aws-logging-diagnostics
// Querying and analyzing CloudWatch Logs, CloudTrail events, and other AWS log sources. Use when investigating errors, auditing actions, or understanding what happened with an AWS resource.
| name | aws-logging-diagnostics |
| description | Querying and analyzing CloudWatch Logs, CloudTrail events, and other AWS log sources. Use when investigating errors, auditing actions, or understanding what happened with an AWS resource. |
Security: Always ensure migrated resources meet or exceed the security configuration of the source resources. Refer to SECURITY.md for security requirements.
```bash
# List log groups matching a pattern
aws logs describe-log-groups --log-group-name-prefix "/aws/lambda/<func>" --region <region> --query 'logGroups[*].{Name:logGroupName,Stored:storedBytes,Retention:retentionInDays}'
# List recent log streams
aws logs describe-log-streams --log-group-name <group> --order-by LastEventTime --descending --limit 5 --region <region> --query 'logStreams[*].{Name:logStreamName,LastEvent:lastEventTimestamp}'

# Search for errors in last hour
aws logs start-query --log-group-name <group> --start-time $(date -d '1 hour ago' +%s) --end-time $(date +%s) --query-string 'fields @timestamp, @message | filter @message like /ERROR|Exception|FATAL/ | sort @timestamp desc | limit 50' --region <region>
# Get query results
aws logs get-query-results --query-id <query-id> --region <region>
# Search for specific request/correlation ID
aws logs start-query --log-group-name <group> --start-time $(date -d '24 hours ago' +%s) --end-time $(date +%s) --query-string 'fields @timestamp, @message | filter @message like /<request-id>/ | sort @timestamp desc' --region <region>
# Aggregate error counts
aws logs start-query --log-group-name <group> --start-time $(date -d '24 hours ago' +%s) --end-time $(date +%s) --query-string 'fields @message | filter @message like /ERROR/ | stats count() by bin(1h)' --region <region>

# Tail a log group in real time
aws logs tail <group> --follow --since 5m --region <region>
# With filter
aws logs tail <group> --follow --since 10m --filter-pattern "ERROR" --region <region>

# Get events from a specific log stream (timestamps are epoch milliseconds)
aws logs get-log-events --log-group-name <group> --log-stream-name <stream> --start-time $(date -d '1 hour ago' +%s000) --region <region> --query 'events[*].{Time:timestamp,Msg:message}'
# Filter for JSON fields
aws logs filter-log-events --log-group-name <group> --filter-pattern '{$.statusCode = 500}' --start-time $(date -d '1 hour ago' +%s000) --region <region>
# Filter for text patterns
aws logs filter-log-events --log-group-name <group> --filter-pattern '"OutOfMemory"' --start-time $(date -d '6 hours ago' +%s000) --region <region>
```
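`start-query` returns a query ID immediately, and `get-query-results` reports a status until the query finishes, so the two commands above need a polling loop between them. The following is an added example, not part of the original skill: `run_insights_query`, `POLL_INTERVAL` and `MAX_POLLS` are assumed names, and the time window is passed in seconds instead of through GNU `date -d`.

```bash
# Added example, not part of the original skill. Function name, POLL_INTERVAL and
# MAX_POLLS are assumptions; the aws subcommands and flags are the real CLI ones.
POLL_INTERVAL="${POLL_INTERVAL:-2}"   # seconds between status checks
MAX_POLLS="${MAX_POLLS:-30}"          # give up (and stop the query) after this many

# usage: run_insights_query <log-group> <region> <query-string> [window-seconds]
# The ( ) body runs in a subshell, so variables stay local and `exit` only
# sets the function's return status: 0 ok, 1 API error, 2 query failed, 3 gave up.
run_insights_query() (
  group=$1 region=$2 query=$3 window=${4:-3600}
  now=$(date +%s)   # epoch arithmetic, portable where `date -d` is not

  qid=$(aws logs start-query --log-group-name "$group" \
          --start-time "$((now - window))" --end-time "$now" \
          --query-string "$query" --region "$region" \
          --query queryId --output text) || exit 1

  i=0
  while [ "$i" -lt "$MAX_POLLS" ]; do
    status=$(aws logs get-query-results --query-id "$qid" --region "$region" \
               --query status --output text) || exit 1
    case "$status" in
      Complete)
        aws logs get-query-results --query-id "$qid" --region "$region" --output json
        exit 0 ;;
      Scheduled|Running) ;;   # still in progress, keep polling
      *)                      # Failed, Cancelled, Timeout, Unknown
        echo "query $qid ended with status $status" >&2
        exit 2 ;;
    esac
    sleep "$POLL_INTERVAL"
    i=$((i + 1))
  done

  # Stop the abandoned query so it does not keep scanning log data.
  aws logs stop-query --query-id "$qid" --region "$region" >/dev/null
  echo "query $qid not complete after $MAX_POLLS polls; stopped" >&2
  exit 3
)
```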
Customers are responsible for enabling AWS CloudTrail, configuring trail settings, and monitoring audit logs. AWS is responsible for the CloudTrail service infrastructure and API event delivery.
```bash
# Who did what in the last hour
aws cloudtrail lookup-events --start-time $(date -d '1 hour ago' -Iseconds) --region <region> --query 'Events[*].{Time:EventTime,Name:EventName,User:Username,Source:EventSource}'
# Filter by event name
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=<event> --start-time $(date -d '24 hours ago' -Iseconds) --region <region>
# Filter by resource
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=<resource-name> --start-time $(date -d '7 days ago' -Iseconds) --region <region>
# Filter by user
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=<username> --start-time $(date -d '24 hours ago' -Iseconds) --region <region>

# If CloudTrail logs are in S3, query with Athena
aws athena start-query-execution --query-string "
SELECT eventtime, eventname, useridentity.arn, sourceipaddress, errorcode, errormessage
FROM cloudtrail_logs
WHERE eventname = '<event>'
AND eventtime > '<date>'
ORDER BY eventtime DESC
LIMIT 100
" --query-execution-context Database=<db> --result-configuration OutputLocation=s3://<bucket>/athena-results/ --region <region>

# Check if insights are enabled
aws cloudtrail get-insight-selectors --trail-name <trail> --region <region>
# Lookup insight events (unusual API activity)
# --event-category insight is required; without it only management events are returned
aws cloudtrail lookup-events --event-category insight --lookup-attributes AttributeKey=EventSource,AttributeValue=<service>.amazonaws.com --start-time $(date -d '7 days ago' -Iseconds) --region <region>
```
```bash
# EC2 CPU utilization
aws cloudwatch get-metric-statistics --namespace AWS/EC2 --metric-name CPUUtilization --dimensions Name=InstanceId,Value=<id> --start-time $(date -d '1 hour ago' -Iseconds) --end-time $(date -Iseconds) --period 300 --statistics Average --region <region>
# RDS connections
aws cloudwatch get-metric-statistics --namespace AWS/RDS --metric-name DatabaseConnections --dimensions Name=DBInstanceIdentifier,Value=<id> --start-time $(date -d '1 hour ago' -Iseconds) --end-time $(date -Iseconds) --period 300 --statistics Maximum --region <region>
# Lambda errors
aws cloudwatch get-metric-statistics --namespace AWS/Lambda --metric-name Errors --dimensions Name=FunctionName,Value=<func> --start-time $(date -d '1 hour ago' -Iseconds) --end-time $(date -Iseconds) --period 300 --statistics Sum --region <region>
# ALB 5xx errors
aws cloudwatch get-metric-statistics --namespace AWS/ApplicationELB --metric-name HTTPCode_ELB_5XX_Count --dimensions Name=LoadBalancer,Value=<alb-id> --start-time $(date -d '1 hour ago' -Iseconds) --end-time $(date -Iseconds) --period 300 --statistics Sum --region <region>

# List alarms in ALARM state
aws cloudwatch describe-alarms --state-value ALARM --region <region> --query 'MetricAlarms[*].{Name:AlarmName,Metric:MetricName,State:StateValue,Reason:StateReason}'
# Check specific alarm
aws cloudwatch describe-alarms --alarm-names <alarm-name> --region <region>
# Alarm history
aws cloudwatch describe-alarm-history --alarm-name <alarm-name> --history-item-type StateUpdate --region <region>
```
When investigating an issue:
Customers are responsible for enabling access logging for Amazon S3 buckets, configuring database audit logging, encrypting Amazon CloudWatch Logs with AWS KMS, and managing log retention policies. AWS is responsible for the underlying logging service infrastructure and log delivery mechanisms.
Enable comprehensive access logging for data operations:
pgaudit for PostgreSQL, audit plugin for MySQL)

```bash
aws logs associate-kms-key --log-group-name <group> --kms-key-id <key-arn>
```
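A check for the two customer-side controls named above, KMS encryption and log retention, across every log group in a region. This is an added example, not part of the original skill; `audit_log_groups` and the finding labels `NO_KMS_KEY` and `NEVER_EXPIRES` are assumed names.

```bash
# Added example, not part of the original skill. audit_log_groups and the
# finding labels are assumed names; the aws call uses real CLI flags.
# usage: audit_log_groups <region>
# Prints "<log-group><TAB><finding>" for each gap.
# Returns 0 if every group is encrypted and has a retention period,
# 1 if any gap was found, 2 if the API call failed.
audit_log_groups() (
  region=$1
  tab=$(printf '\t')

  # --output text prints missing (null) fields as the literal string "None".
  rows=$(aws logs describe-log-groups --region "$region" --output text \
           --query 'logGroups[].[logGroupName, kmsKeyId, retentionInDays]') || exit 2

  findings=$(printf '%s\n' "$rows" | while IFS=$tab read -r name kms retention; do
    [ -n "$name" ] || continue
    # No customer-managed key associated with the log group.
    if [ "$kms" = None ]; then printf '%s\tNO_KMS_KEY\n' "$name"; fi
    # No retention period set: events are kept indefinitely.
    if [ "$retention" = None ]; then printf '%s\tNEVER_EXPIRES\n' "$name"; fi
  done)

  if [ -z "$findings" ]; then exit 0; fi
  printf '%s\n' "$findings"
  exit 1
)
```

A group flagged `NO_KMS_KEY` can be fixed with the `associate-kms-key` command above.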