents. In some cases, when it goes wrong I can check it in the System Manager -> Automation console and see what's wrong with the code. But there are some situations where I cannot see anything, and I'm currently stuck in fixing this. So basically I can only see this error: "Action execution failed" | [screenshot_anonymized.png](https://github.zendesk.com/attachments/token/qY5xjaWKaoJdbnB6m3Z4ErWp6/?name=170682139-886a03bc-3460-47b1-98e9-db95e44be813_anonymized.png) Then when I look for it I can't find anything on the issue anywhere (System Manager, Cloudwatch, Config, etc...) Does anyone know what this issue is? And/or a neat little trick to debug this?

Hi, we are using X-Ray for application logs tracing but X-Ray is not able to show case all the logs and after some times it drops off the tracing. Is it some limitations with X-Ray or how we can enables X-Ray for the complete logs tracing.

Hello. I have some questions about cloudwatch usage and pricing. 1. Do custom metrics refer when I use cloudwatch agent or scripting? 2. By default many metrics are available for use, I understand with data ingested but this does not generate charges, right? 3. Are metrics charged only when I add metrics to alarms?, or per example if I install cloudwatch agent, the metrics that appear are charged as available in that moment, or only if I use within an alarm? 4. If I have multiple alarms with different thresholds for the same metric and instance. Per example; I need to monitor an EC2 CPU, so I create 03 alarms: warning (93%), critical (95%), fatal (98%). The cpu metric is charged 03 times or only one? 5. How can I create one alarm with multiple metric for a server, or one metric for multiple servers? 6. If I have one metric in one alarm, the cost is for one metric and one alarm, or only for one of them? Thank you.

Hi everyone, new to CloudWatch log insights. Trying to make sense out of this. ``` responseStatus.code: 200 responseStatus.message: Connection closed early response Status.status: Success ``` How is it possible for the connection to be successful and the connection to be closed early? When googling this issue, nothing came up. Side question: is there a way to query for Ports and/or Protocol? I have an alert from Guard Duty that I have been bending over backwards to find out in the logs but none of the logs from that time period in CloudWatch mentions any Port or Protocol, both of which was the cause of the alert. Does anybody know where I can get more info besides using Detective? Thank you.

Morning all, moving from Nagios to Cloudwatch and have a few test cases, but I am sure once I know how I can do it all, so for this one, I have a server farm of 7 servers. They write a JSON log file every minute, and the basic output I look for today is either a status_ok, status_warning or status_critical. I have my dev server setup, logs going into cloudwatch group and into the dev stream. I setup a filter to look for that status_ok, if it doesn't see it in 5 minutes, alert and that worked perfect. The problem is I put up my next server, same log group, different stream [server-1] for example. The alert fired and of course said dev as I didn't realize the mettric filter is on the group not the stream. So, basically I want the team to know if server-2 has an issue, let them get the alert that server is the one that didn't have the check. So, what is the best way to search, filter and alert based on the stream and not whole group? Thanks!

Hi all, accroding to this official documentation, RDS audit log has the following comma-delimited information https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html ``` timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode ``` i've noticed some logs are writing "READ" in place of operation and "proc" in place of object for example, a log might say "some timestamp, prod1, user1, xx.xxx.xxx.xxx, 23, 12, read, mysql, proc, 0 how would you interpret this particular log? and what does it tell me? i've read the official doc but the explanation is a bit vague appreciate your help thanks,

Good day! **My main purpose:** Easy way to collect information about different failure scenarios in SageMaker TrainingJob. **What do I use currently?** Sagemaker SKLearn Estimator(TrainingJobs are inside) **Where will my model train?** Different datasets. So, I need control and collect all information about all training processes and their final statuses on different datasets. **Which failure scenarios do I have?** There are plenty of them. I have create my own python Errors for them. For example: 1. There are labels only for one class. 2. Too small dataset(by my own criterions) 3. Missing data for crucial columns 4. e.t.c. **Where am I stuck?** After failed training I can't get own errors from training job response. All of them are "ExecuteUserScriptError" I can't pass my own info in FailureReason or ErrorMessage(always it's empty). I see which error was raised in CloudWatchLogs and TrainingJobTraceback(from SagemakerNotebook). So, bad solution is parse all CloudWatchLogs in case of failure. **Question: How to provide my own ErrorMessage or FailureReason? ** May be I am digging in the wrong direction. Anyway, I need your advice. Thank you so much for possibility to ask an advice here)

I have generated a timestream database and table, but am struggling to write data to the table. The data comes from an mqtt topic, and can be seen in the cloudwatch log, so I know my select statement is sound. I think i have given the IAM role the correct permissions. This answer [https://repost.aws/questions/QUmWAjLqG7RwGHCSL2tMrXvw/iot-core-rules-to-map-timestamp-to-timestream#COMoUviJP_TGCAgZvcltBQUw](by @Greg_b) describes how to enter the 'timestamp value' but does not say what is needed in the 'timestamp unit' field. I am a complete newcomer to AWS so apologies if my question is not worded correctly. I would really appreciate some help with this! One further question, why, after i have deactiveted a rule, does it still appear in the cloudwatch logs?

Hi, I would like to know easy way to start from the first line of log for the code-build execution (either in code-build console or cloudwatch-log console) My case, I had run the code-build, there are loads of logs (probably 100 of clicks on show previous logs, might take me to the first line of log, alternative clicking on view entire log, takes me to cloudwatch log, still no good way to go the first line of log for this loggroup (code-build execution) Thanks Ajay Kasam

Hi, do you know when might Cross-account cross-Region CloudWatch metrics and alarms creation be available with cloudformation? https://aws.amazon.com/about-aws/whats-new/2021/08/announcing-amazon-cloudwatch-cross-account-alarms/

Scenario: * Using ECS Fargate to launch Tasks from a Task Definition ( the container is a Python Django container, running a management command if this matters) * Problem: Logs were empty in Cloudwatch for the task run (completely - no data at all, but the log groups and stream were created). * When running the container locally, stdout outputted the expected data After much research and trial and error, I found that using a ENTRYPOINT command with a shell script is the problem. If I were to switch this to run the container with just the raw cli command as the ENTRYPOINT, the logs show in CW as expected. What is the reasoning/problem for this, and is there a different/better way to find out what was going on here besides trial and error? This Doesn't Work (in docker) ``` ENTRYPOINT [ "/app/docker-entrypoint.sh" ] CMD ["run_management_command"] ``` ``` # docker-entrypoint.sh # code shortened for a little brevity, may have syntax errors shift exec python manage.py "$@" ``` This Works ( in docker) ``` CMD ["python", "manage.py", "run_management_command"] ``` Does the shell script / exec cause the AWS std out logger to become disassociated somehow?

We have a bunch of CloudWatch alarms based on the metric values exceeding thresholds. We can associate extra properties with metrics to store additional identifiers (for example failed Herd workflow ids) inside the metrics via, for example @Prop annotations. But when CloudWatch processes alarm actions and automatically creates tickets, it includes only high level alarm details into the ticket description and no information about metric details. Thus, even if I associate additional ids with metrics, CloudWatch is not able to post these ids into the ticket. Is there a way to extract metric details and add into autocut tickets?

I have a simple resolver that has a simple Lambda function as a data source. This function always throws an error (to test out logging). The resolver has request mapping template enabled and it is configured as follows: ``` $util.error("request mapping error 1") ``` The API has logging configured to be as verbose as possible yet I cannot see this `request mapping error 1` from my CloudWatch logs in `RequestMapping` log type: ``` { "logType": "RequestMapping", "path": [ "singlePost" ], "fieldName": "singlePost", "resolverArn": "xxx", "requestId": "bab942c6-9ae7-4771-ba45-7911afd262ac", "context": { "arguments": { "id": "123" }, "stash": {}, "outErrors": [] }, "fieldInError": false, "errors": [], "parentType": "Query", "graphQLAPIId": "xxx" } ``` The error is not completely lost because I can see this error in the query response: ``` { "data": { "singlePost": null }, "errors": [ { "path": [ "singlePost" ], "data": null, "errorType": null, "errorInfo": null, "locations": [ { "line": 2, "column": 3, "sourceName": null } ], "message": "request mapping error 1" } ] } ``` When I add `$util.appendError("append request mapping error 1")` to the request mapping template so it looks like this: ``` $util.appendError("append request mapping error 1") $util.error("request mapping error 1") ``` Then the appended error appears in the `RequestMapping` log type but the `errors` array is still empty: ``` { "logType": "RequestMapping", "path": [ "singlePost" ], "fieldName": "singlePost", "resolverArn": "xxx", "requestId": "f8eecff9-b211-44b7-8753-6cc6e269c938", "context": { "arguments": { "id": "123" }, "stash": {}, "outErrors": [ { "message": "append request mapping error 1" } ] }, "fieldInError": false, "errors": [], "parentType": "Query", "graphQLAPIId": "xxx" } ``` When I do the same thing with response mapping template then everything works as expected (errors array contains `$util.error(message)` and outErrors array contains `$util.appendError(message)` messages. 1. Is this working as expected so the `$util.error(message)` will never show up in CloudWatch logs? 2. Under what conditions will `errors` array in `RequestMapping` log type be populated? 3. Bonus question: can the `errors` array contain more than 1 item for either `RequestMapping` or `ResponseMapping` log types?

EIP was allocated, but someone releases and application failed. now I'm looking for a way to track and leave logs. Is there any idea about it?

I got error: "ec2tagger: Unable to describe ec2 tags for initial retrieval: AuthFailure: AWS was not able to validate the provided access credentials" in cloudwatch log agent on an ec2 instance that has: 1. CloudWatchAgentServerRole -- this is default AWS managed role attached to the instance, this default role already allow ""ec2:DescribeTags"," in its policy. <---- NOTE this 2. Its NACL allowed all outbound and allowed all vpc's CIDR network range inbound 3. Cloudwatch log agent config file's region is correct 4. telnet ec2.us-east-2.amazonaws.com 443 or telnet monitoring.us-east-2.amazonaws.com 443 or telnet logs.us-east-2.amazonaws.com 443 under the ec2 instance all return successful connection (Connected <..> Escape character is '^]') I also create three vpc endpoints: logs (com.amazonaws.us-east-2.logs), monitoring (com.amazonaws.us-east-2.monitoring), ec2 (com.amazonaws.us-east-2.ec2) interface endpoints. They have SG that allowed all VPC's CIDR network range inbound. The idea is to expose metrics to cloudwatch via vpc endpoints. Despite all above setup, I can't make cloudwatch agent to work and it keeps echo above error complain about credentials is not valid even though the REGION in config file is correct and traffic between instance and cloudwatch is allowed.

Hello I have created a user and I want to give him the permission to access only a specific group of cloudwatch logs. For this, I have assigned the following strategy: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents" ], "Resource": "arn:aws:logs:<aws-region>:<accountId>:log-group:/ecs/copro*" } ] } ``` When the user tries to access cloudwatch this is the error message he gets : `User: arn:aws:iam::<accountId>:user/poreck is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:<aws-region>:<accountId>:log-group::log-stream: because no identity-based policy allows the logs:DescribeLogGroups action` I understand that the action **logs:DescribeLogGroups** is not applicable to a specific resource. Because if in the strategy I replace the value of the **Resource **field with "*", the user has access to all the log groups and I don't want that. My question is to know if there is a way to bypass this blocking by modifying the strategy. Or if there is a simple external solution that consists in retrieving these specific log groups. Thanks for any help Sincerely

I'm trying to send text notifications using AWS SNS I got the delivery status as. { "notification": { "messageId": "32630609-2480-5957-8026-5cdfc67f8303", "timestamp": "2022-04-18 03:53:35.1" }, "delivery": { "mnc": 94, "numberOfMessageParts": 3, "destination": "+919003988061", "priceInUSD": 0.1239, "smsType": "Transactional", "mcc": 404, "providerResponse": "Message has been accepted by phone", "dwellTimeMs": 47, "dwellTimeMsUntilDeviceAck": 11411 }, "status": "SUCCESS" } The notification was never delivered to the phonenumber. Fun Fact: The message gets delivered at random timings. No idea what's going on.

**Context:** We've got a number of load balanced web servers running on Windows OS in AWS using C# .NET (5). We have a web server application as well as a Windows Service running on the same machine and we have problems with logging from the Windows Service. **Problem Description**: Since we have many servers running load balanced, we name the log stream with the private IP number in order to distinguish which machine that potentially has problems. This private IP is extracted at startup of the application (for both the Windows Service and the Web Server.) This is usually sucessfull, but yesterday we had an incident when one Windows Service log stream was labeled with 127.0.0.1 instead of the local IP number. Eventually I was able to pinpoint which server it was, restarted the windows service, which made the private IP number appear instead in the new log stream name. **?: Suggested reason with possible solution:** I'm guessing this is a race condition error. The machine has not received it's private IP number yet by AWS network before our service asked for it. **If so we can wait for the real IP to appear just to make sure we get the right IP number in our log. ** I have three question related to this: **Questions:** 1. **Do you see any other reason than the one I suggested why the IP number 127.0.0.1 appears? ** 2. ** Is there a better solution available than the one I suggested?** 3. **Is there a way, using an AWS API of some sort to get hold of the public IP for the server?** Here's the code how we extract the private IP address in this context: ``` var hostName = System.Net.Dns.GetHostName(); var ipAddresses = System.Net.Dns.GetHostAddresses(hostName); var ipv4Address = ipAddresses.FirstOrDefault(ip => ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork); ```

I am looking for the solution of exporting Cloudwatch logs to S3 continuously where there is log updates from application. I am looking for a automated log export from cloudwatch to S3.

If there is actual documentation on this, my apologies as I've hunted several hours for the solution. As an Oracle DBA, I need to monitor certain log files for certain strings. For the listener log, one type of message contains "service_update * <db_name> * STATUS * [0 or non-zero]." I can parse everything up to the asterisk but even with double-quote delimiters, I cannot figure out how to include the end of that string. Specifically, I need to alert whenever a non-zero status is thrown. Similarly, for the alert log I need to flag messages containing "ORA-" error messages except for 'ORA-1". Thanks in advance for your aid. .

I have created a Cloudwatch Metric Filter for response latency We have regions in us-west-2 and us-east-2 and I have put separate Metric filters in each region's different Cloudwatch Log groups. I want to be able to query and add all response latencies between *both* regions so I can calculate aggregate values like Averages. How can I do this? Log Insights can't see different region Log Groups so I can't directly use this. I heard Metric Math may be able to. Is there a way?

Hello. I run my instance using **launching configuration** and **autoscaling group**. On the details tab I see: **Health check grace period = 300**. Also, I have a **load balancer** with **target group**. I set up health checks in the target group: **timeout - 5** seconds and **interval - 10** seconds. So, I should get one health check request for every 10 seconds. When I visit a cloudwatch log events, I see, that health checks requests sends too frequently, even I filter it by IP's: ```2022-04-04T15:08:24.043+03:00 2022-04-04T15:08:27.012+03:00 2022-04-04T15:08:31.690+03:00 2022-04-04T15:08:33.899+03:00 2022-04-04T15:08:34.061+03:00 2022-04-04T15:08:43.366+03:00 2022-04-04T15:08:43.898+03:00 2022-04-04T15:08:44.063+03:00 2022-04-04T15:08:45.473+03:00 2022-04-04T15:08:47.303+03:00 2022-04-04T15:08:49.343+03:00 2022-04-04T15:08:53.915+03:00 2022-04-04T15:08:54.067+03:00 2022-04-04T15:08:57.148+03:00 2022-04-04T15:09:02.237+03:00 2022-04-04T15:09:03.913+03:00 2022-04-04T15:09:04.067+03:00 2022-04-04T15:09:13.789+03:00 2022-04-04T15:09:13.920+03:00 2022-04-04T15:09:14.076+03:00 2022-04-04T15:09:15.833+03:00 2022-04-04T15:09:17.460+03:00 2022-04-04T15:09:19.721+03:00 ``` Sometimes I can see 2 health checks in one second. Why? what can I do to fix it?

We are using the Jenkins Pipeline Plugin for Cloudwatch logs on a Jenkins instance. It simultaneously uploads and downloads the console logs for our jobs. Initially the console logs loaded pretty much instantaneously however as we have added more instances to our account this duration has increased dramatically taking up to 30 seconds in some instances. Intermittently we receive the following com.amazonaws.services.logs.model.AWSLogsException: Rate exceeded Researching on the web and it appears we're exceeding our CloudWatch API limits. Would anyone be able to tell me where I can view these limits within our account and how to request to have them increased? Any help would be greatly appreciated. Thanks, Mark.

Hi, I find results in log insights using the following query: `fields @timestamp, @message | filter log like "GET /espace-client/selfcare" | sort @timestamp desc | limit 20` The results I find are like: `172.17.82.30 - - [29/Mar/2022:17:08:54 +0200] "GET /espace-client/selfcare/contract/<redacted> HTTP/1.1" 200 4891 "<redacted referrer>" "Mozilla/5.0 (Linux; Android 11; SM-A515F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36"` The pattern I use in my metric is: `[remote_addr, user, remote_user, timestamp, location="GET /espace-client/selfcare/contract/*", response_code=2*, body_bytes_sent, referrer, user_agent]` When I use the Test pattern feature in the metric filter creation, the above log line is matched correctly yet, when I try to create a line graph widget (metric value = 1 and default value = 0, no use of dimensions). The graph is definitely flat on a value of zero. I can tell that I have hundreds of match in log insights during one hour though. I looked for previous questions but to no avail. What is wrong with what I am doing? Thank you for your help.

Hi, I started using RDS under AWS Free tier. As per documentation, I was expecting 750 hours of RDS single instance availability without any charge. Below are the details of the charge from billing. I had a basic test table with <100 rows of data. Is there some config change that I need to avoid this charge. RDS $0.115 per GB-month of provisioned gp2 storage running MySQL4.684 GB-Mo$0.54 $0.115 per RDS GB-month of provisioned GP2 storage3.006 GB-Mo$0.35 Similarly for Cloudwatch I am getting charges without specifically activating any alarm. Below is an alarm for my cloudwatch. My provisioned capacity range from 1-10 read / write per second. So not clear how is the below alarm applicable and why is there a charge for this alarm? Do I need to make some changes to DynamoDB & CloudWatch config? In alarm 2022-03-26 22:44:22 ConsumedWriteCapacityUnits < 30 for 15 datapoints within 15 minutes Regards, DBeings

A customer wants to get various flavors of logs from ECS on EC2, ECS on Fargate, API GW logs, load balancer logs, (and potentially RDS Aurora) to Splunk endpoint Following have already been referenced to the customer Splunk white paper: https://www.splunk.com/pdfs/white-papers/getting-data-into-gdi-splunk-from-aws.pdf  And a couple of these blog posts https://www.splunk.com/en_us/blog/it/splunking-aws-ecs-part-2-sending-ecs-logs-to-splunk.html https://www.splunk.com/en_us/blog/it/splunking-aws-ecs-and-fargate-part-3-sending-fargate-logs-to-splunk.html 
 The challenge is which approach to use as we they ECS Fargate and ECS on EC2 along with other AWS services for which they want to centralize their logs. Currently they are considering separate lambda functions for ECS, lambda for LBs etc. to pull logs from cloudwatch and push them to Splunk endpoint. Trying to seek suggestions on what could be the best practices.

Alarms and dashboards can be created in one monitoring account based on metrics from one or more source accounts using CloudWatch's [cross account cross region ](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html) capability. Can metric filters be created in a similar way - deployed to the monitoring account but based on source accounts? I assume not given AWS::Logs::MetricFilter has property "LogGroupName" rather than ARN, but hope to be wrong. This would be great for use cases where alarms are centralised but there's no requirement for, or even security or governance constraints against centralising logs.

Hi, I would like to request that %a is added to the log_line_prefix default in the amazon aurora parameter group setting. The current default is: "%t:%r:%u@%d:[%p]:t". We need this is order to help identify easily where our connection is orginating from. This is to enable better log filtering and metrics via CloudWatch logs for a given application. Regards Mat

TL;DR; ---- How to change the color of Log-Insights Visualization? What is desired ------ Consider the following log insight query: ``` stats count(*) AS CHECKOUTS group by status ``` It will provide the logs counted by groups of status. When going to the tab of visualization I can view, for example, a Pie chart with the log information. For instance: [![Dashboard][1]][1] This chart can be added to a dashboard, just like the metrics, but selecting the color for display is very important, for instance if I have a status "FAILED" I'd like it to show red, whilst if I have a status "SUCCEDED" I'd like to render in green. How can this be achieved? [1]: https://i.stack.imgur.com/mtwBV.png

I am testing out the Unity Fargate serverless solution at github link https://github.com/aws-samples/fargate-game-servers . After going through all the steps - my client is not able to connect with the ECS Fargate tasks because the latter are not starting (not getting into RUNNING state). They get as far as PROVISIONING but then sputter - giving the CannotPullContainerError error. On top of that, I am a noob and cannot figure out where to find the complete error log entry, because it gets cut out. Nor do the cloudwatch logs show me the error. So I'm at a loss of how to troubleshoot. Image attached in problem description video https://youtu.be/AKkPpEOQDGA

Hi, we are experiencing a strange behavior in our pipeline flow. Step from source pulling e image building are correctly marked as succeeded in pipeline but the procedure fall in a "in progress" state for the deploy step. Anyway, when I check ECR panel, I can see the image correctly deployed to cluster. Nothing was changed in the last days about the pipeline setting up, just as usual new commits. Logs are clean and nothing can point me to resolve this issue. Is there something that I can check further to fix this situation? Thanks!

I am trying to create a bot in lex v2 console using c# .net function. All are done, in the integration part we have the following error in lex v2 chat window. we are using custom models for Request and Response. Is there any AWS DLL for this? like **LexEvent** & **LexResponse** in lex v1 **Invalid Lambda Response: Received invalid response from Lambda: Can not construct instance of IntentResponse, problem: The validated object is null at [Source: {"Jsonvalue"}; line: 1, column: 561]** Response we trying to return is, { "SessionId":"125512899102434", "SessionState": { "ActiveContexts":[], "SessionAttributes":{}, "DialogAction": { "SlotToElicit":"Patientid", "Type":"ElicitSlot" }, "Intent": { "ConfirmationState":"None", "Name":"ScheduleAppointment", "Slots": { "MobileNumber":null, "Department":null, "FirstName":null, "Patientid":null, "Time":null, "LastName":null, "Gender":null, "Doctor":null, "UserType":null, "Date":null, "Age":null, "Location":null }, "State":"InProgress" } }, "Messages": [ { "ContentType":"PlainText", "Content":"Please provide your Patient ID" } ] } Please help us to resolve this issue and move forward. thanks, Mohan

In older version of AWS Cloudwatch agent, there was a parameter for initial_position. But I am not able to find it in the new Cloudwatch agent. Older version of CloudWatch ``` initial_position = start_of_file ``` But I am not able to find the same anywhere in the new documentation. Please help in pointing to the parameter for this. ``` collect_list :[{ "file_path": "/var/log/nginx/access.log", "log_group_name": "GroupName", "log_stream_name": "nginxAccessLogStream", "timezone": "UTC" }] ``` Edit: Found Logs Input Plugin. Field: from_beginning https://github.com/aws/amazon-cloudwatch-agent/tree/f870550f94a822f3eceaea0ecb2efdeabe961e5c/plugins/inputs/logfile But adding it is not running the plugin.

I need to monitor the CloudFront real time logs in cloud watch. Is there any way to stream CloudFront real time logs to the cloudwatch? I know how to stream CloudFront standard(access)logs to cloudwatch(But it won't stream live logs and there will be a huge delay between live log time and log streaming time. so I won't prefer it) and how to stream real time logs to AWS OpenSearch through kinesis firehouse. But in our project, we stream all service logs to the cloudwatch. So it would be better if any way to stream CloudFront logs to the cloudwatch. Is there any possibility to do as my request?

Hey! I'm trying to set up a new API Gateway through Terraform, and I'm having some trouble setting up the IAM policy for the cloudwatch logs role. I've created the log group, and set retention to 1 day, but I'm unable to create a policy that'll be accepted by the AWS console. My current (anonymised) effort looks like this: ``` { "Statement": [ { "Action": "logs:DescribeLogGroups", "Effect": "Allow", "Resource": "*", "Sid": "LogGroups" }, { "Action": [ "logs:PutLogEvents", "logs:GetLogEvents", "logs:DescribeLogStreams", "logs:CreateLogStream" ], "Effect": "Allow", "Resource": "arn:aws:logs:eu-west-1:123456789:log-group:API-Gateway-Execution-Logs_alphanum/stage:log-stream:*", "Sid": "LogStreams" } ], "Version": "2012-10-17" } ``` When I try to set the cloudwatch log arn in the console, I get an error ` The role ARN does not have required permissions configured. Please grant trust permission for API Gateway and add the required role policy. `. If I try to edit the policy in the visual editor, it doesn't seem to like the format of the resources, but I've checked those repeatedly against the docs. The trust relationship is straightfoward ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` Any ideas?

So am receiving data via IOT core. Applying a rule to route the data to S3. You can see the it "last modified" update but when I look for entries it is empty? CloudWatch is giving me the following: {"timestamp":"2022-02-07 02:04:46.802","logLevel":"INFO",].....","status":"Success","eventType":"RuleExecution","clientId":"MKR1010","topicName":"MKR1010/pub","ruleName":"mkr1010tos3","ruleAction":"S3Action","resources":{"Bucket":"mkr1010s3","Key":"mkr1010"},"principalId":"2b035d1e541ac061be9a5498254aff0e21c771b2a96e470a7b2a287fc6f34b59"} Not quite sure why. When I change to rule to send it to a dynamoDB...then the data is being stored as expected. I know that S3 is not the best way to do this but I would like to know what is missing when the CloudWatch logs show successful execution?? Thanks