CloudWatch Logs

• Place to store logs
• Log groups:
  • some name to represent theapplication
• Log stream:
  • instances with application, log files, containers
• Can setup expirations
  • defined in logs group
• Can send logs to
  • S3
  • Kinesis Data Streams
  • Kinesis Data Firehose
  • AWS Lambda
  • ElasticSearch
• We can send the log using
  • SDK, CloudWatch Logs Agent, CloudWatch Unified Agent
  • Elastic Beanstalk
  • ECS
  • AWS Lambda
  • VPC Flow logs
  • API Gateway
  • CloudTrail
  • Route53: log DNS query
• Logs in cloudwatch logs never expired by default

Encryption

• You can encrypt CloudWatch logs with AWS KMS keys.
• Encryption is enabled at log group level by associating a Customer Managed Key
• Note: You cannot associate CMK with a log group using CloudWatch console
  • Must use the CloudWatch Logs API
    • associate-kms-key if the log group already exists
    • create-log-group: if the log group doesn't exist yet

S3 Exports

• Export cloudwatch logs to S3
• Log data can take up to 12 hours
• use CreateExportTask
• Not near-real time or real-time.
  • If you want real time, use CloudWatch Logs Subscription