An Introduction to CloudWatch Logs: What You Need to Know

Jay Tillu

Arjun just deployed a new feature to his app.
The team was hyped. The users were excited.
But something broke… again.

“Where do I even see what went wrong?” Arjun muttered.

That's when he met CloudWatch Logs — AWS’s built-in service for collecting and storing logs.

And everything changed.


💡 Why Use CloudWatch Logs?

Amazon CloudWatch Logs is AWS’s centralized log management service.
It’s where your apps, services, and resources can send their log data — securely, flexibly, and at scale.

Arjun learned this the hard way.
Now he uses CloudWatch Logs as his app’s black box recorder — capturing every crash, exception, and debug message in one place.

Before CloudWatch Logs, Arjun was:

  • SSH-ing into EC2 just to tail log files

  • Manually copying logs to debug

  • Missing errors from Lambda functions or API Gateway

Now?

  • All logs are in one place: CloudWatch Logs

  • Searchable, visual, organized

  • No more guesswork


📅 Retention: Keep What Matters

Arjun sets log retention policies like:

  • ✅ 7 days for debug logs

  • ✅ 30 days for API traffic

  • ✅ Forever for security logs

You can choose a retention period from 1 day to 10 years, or keep logs indefinitely.
No more bloated log bills. No more lost critical logs.


🔐 Security: Your Logs, Your Keys

By default, AWS encrypts all CloudWatch Logs.
But Arjun takes it further — using KMS to encrypt sensitive logs with his own keys.
Perfect for compliance and audits.
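
The retention and encryption rules above can be checked automatically. The following is an added example, not code from the original article: it audits log groups against a policy table. The `/ridego/...` group names, the policy table, the key ARN and the sample data are constructed for illustration; the sample mirrors the shape of a DescribeLogGroups response.

```python
# SAMPLE is constructed. In a DescribeLogGroups response, retentionInDays is
# absent when logs never expire and kmsKeyId is absent when no
# customer-managed KMS key is associated with the log group.
SAMPLE = {
    "logGroups": [
        {"logGroupName": "/ridego/debug", "retentionInDays": 7},
        {"logGroupName": "/ridego/api", "retentionInDays": 90},
        {"logGroupName": "/ridego/security",
         "kmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
        {"logGroupName": "/ridego/security-audit", "retentionInDays": 30},
        {"logGroupName": "/ridego/tmp"},
    ]
}

# Hypothetical policy rows: (name prefix, expected retention in days or None
# for "keep forever", whether a customer-managed KMS key is required).
POLICY = [
    ("/ridego/debug", 7, False),
    ("/ridego/api", 30, False),
    ("/ridego/security", None, True),
]

def match_rule(name):
    """Return the policy row with the longest matching prefix, or None."""
    hits = [rule for rule in POLICY if name.startswith(rule[0])]
    return max(hits, key=lambda rule: len(rule[0])) if hits else None

def audit(response):
    """Return a list of (log group name, problem) tuples."""
    findings = []
    for group in response["logGroups"]:
        name = group["logGroupName"]
        rule = match_rule(name)
        if rule is None:
            findings.append((name, "no policy rule covers this log group"))
            continue
        _, want_days, need_kms = rule
        have_days = group.get("retentionInDays")  # None means never expire
        if have_days != want_days:
            findings.append((name, f"retention is {have_days}, policy says {want_days}"))
        if need_kms and "kmsKeyId" not in group:
            findings.append((name, "no customer-managed KMS key associated"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

Against a real account, pass `audit` each page returned by the boto3 `describe_log_groups` paginator instead of `SAMPLE`.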


📦 How Do Logs Get Into CloudWatch?

Let’s make this crystal clear.

There are 2 ways services send logs into CloudWatch Logs:

| Source | Description |
| --- | --- |
| EC2 | Using CloudWatch Unified Agent to push logs |
| Lambda | Automatically sends logs for every execution |
| ECS | Streams container logs |
| Elastic Beanstalk | App logs routed via Beanstalk |
| API Gateway | Logs each API request |
| VPC Flow Logs | Captures network traffic metadata |
| CloudTrail | Sends filtered logs |
| Route 53 | Logs DNS queries |

Some services do it automatically:

| AWS Service | Sends Logs to CloudWatch Automatically? |
| --- | --- |
| Lambda | ✅ Yes, by default |
| API Gateway | ✅ Yes (if logging is enabled) |
| VPC Flow Logs | ✅ Yes (once created) |
| CloudTrail | ✅ Yes (when set to deliver to CloudWatch) |
| Route 53 | ✅ Yes (when query logging is enabled) |

👉 These need minor configuration, but once done, logs just flow in.


⚙️ Some services need manual setup:

| AWS Service | How to Send Logs |
| --- | --- |
| EC2 | Install CloudWatch Agent or Unified Agent |
| ECS / Docker Containers | Set up log drivers (e.g., awslogs) |
| Elastic Beanstalk | Configure logging in environment settings |

💡 Tip: Use the CloudWatch Unified Agent. It supports both logs and metrics and is the newer option.


🧱 How Are Logs Organized Inside CloudWatch?

Let’s break this down simply.

🔹 Log Group = A folder for your logs

You create one per app, service, or environment.

Example:

  • /myapp/production

  • /payment-service/dev

🔸 Log Stream = A file inside that folder

Each stream holds logs from one instance, container, or Lambda execution.

Example:

  • A single EC2 instance's logs

  • One Lambda function’s output

  • A specific container’s logs

📌 Think of it like this:

Log Group = Folder
Log Stream = Log file inside that folder


🧠 Arjun’s Setup Looks Like This:

For his EC2 App:

  • Log Group: /ridego/production

  • Log Streams: One for each EC2 instance

For his Lambda Functions:

  • Log Group: /aws/lambda/processPayment

  • Log Streams: One for each invocation

For his API Gateway:

  • Log Group: /aws/api-gateway/ridegoAPI

  • Log Streams: One for each API request

And they automatically show up in CloudWatch once logging is enabled.


🔍 Querying Logs with CloudWatch Logs Insights

Arjun used to scroll endlessly through raw logs. Not anymore.

Now he uses CloudWatch Logs Insights — a built-in log query engine.

📊 What It Does:

  • Search logs by time range, keyword, IP, or error

  • Aggregate stats (like how many 500 errors occurred)

  • Visualize patterns and trends

  • Save and reuse queries in dashboards

Example query:

fields @timestamp, @message
| filter @message like /ERROR/
| sort @timestamp desc
| limit 25

He even added it to his CloudWatch Dashboard, so his team sees real-time error counts.


🚚 Where Else Can Logs Go?

Arjun doesn’t just store logs — he moves them too:

🟡 Batch Export to S3

  • Triggered via CreateExportTask

  • Good for archival

  • Runs every 12 hours

  • ❌ Not real-time

🟢 Real-Time Streaming (Log Subscriptions)

Send logs as they arrive to:

  • Kinesis Data Streams (for analytics)

  • Kinesis Data Firehose (auto-load to S3, Redshift, OpenSearch)

  • AWS Lambda (custom processing)

  • Amazon OpenSearch Service (for log search/visualization)

💡 Use Subscription Filters to filter what logs to forward.
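
When the subscription target is AWS Lambda, the function receives each batch as a base64-encoded, gzip-compressed JSON document under `awslogs.data`. The following is an added example, not code from the original article: a handler that unpacks that payload and counts ERROR events. The log group, stream and filter names and the sample payload are constructed.

```python
import base64
import gzip
import json

def decode_subscription_event(event):
    """Unpack a CloudWatch Logs subscription delivery to Lambda.

    Returns (log_group, log_stream, log_events), or None for a control message.
    """
    raw = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(raw))
    if payload.get("messageType") != "DATA_MESSAGE":
        return None  # e.g. CONTROL_MESSAGE: a reachability probe, no log data
    return payload["logGroup"], payload["logStream"], payload["logEvents"]

def handler(event, context):
    """Lambda entry point: emit one JSON line per ERROR event, return the count."""
    decoded = decode_subscription_event(event)
    if decoded is None:
        return {"errors": 0}
    group, stream, events = decoded
    errors = [e for e in events if "ERROR" in e["message"]]
    for e in errors:
        print(json.dumps({"group": group, "stream": stream,
                          "timestamp": e["timestamp"], "message": e["message"]}))
    return {"errors": len(errors)}

def make_event(payload):
    """Build a constructed delivery the way the service encodes it (gzip, then base64)."""
    blob = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(blob).decode("ascii")}}

# Constructed sample, not real log data.
SAMPLE_EVENT = make_event({
    "messageType": "DATA_MESSAGE",
    "owner": "111111111111",
    "logGroup": "/ridego/production",
    "logStream": "i-0example",
    "subscriptionFilters": ["errors-to-lambda"],
    "logEvents": [
        {"id": "1", "timestamp": 1700000000000, "message": "INFO ride booked"},
        {"id": "2", "timestamp": 1700000001000, "message": "ERROR payment timeout"},
    ],
})

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, None))
```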


🌍 Cross-Account Logging Made Simple

Arjun didn’t want to check logs in every AWS account.
He wanted one place to see all logs — across accounts and regions.

Here’s how he did it (in plain English):

  1. In the main account, he created a destination (like a Kinesis Stream).

  2. Other AWS accounts got permission to send logs there.

  3. He connected each source account to the central log stream.

✅ Now all logs from different accounts flow into one central location.

📊 One dashboard. One stream. No more account hopping.
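
The three steps above map onto three CloudWatch Logs API calls. The following is an added example, not code from the original article: it builds the destination access policy so that only named source accounts can subscribe, then makes the calls through a boto3 `logs` client passed in by the caller. Account IDs, ARNs and the `to-central` filter name are constructed placeholders.

```python
import json

def destination_access_policy(destination_arn, source_account_ids):
    """Resource policy that lets only the listed accounts attach
    subscription filters to the central destination."""
    for acct in source_account_ids:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit account id: {acct!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowListedSourceAccounts",
            "Effect": "Allow",
            "Principal": {"AWS": sorted(set(source_account_ids))},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": destination_arn,
        }],
    }

def create_central_destination(logs, name, stream_arn, role_arn, source_accounts):
    """Steps 1 and 2, run in the central account.

    `logs` is a boto3 'logs' client; role_arn is the IAM role CloudWatch Logs
    assumes to write into the Kinesis stream.
    """
    dest = logs.put_destination(
        destinationName=name, targetArn=stream_arn, roleArn=role_arn)
    arn = dest["destination"]["arn"]
    policy = destination_access_policy(arn, source_accounts)
    logs.put_destination_policy(
        destinationName=name, accessPolicy=json.dumps(policy))
    return arn

def subscribe_source_group(logs, log_group, destination_arn, pattern=""):
    """Step 3, run in each source account. An empty pattern forwards everything."""
    logs.put_subscription_filter(
        logGroupName=log_group, filterName="to-central",
        filterPattern=pattern, destinationArn=destination_arn)

if __name__ == "__main__":
    # Constructed values: print the policy without calling AWS.
    arn = "arn:aws:logs:us-east-1:999999999999:destination:central-logs"
    print(json.dumps(destination_access_policy(arn, ["111111111111"]), indent=2))
```

Listing explicit account IDs in `Principal` keeps the destination closed to accounts that were never meant to send logs to it.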


🧠 Pro Tips for SAA Learners

  • Know the difference between:

    • Log Groups vs Log Streams

    • Batch Export (S3) vs Real-Time Stream (Kinesis)

  • Learn CloudWatch Logs Insights syntax

  • Understand how Lambda, ECS, API Gateway send logs

  • Remember: use CloudWatch Unified Agent now

  • Explore cross-account log aggregation


🔍 How Arjun Debugs Now

Before:

Log in to server → find the right file → scroll like mad

Now:

Open CloudWatch Logs → Search by keyword or time → Done

He even uses Log Insights to:

  • Find all errors from the past hour

  • Track how many times a specific error happened

  • Visualize log data trends


🎯 Final Recap

| Concept | Meaning |
| --- | --- |
| CloudWatch Logs | Central place for your AWS logs |
| Log Group | Folder that stores logs for a service or app |
| Log Stream | Individual log files inside a log group |
| Automatic logging | Lambda, API Gateway, etc. do this |
| Manual setup | EC2, ECS need agents or config |
| CloudWatch Logs Insights | Tool to search and analyze logs |

🧘 Arjun Now Sleeps Better

Thanks to CloudWatch Logs:

  • He sees crashes as they happen

  • He knows why things break

  • He acts before users complain

CloudWatch Logs didn’t just store data.
It brought clarity to chaos.

