AWS Cloudwatch Logs Sink
The Vector aws_cloudwatch_logs sink batches log events to Amazon Web Service's CloudWatch Logs service via the PutLogEvents API endpoint.
Configuration
- Common
- Advanced
[sinks.my_sink_id] # REQUIRED - General type = "aws_cloudwatch_logs" # must be: "aws_cloudwatch_logs" inputs = ["my-source-id"] # example group_name = "{{ file }}" # example region = "us-east-1" # example, relevant when host = "" stream_name = "{{ instance_id }}" # example
# REQUIRED - requests encoding = "json" # example, enum
# OPTIONAL - General create_missing_group = true # default create_missing_stream = true # default healthcheck = true # defaultOptions
assume_role
The ARN of an IAM role to assume at startup. See AWS Authentication for more info.
batch
Configures the sink batching behavior.
max_size
The maximum size of a batch, in bytes, before it is flushed. See Buffers & Batches for more info.
1049000 (bytes)timeout_secs
The maximum age of a batch before it is flushed. See Buffers & Batches for more info.
1 (seconds)buffer
Configures the sink specific buffer behavior.
max_size
The maximum size of the buffer on the disk. See Buffers & Batches for more info.
type
The buffer's type and storage mechanism.
"memory""memory" "disk" when_full
The behavior when the buffer becomes full.
"block""block" "drop_newest" create_missing_group
Dynamically create a log group if it does not already exist. This will ignore create_missing_stream directly after creating the group and will create the first stream.
truecreate_missing_stream
Dynamically create a log stream if it does not already exist.
trueencoding
The encoding format used to serialize the events before outputting.
"json" "text" endpoint
Custom endpoint for use with AWS-compatible services. Providing a value for this option will make region moot.
group_name
The group name of the target CloudWatch Logs stream. See Partitioning and Template Syntax for more info.
healthcheck
Enables/disables the sink healthcheck upon start. See Health Checks for more info.
trueregion
The AWS region of the target service. If endpoint is provided it will override this value since the endpoint includes the region.
request
Configures the sink request behavior.
in_flight_limit
The maximum number of in-flight requests allowed at any given time. See Rate Limits for more info.
5 (requests)rate_limit_duration_secs
The time window, in seconds, used for the rate_limit_num option. See Rate Limits for more info.
1 (seconds)rate_limit_num
The maximum number of requests allowed within the rate_limit_duration_secs time window. See Rate Limits for more info.
5retry_attempts
The maximum number of retries to make for failed requests. See Retry Policy for more info.
-1retry_initial_backoff_secs
The amount of time to wait before attempting the first retry for a failed request. Once, the first retry has failed the fibonacci sequence will be used to select future backoffs.
1 (seconds)retry_max_duration_secs
The maximum amount of time, in seconds, to wait between retries.
10 (seconds)timeout_secs
The maximum time a request can take before being aborted. It is highly recommended that you do not lower value below the service's internal timeout, as this could create orphaned requests, pile on retries, and result in duplicate data downstream. See Buffers & Batches for more info.
30 (seconds)stream_name
The stream name of the target CloudWatch Logs stream. See Partitioning and Template Syntax for more info.
Env Vars
AWS_ACCESS_KEY_ID
Used for AWS authentication when communicating with AWS services. See relevant AWS components for more info. See AWS Authentication for more info.
AWS_SECRET_ACCESS_KEY
Used for AWS authentication when communicating with AWS services. See relevant AWS components for more info. See AWS Authentication for more info.
Output
The aws_cloudwatch_logs sink batches log events to Amazon Web Service's CloudWatch Logs service via the PutLogEvents API endpoint.
Batches are flushed via the batch_size or
batch_timeout options. You can learn more in the buffers &
batches section.
For example:
POST / HTTP/1.1Host: logs.<region>.<domain>X-Amz-Date: <date>Accept: application/jsonContent-Type: application/x-amz-json-1.1Content-Length: <byte_size>Connection: Keep-AliveX-Amz-Target: Logs_20140328.PutLogEvents
{ "logGroupName": "<group_name>", "logStreamName": "<stream_name>", "logEvents": [ { "timestamp": <log_timestamp>, "message": "<json_encoded_log>" }, { "timestamp": <log_timestamp>, "message": "<json_encoded_log>" }, { "timestamp": <log_timestamp>, "message": "<json_encoded_log>" } ]}How It Works
AWS Authentication
Vector checks for AWS credentials in the following order:
- Environment variables
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY. - The
credential_processcommand in the AWS config file. (usually located at~/.aws/config) - The AWS credentials file. (usually located at
~/.aws/credentials) - The IAM instance profile. (will only work if running on an EC2 instance with an instance profile/role)
If credentials are not found the healtcheck will fail and an error will be logged.
Obtaining an access key
In general, we recommend using instance profiles/roles whenever possible. In cases where this is not possible you can generate an AWS access key for any user within your AWS account. AWS provides a detailed guide on how to do this.
Assuming Roles
Vector can assume an AWS IAM role via the assume_role option. This is an
optional setting that is helpful for a variety of use cases, such as cross
account access.
Buffers & Batches
The aws_cloudwatch_logs sink buffers & batches data as
shown in the diagram above. You'll notice that Vector treats these concepts
differently, instead of treating them as global concepts, Vector treats them
as sink specific concepts. This isolates sinks, ensuring services disruptions
are contained and delivery guarantees are honored.
Batches are flushed when 1 of 2 conditions are met:
- The batch age meets or exceeds the configured
timeout_secs. - The batch size meets or exceeds the configured
max_size.
Buffers are controlled via the buffer.* options.
Environment Variables
Environment variables are supported through all of Vector's configuration.
Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable
will be replaced before being evaluated.
You can learn more in the Environment Variables section.
Health Checks
Health checks ensure that the downstream service is accessible and ready to accept data. This check is performed upon sink initialization. If the health check fails an error will be logged and Vector will proceed to start.
Require Health Checks
If you'd like to exit immediately upon a health check failure, you can
pass the --require-healthy flag:
vector --config /etc/vector/vector.toml --require-healthyDisable Health Checks
If you'd like to disable health checks for this sink you can set the
healthcheck option to false.
Partitioning
Partitioning is controlled via the group_name and stream_name
options and allows you to dynamically partition data on the fly.
You'll notice that Vector's template sytax is
supported for these options, enabling you to use field values as partition keys.
Rate Limits
Vector offers a few levers to control the rate and volume of requests to the
downstream service. Start with the rate_limit_duration_secs and
rate_limit_num options to ensure Vector does not exceed the specified
number of requests in the specified window. You can further control the pace at
which this window is saturated with the in_flight_limit option, which
will guarantee no more than the specified number of requests are in-flight at
any given time.
Please note, Vector's defaults are carefully chosen and it should be rare that you need to adjust these. If you found a good reason to do so please share it with the Vector team by opening an issie.
Retry Policy
Vector will retry failed requests (status == 429, >= 500, and != 501).
Other responses will not be retried. You can control the number of retry
attempts and backoff rate with the retry_attempts and
retry_backoff_secs options.
Template Syntax
The group_name and stream_name options
support Vector's template syntax, enabling dynamic
values derived from the event's data. This syntax accepts
strptime specifiers as well as the
{{ field_name }} syntax for accessing event fields. For example:
[sinks.my_aws_cloudwatch_logs_sink_id] # ... group_name = "{{ file }}" group_name = "ec2/{{ instance_id }}" group_name = "group-name" # ...You can learn more about the complete syntax in the templating reference.