

# AWS services for logging and monitoring
<a name="aws-services-logging-monitoring"></a>

This guide focuses on logging and monitoring applications deployed in the AWS Cloud. You can use AWS services to implement your logging and monitoring plan, or you can use them to augment your current solutions. For example, if you are troubleshooting an issue with your application, you might:
+ Triage the application logs with the VPC Flow Logs feature in Amazon Virtual Private Cloud (Amazon VPC) and view the network traffic that corresponds to the issue.
+ Use AWS CloudTrail to view the API calls that correspond to the issue event times.
+ Review the logs in Amazon CloudWatch Logs to check for CPU spikes that correspond to the issue event times.

You can deploy the following AWS services and features for logging and monitoring your application:
+ [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) helps you audit the governance, compliance, and operational risk of your AWS account by recording the actions taken by a user, role, or an AWS service. For more information about using this service to log or monitor events for your application, see [CloudTrail](cloudtrail.md) in this guide.
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) helps you analyze logs and, in real time, monitor the metrics of your AWS resources and hosted applications. You can also use the ServiceLens feature to monitor the health of your application or use the Synthetics feature to create canaries that monitor your endpoints and APIs. For more information about using this service to monitor your application, see [CloudWatch](cloudwatch.md) in this guide.
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) helps you centralize the logs from all your systems, applications, and AWS services so you can monitor them and archive them securely. For more information about using this service to log events for your application, see [CloudWatch Logs](cloudwatch-logs.md) in this guide.
+ The [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) feature of Amazon Virtual Private Cloud (Amazon VPC) captures information about the IP traffic going to and from network interfaces in your VPC. For more information about using this service to log events for your application, see [VPC Flow Logs](vpc-flow-logs.md) in this guide.
+ [AWS X-Ray](https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html) collects data about requests that your application serves, and it helps you view, filter, and gain insights into that data to identify issues and opportunities for optimization. For more information about using this service to monitor your application, see [X-Ray](x-ray.md) in this guide.

# Application logging and monitoring using AWS CloudTrail
<a name="cloudtrail"></a>

[AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as *events* in CloudTrail. Events can include actions taken in the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDKs and APIs.

## Using CloudTrail
<a name="using-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to **Event history**.

For an ongoing record of activity and events in your AWS account, you create a *trail*. You can create trails for a single AWS Region or for all Regions. Trails record the log files in each Region, and CloudTrail can deliver the log files to a single, consolidated Amazon Simple Storage Service (Amazon S3) bucket.

You can configure multiple trails differently so that the trails process and log only the events that you specify. This can be useful when you want to triage events that occur in your AWS account with events that occur in your application.

**Note**  
CloudTrail has a validation feature that you can use to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them. For more information about this feature and how to enable it, see [Validating CloudTrail log file integrity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html) (CloudTrail documentation).
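The following is an added example, not code from the CloudTrail documentation or the AWS CLI, that models the idea behind this validation so the three outcomes (modified, deleted, unchanged) are concrete. It is a simplified model, not CloudTrail's actual digest file layout: every delivered log file is hashed with SHA-256, the hashes are recorded in a digest, and each digest records the hash of the previous digest so that the digests form a chain. The file names and contents are constructed placeholders. The RSA signature that CloudTrail applies over each digest is deliberately omitted here (Python's standard library has no RSA), so this model checks only the hash chain.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Simplified model (NOT CloudTrail's real digest format) of log file integrity
# validation: SHA-256 per log file, digests chained by the previous digest's hash.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: Dict[str, bytes], previous_digest_hash: Optional[str]) -> dict:
    """Record the SHA-256 of each delivered log file and link to the prior digest."""
    return {
        "logFiles": [
            {"s3Object": name, "hashValue": sha256_hex(content)}
            for name, content in sorted(log_files.items())
        ],
        "previousDigestHashValue": previous_digest_hash,
    }


def digest_hash(digest: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return sha256_hex(json.dumps(digest, sort_keys=True).encode())


def validate_chain(digests: List[dict], delivered: Dict[str, bytes]) -> List[str]:
    """Return one finding per modified or deleted log file and per broken chain link."""
    findings: List[str] = []
    previous: Optional[str] = None
    for index, digest in enumerate(digests):
        if digest["previousDigestHashValue"] != previous:
            findings.append(f"digest {index}: previous digest hash does not match (chain broken)")
        for entry in digest["logFiles"]:
            content = delivered.get(entry["s3Object"])
            if content is None:
                findings.append(f"{entry['s3Object']}: listed in digest {index} but missing (deleted)")
            elif sha256_hex(content) != entry["hashValue"]:
                findings.append(f"{entry['s3Object']}: hash mismatch (modified)")
        previous = digest_hash(digest)
    return findings


def demo() -> dict:
    # Constructed log files; the object names are placeholders, not real CloudTrail keys.
    hour1 = {"logs/0100Z.json.gz": b'{"Records":[{"eventName":"ConsoleLogin"}]}'}
    hour2 = {"logs/0200Z.json.gz": b'{"Records":[{"eventName":"StopLogging"}]}'}
    d0 = build_digest(hour1, None)
    d1 = build_digest(hour2, digest_hash(d0))
    intact = {**hour1, **hour2}

    tampered = dict(intact)
    tampered["logs/0200Z.json.gz"] = b'{"Records":[]}'  # an event removed from the file
    del tampered["logs/0100Z.json.gz"]                    # a whole file deleted

    rewritten_d0 = build_digest({"logs/0100Z.json.gz": b"x"}, None)  # the digest itself rewritten

    return {
        "intact": validate_chain([d0, d1], intact),
        "tampered": validate_chain([d0, d1], tampered),
        "digest_rewritten": validate_chain([rewritten_d0, d1], intact),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or ["unchanged"])
```

The third scenario shows the limit of a bare hash chain: rewriting one digest breaks the link to the next, but someone who can rewrite every digest in the bucket would leave the chain consistent. That is the gap the per-digest RSA signature in the real feature closes, which is why the validation is run with the AWS CLI against the signed digests rather than against the log files alone.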

## Use cases for CloudTrail
<a name="cloudtrail-use-cases"></a>
+ **Compliance aid** – Using CloudTrail can help you comply with internal policies and regulatory standards by providing a history of events in your AWS account.
+ **Security analysis** – You can perform security analysis and detect user behavior patterns by ingesting CloudTrail log files into a log management and analytics solution, such as CloudWatch Logs, Amazon EventBridge, Amazon Athena, Amazon OpenSearch Service, or another third-party solution.
+ **Data exfiltration** – You can detect data exfiltration by collecting activity data on Amazon S3 objects through object-level API events recorded in CloudTrail. After the activity data is collected, you can use other AWS services, such as EventBridge and AWS Lambda, to trigger an automatic response.
+ **Operational issue troubleshooting** – You can troubleshoot operational issues by using the CloudTrail log files. For example, you can quickly identify the most recent changes made to the resources in your environment, including creation, modification, and deletion of AWS resources.

## Best practices for CloudTrail
<a name="cloudtrail-best-practices"></a>
+ Enable CloudTrail in all AWS Regions.
+ Enable log file integrity validation.
+ Encrypt logs.
+ Ingest CloudTrail log files into CloudWatch Logs.
+ Centralize logs from all AWS accounts and Regions.
+ Apply lifecycle policies to S3 buckets containing log files.
+ Prevent users from being able to turn off logging in CloudTrail. Apply the following [service control policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) (SCP) in AWS Organizations. This SCP sets an explicit deny rule for the `StopLogging` and `DeleteTrail` actions across the organization.

  ```
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail"
        ],
        "Resource": "*",
        "Effect": "Deny"
      }
    ]
  }
  ```

# Application logging and monitoring using Amazon CloudWatch
<a name="cloudwatch"></a>

[Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) monitors your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track *metrics*, which are variables you can measure for your resources and applications.

## Using CloudWatch
<a name="using-cloudwatch"></a>

CloudWatch is, essentially, a metrics repository. An AWS service, such as Amazon EC2, puts metrics into the repository, and you retrieve statistics based on those metrics. If you put your own custom metrics into the repository, you can also retrieve statistics on these metrics. For more information, see [Using CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html) (CloudWatch documentation).

You can also configure *alarms*, which automatically initiate actions on your behalf. An alarm watches a single metric over a specified time period and performs one or more specified actions, based on the value of the metric relative to a threshold over time. For example, the alarm might send a notification to an Amazon Simple Notification Service (Amazon SNS) topic. You can also add alarms to dashboards. For more information, see [Using CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) (CloudWatch documentation).

The CloudWatch console automatically displays metrics about every AWS service you use. You can create additional, custom dashboards to display metrics and alarms for your applications. For more information, see [Using CloudWatch dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html) (CloudWatch documentation).

CloudWatch automatically supports cross-Region functionality. You do not need to take any extra steps to display metrics from different AWS Regions in a single account on the same graph or dashboard. You can achieve cross-account functionality by implementing [cross-account observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html) (CloudWatch documentation).

For more information and detailed guidance about using CloudWatch to log and monitor workloads in the AWS Cloud, see [Designing and implementing logging and monitoring with Amazon CloudWatch](https://docs.aws.amazon.com/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/welcome.html) (AWS Prescriptive Guidance).

## Use cases for CloudWatch
<a name="cloudwatch-use-cases"></a>
+ **Application health monitoring** – CloudWatch ServiceLens enhances the observability of your services and applications by enabling you to integrate traces, metrics, logs, alarms, and other resource health information into one place. ServiceLens integrates CloudWatch with AWS X-Ray to provide an end-to-end view of your application to help you more efficiently pinpoint performance bottlenecks and identify impacted users. For more information, see [Using ServiceLens to monitor the health of your applications](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ServiceLens.html) (CloudWatch documentation).
+ **Synthetic monitoring** – You can use CloudWatch Synthetics to create canaries, configurable scripts that run on a schedule, to monitor your endpoints and APIs. Canaries follow the same routes and perform the same actions as a customer, which makes it possible for you to continually verify your customer experience even when you don't have any customer traffic on your applications. Canaries check the availability and latency of your endpoints and can store load time data and screenshots of the UI. They monitor your REST APIs, URLs, and website content, and they can check for unauthorized changes from phishing, code injection, and cross-site scripting. For more information, see [Using synthetic monitoring](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html) (CloudWatch documentation).
+ **User monitoring** – With CloudWatch RUM, you can perform real user monitoring to collect and view client-side data about your web application performance. The data includes page load times, client-side errors, and user behavior. You can use the collected data to quickly identify and debug client-side performance issues. For more information, see [Using CloudWatch RUM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM.html) (CloudWatch documentation).
+ **Anomalous behavior detection** – When you enable *anomaly detection* for a metric, CloudWatch applies statistical and machine learning algorithms. These algorithms continuously analyze metrics of systems and applications, determine normal baselines, and surface anomalies. For more information, see [Using CloudWatch anomaly detection](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Anomaly_Detection.html) (CloudWatch documentation).
+ **Feature validation and A/B experiments** – You can use Amazon CloudWatch Evidently to safely validate new features by serving them to a specified percentage of your users while you roll out the feature. You can also conduct A/B experiments to make feature design decisions based on evidence and data. For more information, see [Perform launches and A/B experiments with CloudWatch Evidently](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently.html) (CloudWatch documentation).

# Application logging and monitoring using Amazon CloudWatch Logs
<a name="cloudwatch-logs"></a>

[Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service. You can then easily view them, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis. You can see all of your log events, regardless of their source, as a single and consistent flow of events ordered by time. You can query them and sort them, group them by specific fields, create custom computations, and visualize log data in dashboards.

## Using CloudWatch Logs
<a name="using-cloudwatch-logs"></a>

In CloudWatch Logs, log events are organized into log streams and log groups. A *log stream* is a sequence of log events that share the same source. More specifically, a log stream is generally intended to represent the sequence of events coming from the application instance or resource being monitored. *Log groups* define one or more log streams that share the same retention, monitoring, and access control settings. Each log stream must belong to at least one log group. For more information, see [Working with log groups and log streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) (CloudWatch Logs documentation).

You can use CloudWatch Logs Insights to search and analyze your log data in Amazon CloudWatch Logs. You can perform queries to help you more efficiently and effectively respond to operational issues. If an issue occurs, you can use CloudWatch Logs Insights to identify potential causes and validate deployed fixes. For more information, see [Analyzing log data with CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) (CloudWatch Logs documentation).

You can search and filter the log data coming into CloudWatch Logs by creating one or more *metric filters*. Metric filters define the terms and patterns to look for in log data as it is sent to CloudWatch Logs. CloudWatch Logs uses these metric filters to turn log data into numerical CloudWatch metrics that you can graph or set an alarm on. For more information, see [Creating metrics from log events using filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/MonitoringLogData.html) (CloudWatch Logs documentation).

## Use cases for CloudWatch Logs
<a name="cloudwatch-logs-use-cases"></a>
+ **Monitoring CloudTrail logs** – You can create alarms in CloudWatch and receive notifications of particular API activity, as captured by CloudTrail, and use the notification to perform troubleshooting. For more information, see [Sending CloudTrail Events to CloudWatch Logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cw_send_ct_events.html) (CloudTrail documentation).
+ **Logging AWS API calls** – If you have a third-party monitoring solution in place, you can use CloudWatch Logs to log AWS API calls. You set up the third-party monitoring service to evaluate this log and the application-level APIs.
+ **Configuring log retention** – By default, logs in CloudWatch Logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between one day and 10 years.
+ **Archiving and storing logs** – You can use CloudWatch Logs to store your log data in highly durable storage. The CloudWatch Logs agent sends both rotated and non-rotated log data into the log service. You can then access the raw log data when you need it.
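The following is an added example, not code from the CloudWatch documentation, that ties together the alarm description in the CloudWatch section, the metric filters described above, and the "Monitoring CloudTrail logs" use case: it runs a metric-filter-style predicate over CloudTrail events as they would arrive in a CloudWatch Logs log group, turns the matches into a count-per-period metric, and evaluates that metric the way an alarm does. The log events, account ID, ARNs and timestamps are constructed. The predicate plays the role of the JSON filter pattern quoted in its docstring; the alarm evaluation models the `notBreaching` treatment of periods that have no datapoint. The same idea detects the `StopLogging` and `DeleteTrail` calls that the SCP in the CloudTrail section denies, so an attempt shows up even when it fails.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable

# Constructed CloudWatch Logs messages shaped like CloudTrail event records
# (one JSON record per log event). Account ID, ARNs and times are made up.
SAMPLE_LOG_EVENTS = [
    '{"eventTime":"2024-01-15T10:00:05Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}',
    '{"eventTime":"2024-01-15T10:00:41Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}',
    '{"eventTime":"2024-01-15T10:01:12Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}',
    '{"eventTime":"2024-01-15T10:01:40Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"errorCode":"AccessDenied"}',
    'not json at all: agent heartbeat',
    '{"eventTime":"2024-01-15T10:02:03Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app"}}',
]

PERIOD_SECONDS = 60


def bucket_for(event_time: str, period: int = PERIOD_SECONDS) -> int:
    """Start (epoch seconds) of the period that contains an ISO-8601 UTC eventTime."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // period * period


def trail_tampering(event: dict) -> bool:
    """Predicate standing in for the metric filter pattern
    { ($.eventSource = "cloudtrail.amazonaws.com") && (($.eventName = "StopLogging") || ($.eventName = "DeleteTrail")) }
    A denied attempt (errorCode present) still matches, which is the intent."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in {"StopLogging", "DeleteTrail"})


def metric_from_logs(messages: Iterable[str], predicate: Callable[[dict], bool],
                     period: int = PERIOD_SECONDS) -> Dict[int, int]:
    """Turn matching log events into a count-per-period metric (metric value 1 per match)."""
    counts: Dict[int, int] = defaultdict(int)
    for message in messages:
        try:
            event = json.loads(message)
        except json.JSONDecodeError:
            continue  # a non-JSON line can never match a JSON filter pattern
        if predicate(event):
            counts[bucket_for(event["eventTime"], period)] += 1
    return dict(counts)


def alarm_state(datapoints: Dict[int, int], end_bucket: int, threshold: int = 1,
                evaluation_periods: int = 1, datapoints_to_alarm: int = 1,
                period: int = PERIOD_SECONDS) -> str:
    """Evaluate like a CloudWatch alarm over the last `evaluation_periods` periods ending
    at `end_bucket`. Periods without a datapoint count as not breaching (notBreaching)."""
    breaching = sum(
        1 for i in range(evaluation_periods)
        if datapoints.get(end_bucket - i * period, 0) >= threshold
    )
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


if __name__ == "__main__":
    counts = metric_from_logs(SAMPLE_LOG_EVENTS, trail_tampering)
    for bucket, value in sorted(counts.items()):
        print(datetime.fromtimestamp(bucket, timezone.utc).isoformat(), value)
    print(alarm_state(counts, bucket_for("2024-01-15T10:01:00Z")))
```

In the sample data the two matching calls land in the same one-minute period, so a threshold of 1 over one evaluation period is in `ALARM` for that period and back to `OK` the next minute unless the alarm evaluates more than one period; choosing `evaluation_periods` and `datapoints_to_alarm` is what controls how long a transient match keeps the alarm raised.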

# Application logging and monitoring using VPC Flow Logs
<a name="vpc-flow-logs"></a>

[VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) is a feature of Amazon Virtual Private Cloud (Amazon VPC) that helps you capture information about the IP traffic going to and from network interfaces in your VPC.

## Using VPC Flow Logs
<a name="using-vpc-flow-logs"></a>

You can create a flow log for a virtual private cloud (VPC), a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored. For more information, see [Work with flow logs](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-flow-logs.html) (Amazon VPC documentation).

Flow log data for a monitored network interface is recorded as flow log records. A *flow log record* represents a network flow in your VPC. By default, each record captures a network IP traffic flow that occurs within an aggregation interval. Each record is a string with fields separated by spaces. A record includes values for the different components of the IP flow, for example, the source, destination, and protocol. When you create a flow log, you can use the default format for the flow log record, or you can specify a custom format. For more information, see [Flow log record examples](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html) (Amazon VPC documentation).

Flow logs don't capture the following information:
+ Traffic generated by instances when they contact the Amazon Domain Name System (DNS) server. If you use your own DNS server, then all traffic to that DNS server is logged.
+ Traffic generated by a Windows instance for Amazon Windows license activation.
+ Traffic to and from `169.254.169.254`, for instance metadata.
+ Traffic to and from `169.254.169.123`, for the Amazon Time Sync Service.
+ Dynamic Host Configuration Protocol (DHCP) traffic.
+ Traffic to the reserved IP address for the default VPC router.
+ Traffic between an endpoint network interface and a Network Load Balancer network interface.

Flow log data can be published to several AWS services, including Amazon CloudWatch Logs. After you create a flow log, you can retrieve and view the flow log records in CloudWatch Logs in the log group that you configure. For more information, see [Publish flow logs to CloudWatch Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html) (Amazon VPC documentation).

Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.

## Use cases for VPC Flow Logs
<a name="vpc-flow-logs-use-cases"></a>
+ Diagnose overly restrictive security group rules
+ Monitor the traffic that is reaching your application instance
+ Determine the direction of the traffic
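The following is an added example, not code from the Amazon VPC documentation, that parses default-format flow log records (the space-separated record described above) and works through the three use cases listed: it counts rejected inbound flows per source and destination port (the signature of an overly restrictive security group rule), sums accepted inbound bytes per port (the traffic actually reaching the instance), and classifies each flow's direction relative to the interface's private IP. The records, account ID, ENI ID and the assumed interface address `10.0.1.25` are constructed; the `NODATA` record shows how a record with no flow fields is handled.

```python
from collections import Counter
from typing import Iterable, Optional

# Field order of the default (version 2) flow log record format.
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INTEGER_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed records for one ENI whose private IP is assumed to be 10.0.1.25.
# Account ID and ENI ID are made up; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges.
SAMPLE_RECORDS = [
    "2 111122223333 eni-0a1b2c3d4e5f60789 10.0.1.25 203.0.113.7 443 51512 6 12 6880 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60789 198.51.100.4 10.0.1.25 41222 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60789 198.51.100.4 10.0.1.25 41223 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60789 10.0.2.40 10.0.1.25 55100 8080 6 20 4096 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60789 10.0.1.25 10.0.2.40 8080 55100 6 18 9000 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60789 - - - - - - - 1700000060 1700000120 - NODATA",
]


def parse_record(line: str) -> Optional[dict]:
    """Parse one default-format record; returns None for lines that are not in that format."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        return None  # custom format or truncated line
    record = dict(zip(DEFAULT_FIELDS, parts))
    if record["log_status"] != "OK":
        return record  # NODATA / SKIPDATA records carry "-" in the flow fields
    for field in INTEGER_FIELDS:
        record[field] = int(record[field])
    return record


def direction(record: dict, interface_ip: str) -> str:
    """Classify a flow relative to the monitored interface's private IP."""
    if record["log_status"] != "OK":
        return "none"
    if record["dstaddr"] == interface_ip:
        return "inbound"
    if record["srcaddr"] == interface_ip:
        return "outbound"
    return "other"


def summarize(lines: Iterable[str], interface_ip: str) -> dict:
    """Rejected inbound flows by (source, protocol, port), accepted inbound bytes by port, directions."""
    records = [r for r in (parse_record(line) for line in lines) if r is not None]
    rejected_inbound: Counter = Counter()
    accepted_inbound_bytes: Counter = Counter()
    directions: Counter = Counter()
    for r in records:
        d = direction(r, interface_ip)
        directions[d] += 1
        if d != "inbound":
            continue
        proto = PROTOCOL_NAMES.get(r["protocol"], str(r["protocol"]))
        if r["action"] == "REJECT":
            rejected_inbound[(r["srcaddr"], proto, r["dstport"])] += 1
        elif r["action"] == "ACCEPT":
            accepted_inbound_bytes[r["dstport"]] += r["bytes"]
    return {
        "parsed": len(records),
        "directions": dict(directions),
        "rejected_inbound": dict(rejected_inbound),
        "accepted_inbound_bytes_by_port": dict(accepted_inbound_bytes),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS, "10.0.1.25").items():
        print(key, value)
```

Repeated `REJECT` records from the same source to the same port, as for TCP port 22 in the sample, are what you look for when diagnosing a security group rule that is too restrictive; whether the rejection is intended or not is a question for the rule, not the log. The interface's private IP has to come from outside the record (the default format does not include it), which is why `summarize` takes it as a parameter.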

# Application logging and monitoring using AWS X-Ray
<a name="x-ray"></a>

[AWS X-Ray](https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html) collects data about requests that your application serves, and it helps you view, filter, and gain insights into that data to identify issues and opportunities for optimization.

## Using X-Ray
<a name="using-x-ray"></a>

AWS X-Ray receives traces from your application and, if they're integrated with X-Ray, from the AWS services that your application uses. X-Ray samples and visualizes requests on a [service graph](https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-servicegraph) when they flow through your application components. X-Ray generates trace identifiers so that you can correlate a request when it flows through multiple components, which helps you view the request from end to end. You can further enhance this by including annotations and metadata to help uniquely search for and identify the characteristics of a request.

We recommend that you configure each server or endpoint in your application with X-Ray. X-Ray is implemented in your application code by making calls to the X-Ray service. X-Ray also provides AWS SDKs for multiple languages, including instrumented clients that automatically send data to X-Ray. The X-Ray SDKs provide patches to common libraries used for making calls to other services (for example, HTTP, MySQL, PostgreSQL, or MongoDB).
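The following is an added example, not code from the X-Ray SDKs or the X-Ray documentation, that shows the correlation idea from the two paragraphs above without calling the X-Ray service: a trace ID in X-Ray's format (version `1`, eight hex digits of epoch seconds, 24 hex digits of randomness) is minted by the first component, carried downstream in the `X-Amzn-Trace-Id` header, and then used to stitch the segments recorded by each component into one end-to-end view; an annotation is used to find the traces for a particular kind of request. The segments, service names, trace IDs and the `customer_tier` annotation are constructed. Real instrumented clients do this for you; the point here is what the trace header carries and why it lets you correlate across components.

```python
import os
import re
import time
from collections import defaultdict
from typing import Dict, List, Optional

TRACE_ID_RE = re.compile(r"^1-[0-9a-f]{8}-[0-9a-f]{24}$")


def new_trace_id(now: Optional[float] = None) -> str:
    """Trace ID in X-Ray's format: version 1, 8 hex digits of epoch seconds, 24 random hex digits."""
    epoch = int(time.time() if now is None else now)
    return f"1-{epoch:08x}-{os.urandom(12).hex()}"


def parse_trace_header(value: str) -> Dict[str, str]:
    """Parse an X-Amzn-Trace-Id header such as 'Root=1-...;Parent=...;Sampled=1'."""
    fields: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.strip()] = val.strip()
    if not TRACE_ID_RE.match(fields.get("Root", "")):
        raise ValueError("missing or malformed Root trace ID")
    return fields


def outgoing_trace_header(root: str, parent_segment_id: str, sampled: bool = True) -> str:
    """Header a component sends downstream so the same Root ID follows the request."""
    return f"Root={root};Parent={parent_segment_id};Sampled={1 if sampled else 0}"


# Constructed segments as each component would record them (trace IDs, names and
# annotation values are made up). Two requests: one from a "gold" customer, one "silver".
SAMPLE_SEGMENTS = [
    {"trace_id": "1-65a5025c-0123456789abcdef01234567", "id": "53995c3f42cd8ad8", "name": "frontend",
     "start_time": 1705312860.00, "annotations": {"customer_tier": "gold"}},
    {"trace_id": "1-65a5025c-0123456789abcdef01234567", "id": "1a2b3c4d5e6f7081", "name": "orders-api",
     "start_time": 1705312860.12},
    {"trace_id": "1-65a5025c-0123456789abcdef01234567", "id": "9f8e7d6c5b4a3921", "name": "DynamoDB",
     "start_time": 1705312860.20},
    {"trace_id": "1-65a5025d-89abcdef0123456789abcdef", "id": "0011223344556677", "name": "frontend",
     "start_time": 1705312861.00, "annotations": {"customer_tier": "silver"}},
    {"trace_id": "1-65a5025d-89abcdef0123456789abcdef", "id": "8899aabbccddeeff", "name": "orders-api",
     "start_time": 1705312861.09},
]


def end_to_end_view(segments: List[dict]) -> Dict[str, List[str]]:
    """Group segments by trace ID and order them by start time: the request's path across components."""
    by_trace: Dict[str, List[dict]] = defaultdict(list)
    for seg in segments:
        by_trace[seg["trace_id"]].append(seg)
    return {tid: [s["name"] for s in sorted(segs, key=lambda s: s["start_time"])]
            for tid, segs in by_trace.items()}


def find_by_annotation(segments: List[dict], key: str, value: str) -> List[str]:
    """Trace IDs whose segments carry the given annotation; what a console search on an annotation returns."""
    return sorted({s["trace_id"] for s in segments if s.get("annotations", {}).get(key) == value})


if __name__ == "__main__":
    header = parse_trace_header("Root=1-65a5025c-0123456789abcdef01234567;Parent=53995c3f42cd8ad8;Sampled=1")
    print(outgoing_trace_header(header["Root"], "1a2b3c4d5e6f7081"))
    print(end_to_end_view(SAMPLE_SEGMENTS))
    print(find_by_annotation(SAMPLE_SEGMENTS, "customer_tier", "gold"))
```

The `Parent` field changes at every hop while `Root` does not; that is what makes the end-to-end view possible and why a component that drops or rewrites the header breaks the trace for everything downstream of it, which is the practical reason behind the recommendation to instrument every server or endpoint.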

For more information, see [Tracing applications with AWS X-Ray](https://docs.aws.amazon.com/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/application-tracing-xray.html) (AWS Prescriptive Guidance).

## Use cases for X-Ray
<a name="x-ray-use-cases"></a>
+ **Application analysis and debug** – Trace data can help you debug the application by providing an end-to-end view of the request so that you can identify bottlenecks and troubleshoot issues. The X-Ray [service map](https://docs.aws.amazon.com/xray/latest/devguide/xray-console-servicemap.html) is a visual tool that helps you identify where errors are occurring, connections with high latency, or traces for unsuccessful requests.
+ **Performance analytics** – The [Analytics console](https://docs.aws.amazon.com/xray/latest/devguide/xray-console-analytics.html) is an interactive tool for interpreting trace data to quickly understand how your application and its underlying services are performing. The console helps you explore, analyze, and visualize traces. You can also compare trace sets with different conditions, for root cause analysis.