Using Elastic Beanstalk with Amazon CloudWatch Logs
This topic explains the monitoring features that the Amazon CloudWatch Logs service can provide to Elastic Beanstalk. It also walks you through the configuration setup and lists the locations of the logs for each Elastic Beanstalk platform.
Implementing CloudWatch Logs can enable you to do the following monitoring activities:
- Monitor and archive your Elastic Beanstalk application, system, and custom log files from the Amazon EC2 instances of your environments.
- Configure alarms that make it easier for you to react to specific log stream events that your metric filters extract.
The CloudWatch Logs agent installed on each Amazon EC2 instance in your environment publishes metric data points to the CloudWatch service for each log group you configure. Each log group applies its own filter patterns to determine what log stream events to send to CloudWatch as data points. Log streams that belong to the same log group share the same retention, monitoring, and access control settings. You can configure Elastic Beanstalk to automatically stream logs to the CloudWatch service, as described in Streaming instance logs to CloudWatch Logs. For more information about CloudWatch Logs, including terminology and concepts, see the Amazon CloudWatch Logs User Guide.
In addition to instance logs, if you enable enhanced health for your environment, you can configure the environment to stream health information to CloudWatch Logs. See Streaming Elastic Beanstalk environment health information to Amazon CloudWatch Logs.
Prerequisites to instance log streaming to CloudWatch Logs
To enable streaming of logs from your environment's Amazon EC2 instances to CloudWatch Logs, you must meet the following conditions.
- Platform – Because this feature is only available in platform versions released on or after this release, if you are using an earlier platform version, update your environment to a current one.
- If you don't have the AWSElasticBeanstalkWebTier or AWSElasticBeanstalkWorkerTier Elastic Beanstalk managed policy in your Elastic Beanstalk instance profile, you must add the following to your profile to enable this feature.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:PutLogEvents",
            "logs:CreateLogStream"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
How Elastic Beanstalk sets up CloudWatch Logs
Elastic Beanstalk installs a CloudWatch log agent with the default configuration settings on each instance it creates. Learn more in the CloudWatch Logs Agent Reference.
When you enable instance log streaming to CloudWatch Logs, Elastic Beanstalk sends log files from your environment's instances to CloudWatch Logs. Different platforms stream different logs. The following table lists the logs, by platform.
Platform / Platform Branch | Logs |
---|---|
Docker / Platform Branch: Docker Running on 64bit Amazon Linux 2 | |
Docker / Platform Branch: ECS Running on 64bit Amazon Linux 2 | |
Go; .NET Core on Linux; Java / Platform Branch: Corretto running on 64bit Amazon Linux 2 | |
Node.js; Python | |
Tomcat; PHP | |
.NET on Windows Server | |
Ruby | |
Note
On July 18, 2022, Elastic Beanstalk set the status of all platform branches based on Amazon Linux AMI (AL1) to retired. For more information about migrating to a current and fully supported Amazon Linux 2023 platform branch, see Migrating your Elastic Beanstalk Linux application to Amazon Linux 2023 or Amazon Linux 2.
The following table lists the log files streamed from instances on platform branches based on Amazon Linux AMI (preceding Amazon Linux 2), by platform.
Platform / Platform Branch | Logs |
---|---|
Docker / Platform Branch: Docker Running on 64bit Amazon Linux | |
Docker / Platform Branch: Multicontainer Docker Running on 64bit Amazon Linux | |
Glassfish (Preconfigured Docker) | |
Go | |
Java / Platform Branch: Java 8 running on 64bit Amazon Linux; Platform Branch: Java 7 running on 64bit Amazon Linux | |
Tomcat | |
Node.js | |
PHP | |
Python | |
Ruby / Platform Branch: Puma with Ruby running on 64bit Amazon Linux | |
Ruby / Platform Branch: Passenger with Ruby running on 64bit Amazon Linux | |
Elastic Beanstalk configures log groups in CloudWatch Logs for the various log files that it streams. To retrieve specific log files from CloudWatch Logs, you have to know the name of the corresponding log group. The log group naming scheme depends on the platform's operating system.
For Linux platforms, prefix the on-instance log file location with /aws/elasticbeanstalk/environment_name to get the log group name. For example, to retrieve the file /var/log/nginx/error.log, specify the log group /aws/elasticbeanstalk/environment_name/var/log/nginx/error.log.
For Windows platforms, see the following table for the log group corresponding to each log file.
On-instance log file | Log group |
---|---|
 | |
 | |
 | |
Streaming instance logs to CloudWatch Logs
You can enable instance log streaming to CloudWatch Logs using the Elastic Beanstalk console, the EB CLI, or configuration options.
Before you enable it, set up IAM permissions to use with the CloudWatch Logs agent. You can attach the following custom policy to the instance profile that you assign to your environment.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
Instance log streaming using the Elastic Beanstalk console
To stream instance logs to CloudWatch Logs
- Open the Elastic Beanstalk console, and in the Regions list, select your AWS Region.
- In the navigation pane, choose Environments, and then choose the name of your environment from the list.
  Note
  If you have many environments, use the search bar to filter the environment list.
- In the navigation pane, choose Configuration.
- In the Updates, monitoring, and logging configuration category, choose Edit.
- Under Instance log streaming to CloudWatch Logs:
  - Enable Log streaming.
  - Set Retention to the number of days to save the logs.
  - Select the Lifecycle setting that determines whether the logs are saved after the environment is terminated.
- To save the changes choose Apply at the bottom of the page.
After you enable log streaming, you can return to the Software configuration category or page and find the Log Groups link. Click this link to see your logs in the CloudWatch console.
Instance log streaming using the EB CLI
To enable instance log streaming to CloudWatch Logs using the EB CLI, use the eb logs command.

    $ eb logs --cloudwatch-logs enable

You can also use eb logs to retrieve logs from CloudWatch Logs. You can retrieve all the environment's instance logs, or use the command's many options to specify subsets of logs to retrieve. For example, the following command retrieves the complete set of instance logs for your environment, and saves them to a directory under .elasticbeanstalk/logs.

    $ eb logs --all

In particular, the --log-group option enables you to retrieve instance logs of a specific log group, corresponding to a specific on-instance log file. To do that, you need to know the name of the log group that corresponds to the log file you want to retrieve. You can find this information in How Elastic Beanstalk sets up CloudWatch Logs.
Instance log streaming using configuration files
When you create or update an environment, you can use a configuration file to set up and configure instance log streaming to CloudWatch Logs. The following example configuration file enables default instance log streaming. Elastic Beanstalk streams the default set of log files for your environment's platform. To use the example, copy the text into a file with the .config extension in the .ebextensions directory at the top level of your application source bundle.

    option_settings:
      - namespace: aws:elasticbeanstalk:cloudwatch:logs
        option_name: StreamLogs
        value: true
Custom log file streaming
The Elastic Beanstalk integration with CloudWatch Logs doesn't directly support the streaming of custom log files that your application generates. To stream custom logs, use a configuration file to directly install the CloudWatch agent and to configure the files to be pushed. For an example configuration file, see logs-streamtocloudwatch-linux.config.
Note
The example doesn't work on the Windows platform.
For more information about configuring CloudWatch Logs, see the CloudWatch agent configuration file reference in the Amazon CloudWatch User Guide.
Troubleshooting CloudWatch Logs integration
If you can't find some of the environment's instance logs you expect in CloudWatch Logs, you can investigate the following common issues:
- Your IAM role lacks the required IAM permissions.
- You launched your environment in an AWS Region that doesn't support CloudWatch Logs.
- One of your custom log files doesn't exist in the path you specified.
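For the first troubleshooting item, the following added example (not part of the original page or of Elastic Beanstalk's tooling) checks offline whether an instance-profile policy allows the actions from the custom policy above on the log group derived from the Linux naming scheme, and flags actions granted through a bare `*` resource. The environment name `my-env`, the ARNs and `make_policy` are constructed for illustration, and matching is simplified to Allow statements only (no Deny, Condition or NotAction evaluation).

```python
import fnmatch
import json

# Actions listed in the page's custom policy for the CloudWatch Logs agent.
REQUIRED = ["logs:CreateLogStream", "logs:PutLogEvents",
            "logs:DescribeLogGroups", "logs:DescribeLogStreams"]


def log_group_name(environment_name, log_path):
    """Linux naming scheme from the page: prefix, environment name, file path."""
    return "/aws/elasticbeanstalk/" + environment_name + log_path


def _listify(value):
    return value if isinstance(value, list) else [value]


def review_policy(policy_json, environment_name, log_path):
    """Return (missing, broad): required actions not allowed on the log group,
    and required actions that are allowed through a bare "*" resource."""
    group = log_group_name(environment_name, log_path)
    # Constructed ARNs (placeholder Region, account and stream) used for matching.
    group_arn = "arn:aws:logs:us-east-1:111122223333:log-group:" + group
    targets = [group_arn, group_arn + ":log-stream:i-0123456789abcdef0"]
    allows = [s for s in _listify(json.loads(policy_json)["Statement"])
              if s.get("Effect") == "Allow"]
    missing, broad = [], []
    for action in REQUIRED:
        # Resource patterns of every Allow statement whose Action covers this one.
        patterns = [r for s in allows
                    if any(fnmatch.fnmatchcase(action.lower(), a.lower())
                           for a in _listify(s.get("Action", [])))
                    for r in _listify(s.get("Resource", []))]
        if not any(fnmatch.fnmatchcase(t, p) for t in targets for p in patterns):
            missing.append(action)
        elif "*" in patterns:
            broad.append(action)
    return missing, broad


def make_policy(resource, actions=REQUIRED):
    """Build a constructed sample policy in the same shape as the page's."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": [resource]}]})


if __name__ == "__main__":
    scoped = "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/my-env/*"
    samples = [("page policy", make_policy("*")), ("scoped", make_policy(scoped)),
               ("no PutLogEvents", make_policy(scoped, REQUIRED[:1] + REQUIRED[2:]))]
    for label, policy in samples:
        print(label, review_policy(policy, "my-env", "/var/log/nginx/error.log"))
```

A non-empty `missing` list for a log file you expect to see points at the permissions issue; a non-empty `broad` list means the policy also reaches log groups outside the environment.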