Alarming on logs - Amazon CloudWatch

Alarming on logs

You can create CloudWatch alarms that monitor your log data in two ways:

  • Log Alarm approach — Create a Log Alarm that runs a CloudWatch Logs Insights query on a schedule and evaluates the aggregated results directly against a threshold.

  • Metric filter approach — Create a metric filter on a log group, then create a standard metric alarm on the resulting metric.

Create a Log Alarm

You can create a CloudWatch alarm that uses a CloudWatch Logs Insights query to monitor log data directly. The query runs on a schedule using a Scheduled Query, and the alarm evaluates the aggregated results against a threshold. For more information about how Log Alarms work, see Log alarms.

Prerequisites

Before you create a Log Alarm, you must create an IAM role that grants CloudWatch Logs permission to execute the scheduled query. If you also want log lines included in Amazon SNS notifications, you must create a second role.

Note

If you create a Log Alarm from the CloudWatch console, the console helps you create these roles.

Scheduled query execution role

The scheduled query execution role allows CloudWatch Logs to run the query on your behalf. This role is required for all Log Alarms to execute the scheduled query. The role must trust the logs.amazonaws.com service principal.

The following example shows the trust policy for the scheduled query execution role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The following example shows the permissions policy. Scope the Resource to the log group ARNs that the query targets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:GetQueryResults",
        "logs:DescribeLogGroups"
      ],
      "Resource": "arn:aws:logs:region:account-id:log-group:your-log-group:*"
    }
  ]
}

Log lines role (optional)

The log lines role allows CloudWatch to fetch log lines for Amazon SNS email notifications. This role is required only if you set ActionLogLineCount to a value greater than 0. The role must trust the cloudwatch.amazonaws.com service principal.

The following example shows the trust policy for the log lines role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudwatch.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The following example shows the permissions policy for the log lines role. The logs:GetQueryResults permission is required to fetch log lines. Scope the Resource to the log group ARNs that the query targets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:GetQueryResults"
      ],
      "Resource": "arn:aws:logs:region:account-id:log-group:your-log-group:*"
    }
  ]
}

Note

To view Log Alarm query results in the CloudWatch console, the IAM user or role accessing the console must have the logs:GetScheduledQueryData permission. This is a console-only API and is not available through the AWS CLI or SDK. CloudTrail logs this API as a data event, so you must configure a trail with data event logging to capture it.

Creating a Log Alarm using the console

The steps in this section explain how to use the CloudWatch console to create a Log Alarm. You can also use the AWS CLI to create a Log Alarm. For more information, see Creating a Log Alarm using the AWS CLI.

To create a Log Alarm
  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Alarms, and then choose All alarms.

  3. Choose Create alarm.

  4. For Data source, choose Logs.

  5. Under Logs Query:

    1. For Log groups, choose one or more log groups to query.

    2. In the query editor, enter your Logs Insights query. Choose Preview results to verify that the query matches the log lines you expect.

    3. For Aggregation expression, specify how to aggregate the query results to return a numerical value for alarm evaluation (for example, count(*) or avg(latency) by endpoint).

    4. For Schedule, choose how often the query runs (for example, every 5 minutes).

  6. Under Alarm Conditions:

    1. For Whenever the aggregated result is..., choose a comparison operator.

    2. For than..., enter the threshold value.

    3. (Optional) Under Additional Configuration:

      1. Modify Datapoints to alarm to specify how many of the last N query results must breach the threshold for the alarm to go into ALARM state.

      2. Modify Missing data treatment to specify how to treat missing data.

  7. Under Schedule:

    1. For Evaluation Frequency, choose how often the query runs (for example, every 5 minutes).

    2. For Start time offset, specify the lookback window for each query execution, as an offset in seconds from the current time.

    3. (Optional) For End time offset, specify the end of the query time range, as an offset in seconds from the current time.

  8. Under IAM permission:

    1. Specify the role that is required to execute the scheduled query. You can either choose to create a new role or use an existing role.

  9. Choose Next.

  10. Under Configure actions, configure actions and notifications as needed.

    1. To include the log lines that triggered the alarm transition in Amazon SNS email notifications, under Include query results in the actions:

      1. Add Number of query results to specify the number of log lines to include.

      2. Create or choose an existing role that is used to get the required query results.

  11. Choose Next.

  12. Enter a Name and optional Description (supports Markdown).

  13. (Optional) Add tags.

  14. Choose Next.

  15. Under Preview and create, review your configuration, and then choose Create alarm.

Creating a Log Alarm using the AWS CLI

You can use the AWS CLI put-log-alarm command to create a Log Alarm.

The following example creates a Log Alarm that monitors error counts in a log group and transitions to ALARM state when the count exceeds 100 in 3 out of 5 query executions.

aws cloudwatch put-log-alarm \
    --alarm-name "HighErrorCount" \
    --alarm-description "Alarm when error count exceeds 100" \
    --comparison-operator GreaterThanThreshold \
    --threshold 100 \
    --query-results-to-evaluate 5 \
    --query-results-to-alarm 3 \
    --treat-missing-data missing \
    --alarm-actions "arn:aws:sns:region:account-id:topic-name" \
    --scheduled-query-configuration '{
        "QueryString": "fields @timestamp, @message | filter @message like /ERROR/",
        "LogGroupIdentifiers": ["/aws/lambda/my-function"],
        "ScheduledQueryRoleARN": "arn:aws:iam::account-id:role/ScheduledQueryRole",
        "AggregationExpression": "count(*)",
        "ScheduleConfiguration": {
            "ScheduleExpression": "rate(10 minutes)",
            "StartTimeOffset": 600
        }
    }' \
    --action-log-line-count 5 \
    --action-log-line-role-arn "arn:aws:iam::account-id:role/LogLineRole"

The following table describes the key parameters for the put-log-alarm command.

put-log-alarm parameters

--alarm-name (required)
    The name of the alarm. Must contain only UTF-8 characters.

--comparison-operator (required)
    The comparison operator for threshold evaluation. Valid values: GreaterThanThreshold, GreaterThanOrEqualToThreshold, LessThanThreshold, LessThanOrEqualToThreshold.

--threshold (required)
    The numeric threshold value to compare against.

--query-results-to-evaluate (required)
    The number of recent query executions to evaluate (N in M-out-of-N).

--query-results-to-alarm (required)
    The number of breaching results required to trigger ALARM (M in M-out-of-N).

--treat-missing-data (optional)
    How to treat missing data. Valid values: missing (default), notBreaching, breaching, ignore.

--scheduled-query-configuration (required)
    The query configuration, including the query string, log group identifiers, scheduled query role ARN, aggregation expression, and schedule configuration.

--action-log-line-count (optional)
    The number of log lines to include in Amazon SNS email notifications (0–50). Default is 0.

--action-log-line-role-arn (optional)
    The ARN of the IAM role that trusts cloudwatch.amazonaws.com. Required if action-log-line-count is greater than 0.
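Before running put-log-alarm, it is worth checking the two roles from the Prerequisites section and the parameters in the table above against what this page requires: the scheduled query role trusts only logs.amazonaws.com, the log lines role trusts only cloudwatch.amazonaws.com, each Resource is one of the queried log group ARNs rather than "*", M does not exceed N, and a log lines role is present whenever the log line count is above 0. The following script is an added example, not AWS code; the policy documents and log group ARN at the bottom are constructed samples in the page's placeholder style.

```python
"""Pre-flight checks for a CloudWatch Log Alarm definition (added example, not AWS code)."""


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_alarm_params(p):
    """Return problems with put-log-alarm parameters per this page's table (empty = ok)."""
    problems = []
    n, m = p["QueryResultsToEvaluate"], p["QueryResultsToAlarm"]
    if not 1 <= m <= n:
        problems.append("QueryResultsToAlarm must be between 1 and QueryResultsToEvaluate")
    lines = p.get("ActionLogLineCount", 0)
    if not 0 <= lines <= 50:
        problems.append("ActionLogLineCount must be 0-50")
    if lines > 0 and not p.get("ActionLogLineRoleArn"):
        problems.append("ActionLogLineRoleArn is required when ActionLogLineCount > 0")
    return problems


def check_role(trust_policy, permissions_policy, expected_service, log_group_arns):
    """Flag any principal other than expected_service and any Resource (such as "*")
    that is not one of the log group ARNs the scheduled query targets."""
    problems = []
    for s in _as_list(trust_policy["Statement"]):
        principal = s.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            problems.append("trust policy allows a non-service principal")
            continue
        for svc in _as_list(principal["Service"]):
            if svc != expected_service:
                problems.append(f"trust policy allows unexpected principal {svc}")
    for s in _as_list(permissions_policy["Statement"]):
        for res in _as_list(s.get("Resource", [])):
            if res not in log_group_arns:
                problems.append(f"Resource not scoped to a queried log group: {res}")
    return problems


# Constructed sample: the scheduled query role from this page, but with Resource "*".
LOG_GROUP_ARNS = ["arn:aws:logs:region:account-id:log-group:/aws/lambda/my-function:*"]
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "logs.amazonaws.com"}}]}
PERMISSIONS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
               "Action": ["logs:StartQuery", "logs:StopQuery", "logs:GetQueryResults"]}]}

if __name__ == "__main__":
    for problem in check_role(TRUST, PERMISSIONS, "logs.amazonaws.com", LOG_GROUP_ARNS):
        print(problem)  # reports the wildcard Resource
```

Run the same check_role call with "cloudwatch.amazonaws.com" against the log lines role, and feed the parameter dict you pass to put-log-alarm (or the CloudFormation Properties) to check_alarm_params.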

Creating a Log Alarm using AWS CloudFormation

You can use the AWS::CloudWatch::LogAlarm resource type to create a Log Alarm in an AWS CloudFormation template.

The following example template creates a Log Alarm that monitors error counts. It assumes that the ScheduledQueryRole, LogLineRole, and AlarmSNSTopic resources that it references are defined elsewhere in the same template.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  HighErrorCountAlarm:
    Type: AWS::CloudWatch::LogAlarm
    Properties:
      AlarmName: HighErrorCount
      AlarmDescription: Alarm when error count exceeds 100
      ComparisonOperator: GreaterThanThreshold
      Threshold: 100
      QueryResultsToEvaluate: 5
      QueryResultsToAlarm: 3
      TreatMissingData: missing
      ActionLogLineCount: 5
      ActionLogLineRoleArn: !GetAtt LogLineRole.Arn
      ScheduledQueryConfiguration:
        QueryString: "fields @timestamp, @message | filter @message like /ERROR/"
        LogGroupIdentifiers:
          - /aws/lambda/my-function
        ScheduledQueryRoleARN: !GetAtt ScheduledQueryRole.Arn
        AggregationExpression: "count(*)"
        ScheduleConfiguration:
          ScheduleExpression: "rate(10 minutes)"
          StartTimeOffset: 600
      AlarmActions:
        - !Ref AlarmSNSTopic

Create a CloudWatch alarm based on a log group-metric filter

The procedure in this section describes how to create an alarm based on a log group-metric filter. With metric filters, you can look for terms and patterns in log data as the data is sent to CloudWatch. For more information, see Create metrics from log events using filters in the Amazon CloudWatch Logs User Guide. Before you create an alarm based on a log group-metric filter, you must complete the following actions:

To create an alarm based on a log group-metric filter
  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. From the navigation pane, choose Logs, and then choose Log groups.

  3. Choose the log group that includes your metric filter.

  4. Choose Metric filters.

  5. In the metric filters tab, select the box for the metric filter that you want to base your alarm on.

  6. Choose Create alarm.

  7. (Optional) Under Metric, edit Metric name, Statistic, and Period.

  8. Under Conditions, specify the following:

    1. For Threshold type, choose Static or Anomaly detection.

    2. For Whenever your-metric-name is . . ., choose Greater, Greater/Equal, Lower/Equal, or Lower.

    3. For than . . ., specify a number for your threshold value.

  9. Choose Additional configuration.

    1. For Data points to alarm, specify how many data points trigger your alarm to go into the ALARM state. If you specify matching values, your alarm goes into the ALARM state if that many consecutive periods are breaching. To create an M-out-of-N alarm, specify a number for the first value that's lower than the number you specify for the second value. For more information, see Alarm evaluation.

    2. For Missing data treatment, select an option to specify how to treat missing data when your alarm is evaluated.

  10. Choose Next.

  11. For Notification, specify an Amazon SNS topic to notify when your alarm is in the ALARM, OK, or INSUFFICIENT_DATA state.

    1. (Optional) To send multiple notifications for the same alarm state or for different alarm states, choose Add notification.

    2. (Optional) To not send notifications, choose Remove.

  12. To have the alarm perform Auto Scaling, EC2, Lambda, or Systems Manager actions, choose the appropriate button and choose the alarm state and action to perform. If you choose a Lambda function as an alarm action, you specify the function name or ARN, and you can optionally choose a specific version of the function.

    Alarms can perform Systems Manager actions only when they go into ALARM state. For more information about Systems Manager actions, see Configuring CloudWatch to create OpsItems from alarms and Incident creation.

    Note

    To create an alarm that performs an SSM Incident Manager action, you must have certain permissions. For more information, see Identity-based policy examples for AWS Systems Manager Incident Manager.

  13. Choose Next.

  14. For Name and description, enter a name and description for your alarm. The name must contain only UTF-8 characters, and can't contain ASCII control characters. The description can include markdown formatting, which is displayed only in the alarm Details tab in the CloudWatch console. The markdown can be useful to add links to runbooks or other internal resources.

  15. For Preview and create, check that your configuration is correct, and choose Create alarm.