AWS CloudWatch Logs is the preferred service for aggregating and accessing recent logs. It integrates with other AWS services and provides a unified web-based view of log types from multiple sources, eliminating the need to connect to individual servers and hunt for specific files.
Accessing Logs (Web)
Logs are available in the AWS Console under the CloudWatch service, by navigating to Logs / Log Groups. See View Log Data Sent to CloudWatch Logs.
EC2 Instance Logs
Several logs that capture interesting operational and security events are collected by the AWS CloudWatch agent and stored in CloudWatch log groups named after the source log file:
- /var/log/aide: stores AIDE file integrity monitoring logs
- /var/log/auth: stores server authentication logs
- /var/log/clamav: stores the output of ClamAV scans
- /var/log/dokku: stores Dokku-related audit events such as deployments
- /var/log/syslog: stores server syslogs (system events)
Individual log streams are named after each instance's private DNS name, which is shown in the EC2 console's "Details" tab. These logs are retained for one month; older logs are archived to an S3 bucket named archived-logs-region-name.
Web Server Logs
Nginx logs from all instances are stored in the /var/log/nginx log group. These logs are also retained for a month, with older logs archived in S3.
Docker container logs can be found in the containers log group. Log streams are named using each container's unique ID, which you can look up by running docker ps on the EC2 instance. Container logs are retained for a year and are not archived to S3.
Amazon RDS publishes its logs to log groups whose names start with /aws/rds/instance. The same logs are also available in the RDS console under each instance.
Other Log Types
cloudtrail-all-regions is a special log group that consolidates multi-region AWS CloudTrail audit logs (see Automated Audit Trails below) into one stream. Metric filters and CloudWatch alarms on this group are used for compliance monitoring. See this page for additional details.
patching contains logs of daily EC2 instance patching jobs managed by AWS SSM Patch Manager.
The /vpc/vpc-* log groups contain VPC flow logs.
The ssm_sessions log group stores recordings of Systems Manager Session Manager sessions. Session Manager provides an alternative to SSH for connecting to EC2 instances.
If you'd like to see other logs in the CloudWatch Logs interface, please create a support ticket.
The awslogs Utility
If you prefer to access CloudWatch Logs from the command line, the awslogs tool is installed on every EC2 instance and can browse and watch multiple log streams in parallel.
Listing All Log Groups
This command returns a list of all CloudWatch log groups in the current region:
awslogs groups
List Log Streams Inside a Log Group
awslogs streams /var/log/auth
Get Specific Log Entries
Retrieve recent consolidated entries from a log group:
awslogs get /var/log/auth --start='1h ago'
Limit entries to a specific log stream:
awslogs get /var/log/auth ip-10-0-1-96.us-east-2.compute.internal --start='1h ago'
A wildcard entry can be used as well:
awslogs get /var/log/auth ip-10-0* --start='1h ago'
Watching Logs Across Multiple Instances in a Log Group
awslogs get /var/log/auth ALL --watch
Specifying a Region
The first time you use awslogs you'll need to configure your default region, for example by exporting AWS_REGION in your shell profile. Alternately, you can pass the region as an environment variable on the command line:
AWS_REGION=us-west-2 awslogs groups
Additional commands, including filtering examples, are shown on the awslogs page.
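The awslogs get commands above return raw lines; turning them into a finding still takes a script. The following is an added example (not code from the original page or the awslogs project) that reads awslogs output for the /var/log/auth group, as produced by `awslogs get /var/log/auth ALL --start='1h ago'`, and counts failed sshd password attempts per instance stream and source address. It assumes awslogs' default line layout of "group stream message" separated by single spaces, and that sshd on the instances writes to the auth log; the sample lines are constructed, not real data.

```python
"""Summarise failed SSH logins from awslogs output for the /var/log/auth log group.

Usage:  awslogs get /var/log/auth ALL --start='1h ago' | python3 failed_logins.py
Run with no stdin to process the constructed SAMPLE lines below.
"""
import re
import sys
from collections import Counter

# awslogs colours the group and stream names; strip ANSI escapes so the split is reliable.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
# OpenSSH failure line (assumed format); captures the user and the source address.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Split an awslogs output line into (group, stream, message); None if malformed."""
    parts = ANSI_RE.sub("", line).rstrip("\n").split(" ", 2)
    if len(parts) != 3:
        return None
    return tuple(parts)


def summarize_failed_logins(lines, threshold=3):
    """Count failed sshd passwords per (instance stream, source address).

    Returns [(stream, src, count), ...] sorted by count descending, keeping only
    pairs with at least `threshold` failures.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _group, stream, message = parsed
        m = FAILED_RE.search(message)
        if m:
            counts[(stream, m.group("src"))] += 1
    hits = [(s, src, n) for (s, src), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


# Constructed sample lines shaped like awslogs output for /var/log/auth (not real data).
G = "/var/log/auth"
S96 = "ip-10-0-1-96.us-east-2.compute.internal"
S97 = "ip-10-0-1-97.us-east-2.compute.internal"
SAMPLE = [
    f"{G} {S96} Jan 10 12:00:01 ip-10-0-1-96 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2",
    f"{G} {S96} Jan 10 12:00:03 ip-10-0-1-96 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2",
    f"{G} {S96} Jan 10 12:00:05 ip-10-0-1-96 sshd[2203]: Failed password for root from 203.0.113.5 port 40120 ssh2",
    f"{G} {S96} Jan 10 12:00:07 ip-10-0-1-96 sshd[2205]: Failed password for ubuntu from 203.0.113.5 port 40131 ssh2",
    f"{G} {S96} Jan 10 12:01:00 ip-10-0-1-96 sshd[2210]: Failed password for ubuntu from 198.51.100.7 port 51000 ssh2",
    f"{G} {S96} Jan 10 12:01:04 ip-10-0-1-96 sshd[2210]: Accepted publickey for ubuntu from 198.51.100.7 port 51000 ssh2: ED25519 SHA256:k1fexample",
    f"{G} {S97} Jan 10 12:02:10 ip-10-0-1-97 sshd[1187]: Failed password for invalid user test from 203.0.113.5 port 40200 ssh2",
    f"{G} {S97} Jan 10 12:02:12 ip-10-0-1-97 sshd[1187]: Failed password for invalid user test from 203.0.113.5 port 40200 ssh2",
    f"{G} {S97} Jan 10 12:03:00 ip-10-0-1-97 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt update",
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for stream, src, n in summarize_failed_logins(source):
        print(f"{n:4d}  {src:15s}  {stream}")
```

Because the stream name is the instance's private DNS name, the output tells you directly which instance to look at; raising the threshold keeps the occasional mistyped password out of the report while a password-spraying source still stands out.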
S3 Bucket Access logs
S3 server access logging is enabled on our buckets; the access records are written to region-specific buckets named access-logs-region-name. This supports access auditing needs.
Automated Audit Trails
AWS CloudTrail records API activity against AWS resources, including changes to their configuration. Besides the CloudWatch log group mentioned above, which is used for monitoring specific events, CloudTrail data is persisted for long-term storage to an encrypted S3 bucket named cloudtrail-all-regions-*.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It works in tandem with CloudTrail, SecurityHub, and other supporting services.
PHI Auditing Requirements
AWS does not provide automated capabilities to audit access to protected health information as required by HIPAA. The auditing and logging mechanisms described above capture information about potential access to PHI through the AWS console and APIs. However, it is a customer responsibility to implement functionality within their applications to record the viewing, modification, and destruction of PHI. This can be as simple as implementing an "audit_trail" database table that records the details of each interaction. If a record containing PHI is deleted, the audit trail should preserve the original record.
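The following is an added example (not code from the original page or any particular application) of the "audit_trail" table approach described above, using SQLite so it runs stand-alone. The patients table, the column names, and the actor identifiers are assumptions for illustration. Reads are recorded as well as writes, the audit row and the data change are committed in the same transaction, and a delete stores a JSON copy of the original record before the row is removed.

```python
"""Application-level PHI audit trail: every view, update and delete is recorded,
and deletes preserve the original record. Added example; schema is assumed."""
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE patients (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    diagnosis TEXT NOT NULL
);
CREATE TABLE audit_trail (
    id INTEGER PRIMARY KEY,
    occurred_at TEXT NOT NULL,   -- UTC ISO-8601 timestamp
    actor TEXT NOT NULL,         -- authenticated application user
    action TEXT NOT NULL CHECK (action IN ('view', 'update', 'delete')),
    record_table TEXT NOT NULL,
    record_id INTEGER NOT NULL,
    before_json TEXT,            -- copy of the record before an update or delete
    after_json TEXT              -- record after an update; NULL for view and delete
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _snapshot(conn, patient_id):
    row = conn.execute("SELECT * FROM patients WHERE id = ?", (patient_id,)).fetchone()
    return dict(row) if row else None


def _audit(conn, actor, action, patient_id, before=None, after=None):
    conn.execute(
        "INSERT INTO audit_trail (occurred_at, actor, action, record_table, record_id,"
        " before_json, after_json) VALUES (?, ?, ?, 'patients', ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, action, patient_id,
         json.dumps(before) if before is not None else None,
         json.dumps(after) if after is not None else None),
    )


def view_patient(conn, actor, patient_id):
    """Reads of PHI are audited too, not only writes."""
    row = _snapshot(conn, patient_id)
    if row is not None:
        with conn:
            _audit(conn, actor, "view", patient_id)
    return row


def update_diagnosis(conn, actor, patient_id, diagnosis):
    before = _snapshot(conn, patient_id)
    if before is None:
        return False
    with conn:  # audit row and data change commit together or not at all
        conn.execute("UPDATE patients SET diagnosis = ? WHERE id = ?", (diagnosis, patient_id))
        _audit(conn, actor, "update", patient_id, before=before, after=_snapshot(conn, patient_id))
    return True


def delete_patient(conn, actor, patient_id):
    """Delete the row but keep its full contents in the audit trail."""
    before = _snapshot(conn, patient_id)
    if before is None:
        return False
    with conn:
        _audit(conn, actor, "delete", patient_id, before=before)
        conn.execute("DELETE FROM patients WHERE id = ?", (patient_id,))
    return True


def audit_events(conn, patient_id):
    """Return [(action, actor, before_record_or_None), ...] in the order they happened."""
    rows = conn.execute(
        "SELECT action, actor, before_json FROM audit_trail WHERE record_id = ? ORDER BY id",
        (patient_id,),
    ).fetchall()
    return [(r["action"], r["actor"], json.loads(r["before_json"]) if r["before_json"] else None)
            for r in rows]


def demo():
    """Constructed walk-through: one patient viewed, updated, then deleted."""
    conn = open_db()
    with conn:
        conn.execute("INSERT INTO patients (id, name, diagnosis) VALUES (1, 'J. Doe', 'initial')")
    view_patient(conn, "dr.alice", 1)
    update_diagnosis(conn, "dr.alice", 1, "revised")
    delete_patient(conn, "admin.bob", 1)
    return conn


if __name__ == "__main__":
    for event in audit_events(demo(), 1):
        print(event)
```

In a real deployment the audit_trail table should be append-only for the application's database role (INSERT and SELECT only), and the actor should come from the authenticated session rather than a caller-supplied parameter.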