CloudWatch Logs
AWS CloudWatch Logs is a managed log aggregation service and is our default solution for log storage and analysis in AWS. It is integrated with many AWS services, including ECS and Lambda, and often provides the easiest route to collecting logs and making them queryable. As a fully managed service, CloudWatch Logs also typically requires no maintenance once an appropriate retention period is set. Setting this retention period matters because the default is to retain logs indefinitely, meaning log volume (and so monthly cost) increases over time and can become significant.
Writing logs
Logs are written to CloudWatch from many AWS services as part of their normal operation. For application logs, if the applications are deployed to ECS or as Lambda functions, logs written to stdout are automatically collected into CloudWatch. In other cases (such as when running in Kubernetes or on VMs) it can be necessary to run a log collector such as Logstash or Fluentd to feed logs into CloudWatch. Many application logging libraries also support shipping logs directly to CloudWatch as an alternative.
Querying
CloudWatch extracts fields from JSON logs automatically. Where logs cannot be written in JSON format, custom parsing rules can be configured to extract fields for querying.
CloudWatch Logs Insights allows rich and responsive ad hoc querying of logs which rivals that available in other log aggregation solutions.
The open-source project awslogs is a simple command line tool for querying groups, streams and events from Amazon CloudWatch Logs.
One of its most powerful features is the ability to query events from several streams and consume them (ordered) in pseudo-realtime using your favourite tools such as grep.
Custom metrics and alerting
Applications that target CloudWatch can write log entries in CloudWatch Embedded Metric Format. When log entries are written in this format, CloudWatch automatically creates any new metrics that are required, and populates values for existing metrics. Open source libraries for several programming languages are available.
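An added example (not code from the original page): a minimal Python builder for one Embedded Metric Format log line, which rejects name collisions and non-numeric metric values before the entry is written. The namespace, dimension, metric names and request id are constructed sample values.

```python
import json
import time


def emf_record(namespace, dimensions, metrics, properties=None, timestamp_ms=None):
    """Build one Embedded Metric Format log entry as a JSON string.
    dimensions: {name: value}, emitted as a single dimension set
    metrics:    {name: (numeric value, CloudWatch unit)}
    properties: extra queryable fields that do not become metrics
    """
    properties = properties or {}
    if not metrics:
        raise ValueError("at least one metric is required")
    # Dimensions, metrics and properties share the top level of the JSON
    # object, so a reused name would silently overwrite another value.
    names = list(dimensions) + list(metrics) + list(properties)
    if len(names) != len(set(names)) or "_aws" in names:
        raise ValueError("dimension, metric and property names must be unique")
    for name, (value, _unit) in metrics.items():
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError(f"metric {name!r} must be numeric")
    record = dict(properties)
    record.update({k: str(v) for k, v in dimensions.items()})  # dimension values are strings
    record.update({name: value for name, (value, _unit) in metrics.items()})
    record["_aws"] = {
        "Timestamp": int(time.time() * 1000) if timestamp_ms is None else timestamp_ms,
        "CloudWatchMetrics": [{
            "Namespace": namespace,
            "Dimensions": [list(dimensions)],  # one set, referenced by key name
            "Metrics": [{"Name": n, "Unit": u} for n, (_v, u) in metrics.items()],
        }],
    }
    return json.dumps(record, separators=(",", ":"))


def sample_line():
    # Constructed sample values. requestId is a property, not a dimension:
    # every distinct dimension value creates another custom metric to pay for.
    return emf_record(
        namespace="ExampleApp/Auth",
        dimensions={"Service": "login-api"},
        metrics={"FailedLogins": (3, "Count"), "AuthLatency": (41.5, "Milliseconds")},
        properties={"requestId": "req-0001"},
        timestamp_ms=1700000000000,
    )


if __name__ == "__main__":
    print(sample_line())  # stdout is collected into CloudWatch on ECS and Lambda
```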
Applications that can't be changed, or where the log format is fixed, can use Metric Filters to allow Custom Metrics to be populated from log events via configured filter expressions.
CloudWatch metrics are retained by CloudWatch Metrics and can be graphed, placed on dashboards, and used to trigger alarms and autoscaling events.
Pricing
While CloudWatch Logs is usually a cost-efficient solution, it is worth being aware of the pricing as it can become expensive if large volumes of logs are written or queried, or if many custom metrics are created.