search

Part 4: Querying AWS Services with CloudWatch Logs

hashtag
Navigating AWS Service Logs

Each AWS service logs differently. Over time, I've learned the quirks and patterns of each service's logs. This part provides production-ready queries for the AWS services I work with most.

hashtag
AWS Lambda Logs

Lambda is perhaps the most common source of CloudWatch logs in modern AWS architectures.

hashtag
Lambda Log Structure

Lambda creates log streams per function invocation and includes automatic logging:

START RequestId: abc-123 Version: $LATEST
2024-01-15T10:30:45.123Z abc-123 INFO User logged in
END RequestId: abc-123
REPORT RequestId: abc-123 Duration: 125.45 ms Billed Duration: 126 ms Memory Size: 512 MB Max Memory Used: 95 MB

hashtag
Finding Errors in Lambda

fields @timestamp, @message
| filter @type = "REPORT" or @message like /ERROR|Error|error/
| filter @message not like /START|END/
| sort @timestamp desc
| limit 50

hashtag
Lambda Cold Start Analysis

hashtag
Lambda Performance Metrics

hashtag
Lambda Timeouts

hashtag
Real Example: Lambda Error Tracking

hashtag
API Gateway Logs

API Gateway logs require explicit enablement but provide invaluable request/response data.

hashtag
Enable API Gateway Logging

First, create a CloudWatch log role ARN in IAM, then enable logs for your API stage.

hashtag
API Gateway Log Format

hashtag
Query API Gateway Access Logs

hashtag
API Gateway Error Rate

hashtag
API Gateway Performance by Endpoint

hashtag
Real Example: API Gateway 4xx vs 5xx Analysis

hashtag
ECS/Fargate Container Logs

ECS container logs capture application output from Docker containers.

hashtag
ECS Log Stream Format

hashtag
Query ECS Container Logs

hashtag
ECS Task Failures

hashtag
ECS Container Resource Issues

hashtag
Real Example: ECS Service Health Check

hashtag
RDS Database Logs

RDS provides multiple log types: error logs, slow query logs, and general logs.

hashtag
RDS Error Log Queries

hashtag
RDS Slow Query Analysis

hashtag
Real Example: RDS Connection Issues

hashtag
VPC Flow Logs

VPC Flow Logs track network traffic for security and troubleshooting.

hashtag
VPC Flow Log Format

Format: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status

hashtag
Query VPC Flow Logs

hashtag
VPC Traffic Volume by IP

hashtag
Real Example: Security Analysis - Rejected Connections

hashtag
CloudTrail Logs

CloudTrail tracks AWS API calls for security, compliance, and troubleshooting.

hashtag
CloudTrail Event Structure

hashtag
Query CloudTrail for Errors

hashtag
CloudTrail Unauthorized Attempts

hashtag
Real Example: CloudTrail Security Monitoring

hashtag
Application Load Balancer Logs

ALB logs provide detailed HTTP request/response data.

hashtag
ALB Log Format

hashtag
Query ALB Access Logs

hashtag
ALB Performance Analysis

hashtag
Real Example: ALB Error Analysis

hashtag
ElastiCache Logs

ElastiCache (Redis/Memcached) logs engine events and errors.

hashtag
Query ElastiCache Slow Logs

hashtag
ElastiCache Connection Issues

hashtag
CodeBuild Logs

CodeBuild logs contain build output and errors.

hashtag
Query CodeBuild Failures

hashtag
CodeBuild Phase Duration

hashtag
Step Functions Logs

Step Functions logs state machine executions.

hashtag
Query Step Functions Failures

hashtag
Cross-Service Correlation Patterns

hashtag
Pattern: Trace Request Across Services

hashtag
Pattern: API Gateway โ†’ Lambda โ†’ RDS

Query multiple log groups:

  1. API Gateway: /aws/apigateway/my-api

  2. Lambda: /aws/lambda/my-function

  3. RDS: /aws/rds/instance/my-db/slowquery

hashtag
Service-Specific Best Practices

hashtag
Lambda Best Practices

  1. Always include request ID in logs

  2. Use structured logging (JSON)

  3. Monitor cold starts separately

  4. Track memory usage trends

hashtag
API Gateway Best Practices

  1. Enable execution logging (not just access logging)

  2. Include correlation IDs

  3. Monitor 4xx vs 5xx separately

  4. Track latency by endpoint

hashtag
RDS Best Practices

  1. Enable slow query logs (set threshold appropriately)

  2. Monitor connection pool exhaustion

  3. Track long-running queries

  4. Alert on replication lag

hashtag
ECS Best Practices

  1. Use structured logging in containers

  2. Include container ID in logs

  3. Monitor task recycling frequency

  4. Track resource utilization

hashtag
Key Takeaways

  • Each AWS service has unique log formats and structures

  • Lambda logs include automatic START/END/REPORT entries

  • API Gateway requires explicit log enablement

  • VPC Flow Logs use space-delimited format

  • CloudTrail logs all API calls for security auditing

  • ALB logs provide detailed HTTP metrics

  • Use parsing to extract service-specific fields

  • Correlate across services using request/trace IDs

  • Enable appropriate log levels for each service

In Part 5, we'll build comprehensive observability dashboards using CloudWatch, combining these queries into actionable visualizations for real-time monitoring.

PreviousPart 3: Advanced Query Operations and FunctionsNextPart 5: Building Observability Dashboards with CloudWatch

Last updated