Understanding CloudWatch Logs – SCS-C02 Study Guide

Understanding CloudWatch Logs

CloudWatch Logs allows you to ingest logs from your AWS services, from your own applications, and from on-premises hosts running the CloudWatch agent. The service moves logs off the host that produced them and into durable, AWS-managed storage, so an attacker who compromises the host cannot simply delete its local log files to cover their tracks. Once ingested, log events are retained indefinitely by default; they are only deleted once you set a retention period on the log group and the events age past it.

With logs stored in CloudWatch Logs, you can search the stored events with filter patterns, and CloudWatch Logs Insights provides a query language for ad hoc analysis. You can also create metric filters that turn matching log events into custom metrics, and alarms on those metrics. CloudWatch Logs can be an essential tool in your security and compliance frameworks: the stored events form an audit trail, serve as evidence for forensic analysis, and provide critical information during an incident. IAM policies and log group resource policies control who can write to, read, and reconfigure the logs, and those API calls are themselves recorded by CloudTrail, which is what makes the logs auditable.

Having gained a basic understanding of the CloudWatch Logs service, you will now learn about some of the key terms.

CloudWatch Logs Terminology

You should be familiar with some key terms that may appear when working with the CloudWatch service and on the Certified Security Specialty exam:

  • Filter pattern: An expression that selects which log events match. Metric filters use a filter pattern to decide which events count toward a metric, and subscription filters use one to decide which events are forwarded to the destination resource (for example a Lambda function, a Kinesis data stream, or a Firehose delivery stream). Patterns are case sensitive, and an empty pattern matches every event.
  • Log events: A record of some activity stored in CloudWatch Logs, consisting of a timestamp and the raw event message. Event messages must be UTF-8 encoded.
  • Log streams: A log stream is a sequence of log events that share the same source, such as one instance or one container. It is essentially a log file that is continuously being written to, with each log event representing a line in that file.
  • Log groups: A log group is a collection of log streams that share the same retention, monitoring, and access control settings, typically because they come from the same application or source. There is no limit on how many log streams can be part of one log group.
  • Retention settings: These settings determine how long CloudWatch Logs keeps your events. By default, a log group retains events indefinitely, which can lead to extra costs. If you do not need the events after a certain period, you can set a retention period on each log group, from 1 day up to 10 years (3,653 days), chosen from a fixed set of allowed values. Once events age past the retention period they are deleted automatically, so if a compliance requirement outlives the retention you can afford in CloudWatch Logs, export the events to S3 before they expire.
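
To make the filter pattern and log event terms concrete, here is an added example (not code from the study guide or from AWS) that implements a simplified matcher for the two documented pattern families and runs it over a handful of constructed sample events. The sample events, the helper names, and the simplifications noted in the docstring (case-sensitive substring matching for plain terms, no numeric comparisons, no && / ||, no JSON patterns) are assumptions of this example, not AWS behaviour.

```python
"""Simplified matcher for CloudWatch Logs filter patterns (added example).

Models the two documented pattern families for unstructured log events:
  * term patterns:            ERROR    ?ERROR ?WARN    ERROR -Exception    "exact phrase"
  * space-delimited patterns: [ip, user, username, timestamp, request, status_code = 4*, bytes]
This is a teaching model of the documented behaviour, not AWS's implementation:
numeric comparisons, && / ||, and JSON patterns are left out, and plain terms are
matched as case-sensitive substrings.
"""
import fnmatch
import re
import shlex

# Constructed sample events in the style of web server access logs and app logs.
SAMPLE_EVENTS = [
    '203.0.113.5 - alice [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1534',
    '203.0.113.5 - alice [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 403 92',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 404 0',
    "ERROR Exception while handling request id=42",
    "WARN slow response for /reports",
    "DEBUG cache miss for key=alice",
]


def _match_terms(pattern, message):
    """Term pattern: every plain term must appear, no '-term' may appear,
    and at least one '?term' must appear if any '?term' is given."""
    required, excluded, any_of = [], [], []
    for tok in shlex.split(pattern):  # shlex keeps "quoted phrases" as one token
        if tok.startswith("?"):
            any_of.append(tok[1:])
        elif tok.startswith("-"):
            excluded.append(tok[1:])
        else:
            required.append(tok)
    return (all(t in message for t in required)
            and not any(t in message for t in excluded)
            and (not any_of or any(t in message for t in any_of)))


def _event_fields(message):
    """Split an event the way a space-delimited pattern sees it: on whitespace,
    but a "quoted" or [bracketed] run counts as a single field. The surrounding
    quotes/brackets are stripped so conditions can glob the inner value."""
    return [f.strip('"[]') for f in re.findall(r'"[^"]*"|\[[^\]]*\]|\S+', message)]


def _match_fields(pattern, message):
    """Space-delimited pattern: field specs are comma-separated inside [ ].
    A bare name matches any value; 'name = glob' / 'name != glob' constrain it;
    a single '...' stands for any number of fields. Without '...', the event
    must have exactly as many fields as the pattern names."""
    specs = [s.strip() for s in pattern[1:-1].split(",")]
    fields = _event_fields(message)
    if "..." in specs:
        i = specs.index("...")
        head, tail = specs[:i], specs[i + 1:]
        if len(fields) < len(head) + len(tail):
            return False
        pairs = list(zip(head, fields)) + list(zip(tail, fields[len(fields) - len(tail):]))
    else:
        if len(fields) != len(specs):
            return False
        pairs = list(zip(specs, fields))
    for spec, value in pairs:
        m = re.fullmatch(r"(\w+)\s*(!=|=)\s*(.+)", spec)
        if m is None:
            continue  # bare field name: any value is fine
        _, op, want = m.groups()
        hit = fnmatch.fnmatchcase(value, want.strip('"'))
        if hit != (op == "="):
            return False
    return True


def matches(pattern, message):
    """Return True if a single log event message matches the filter pattern."""
    pattern = pattern.strip()
    if not pattern:
        return True  # an empty pattern matches every event
    if pattern.startswith("[") and pattern.endswith("]"):
        return _match_fields(pattern, message)
    return _match_terms(pattern, message)


def apply_filter(pattern, events):
    """Return the events a metric or subscription filter with this pattern would select."""
    return [e for e in events if matches(pattern, e)]


if __name__ == "__main__":
    for p in ("ERROR", "?ERROR ?WARN", "ERROR -Exception",
              "[ip, user, username, timestamp, request, status_code = 4*, bytes]"):
        print(f"{p!r}: {len(apply_filter(p, SAMPLE_EVENTS))} match(es)")
```

The space-delimited form is the one that matters for access logs: a pattern such as `[ip, user, username, timestamp, request, status_code = 4*, bytes]` selects only the 403 and 404 lines, which is exactly the kind of selection you would put behind a metric filter and an alarm to surface brute-force or scanning activity. Before relying on a pattern in production, test it against real events with the console's pattern tester or the TestMetricFilter API rather than against a model like this one.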

Figure 8.2: How logs move from AWS resources to CloudWatch Logs

Figure 8.2 shows how AWS resources emit log events that are written to log streams, and how those log streams are organized into log groups. A log group can have a subscription filter whose matching events are delivered in near real time to other services for long-term storage or analysis, and the log group's events can also be exported to S3. CloudWatch Logs itself retains the events for the period you set on the log group.
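
Because the default retention is "never expire", a practical check is to audit every log group's retention against a policy before an auditor or a bill does it for you. The following is an added example (not code from the study guide or from AWS) that flags log groups with no retention policy or with retention below an assumed compliance minimum, rounds a requested retention up to a value the PutRetentionPolicy API accepts, and shows the two boto3 calls needed to list and remediate real log groups. The sample log groups, the 365-day minimum, and the helper names are assumptions of this example.

```python
"""Retention audit for CloudWatch Logs log groups (added example).

Flags log groups whose events never expire (no retention policy) or whose
retention is shorter than a compliance minimum, and rounds a requested
retention up to a value PutRetentionPolicy accepts. The audit works on
dicts shaped like DescribeLogGroups results, so it runs offline on
constructed data; the two boto3 helpers at the end talk to AWS.
"""
from dataclasses import dataclass
from typing import Optional

# Values accepted by PutRetentionPolicy's retentionInDays (10 years = 3653 days).
VALID_RETENTION_DAYS = (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                        731, 1096, 1827, 2192, 2557, 2922, 3288, 3653)

# Constructed sample in the shape of DescribeLogGroups output (not real account data).
SAMPLE_GROUPS = [
    {"logGroupName": "/aws/lambda/orders", "retentionInDays": 30},
    {"logGroupName": "/aws/cloudtrail/audit"},          # no key => never expires
    {"logGroupName": "/app/auth", "retentionInDays": 400},
]


@dataclass(frozen=True)
class RetentionFinding:
    log_group: str
    retention_days: Optional[int]   # None means "never expire"
    issue: str


def nearest_valid_retention(days):
    """Round a requested retention up to the next value the API accepts."""
    for v in VALID_RETENTION_DAYS:
        if v >= days:
            return v
    return VALID_RETENTION_DAYS[-1]


def audit_retention(log_groups, min_days=365):
    """Return a finding for every log group that never expires or keeps
    events for less than min_days (the assumed compliance minimum)."""
    findings = []
    for g in log_groups:
        name, days = g["logGroupName"], g.get("retentionInDays")
        if days is None:
            findings.append(RetentionFinding(name, None, "never expires: no retention policy set"))
        elif days < min_days:
            findings.append(RetentionFinding(name, days, f"retention below the {min_days}-day minimum"))
    return findings


def plan_remediation(findings, target_days):
    """Map each finding to the retention that will be applied (an API-valid value)."""
    days = nearest_valid_retention(target_days)
    return [(f.log_group, days) for f in findings]


def list_log_groups(client):
    """Page through DescribeLogGroups with a boto3 'logs' client (needs logs:DescribeLogGroups)."""
    groups = []
    for page in client.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    return groups


def apply_remediation(client, plan):
    """Apply the planned retention with PutRetentionPolicy (needs logs:PutRetentionPolicy)."""
    for log_group, days in plan:
        client.put_retention_policy(logGroupName=log_group, retentionInDays=days)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a real account:
    #   import boto3; groups = list_log_groups(boto3.client("logs"))
    findings = audit_retention(SAMPLE_GROUPS)
    for f in findings:
        print(f"{f.log_group}: {f.issue}")
    print(plan_remediation(findings, target_days=365))
```

Run the plan as a dry run first and review it, then call apply_remediation with a client whose role has only the two permissions named above. Deliberately treat "never expires" as a finding rather than a safe default: it should be an explicit decision per log group, and for audit-grade logs such as CloudTrail the usual answer is a long retention in CloudWatch Logs plus an export to S3 with Object Lock rather than an unbounded log group.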

The next section will show you how to save log files indefinitely or for a specific period of time.