Ref: https://learn.cantrill.io/courses/1820301/lectures/41301375 [ASSOCIATESHARED]

• Summary
• Contents:

CWLogs - Overview

• 🔧 Store, monitor & access logging data
  • Log = timestamp + data (YYYY-MM-DD::HH:MM:SS message )
    • e.g. 2025-02-03::13:40:35 "User signed in"
• Public & regional service
  • Accessible from AWS, on-premises, or even other cloud platforms
• Built-in integrations with many AWS services (EC2, VPC Flow Logs, Lambda, CloudTrail…)
  • Security generally provided via IAM roles or service-linked roles
  • Majority of AWS services send basic logging data to CW by default
• Unified CW Agent: Integration SW that allows sending custom logs to CW, from anywhere
  • AWS-external services must install it to send logs to CW
  • Also needed to send custom application logs or OS logs from EC2 instances
  • Alternative to CW Agent: AWS SDK (app code can use it to send logs too)

CWLogs - Architecture

• Logging sources: AWS services, mobile apps, DBs, external APIs, AWS-external compute…
  • Inject Log Events (timestamp+message) into CWLogs
• Log stream = sequence of log events from same source
• Log group = container for log streams
  • Stores same logs from different sources (e.g. different EC2 instances)
  • Stores configuration settings for streams (e.g. retention setting & permission)
  • Stores & defines metric filters → can trigger alarms
• 💡 Example: we have a group of EC2 instances. Each instance injects its /var/log/messages (stores Linux system diagnostics) into CWLogs.
  • One log group contains all /var/log/messages from all instances
  • Every log stream inside the log group belongs to one specific instance
  • Each log stream would contain the log events of its instance, in order
• CWLogs Architecture Diagram