
Processing Real-Time Data with CloudWatch Logs Subscription Filters

July 16, 2024 by OpenObserve Team

Introduction to CloudWatch Logs Subscription Filters

Subscription filters in CloudWatch Logs allow you to define a pattern to search for specific log events and forward them to a specified AWS resource in real-time. This enables you to access and process log data as it is generated rather than waiting for logs to accumulate.


How Subscription Filters Work

Subscription filters work by applying a filter pattern to log events. The pattern matches specific log data, such as log messages or event types. When a log event matches the filter pattern, it is forwarded to the specified AWS resource, such as Amazon Kinesis Data Streams, Amazon Kinesis Data Firehose, or AWS Lambda.

Benefits of Subscription Filters

Subscription filters provide several benefits, including:

  • Real-time Log Access: Subscription filters allow you to access log events as they are generated, enabling real-time monitoring and processing.
  • Customized Log Processing: By defining a filter pattern, you can customize the log data that is forwarded to your AWS resource, ensuring that only relevant data is processed.
  • Scalability: Subscription filters can handle large volumes of log data, making them suitable for high-traffic applications.

Example Use Case

Suppose you have an e-commerce application that generates log events for every order placed. You can use a subscription filter to forward log events that contain specific keywords, such as "order placed" or "payment failed," to an AWS Lambda function for further processing.

Subscription filters in CloudWatch Logs provide a powerful way to access and process log data in real-time. By defining a filter pattern, you can customize the log data that is forwarded to your AWS resource, enabling you to monitor and process log events as they are generated.

In the next section, you will dive deeper into understanding subscription filters.

Understanding Subscription Filters

Subscription filters are essential for delivering a live feed of log events for analysis. They help you filter and forward log events to specific AWS resources, such as Amazon Kinesis Data Streams, Amazon Kinesis Data Firehose, or AWS Lambda.

Log Group-Level and Account-Level Filters

Subscription filters support both log group-level and account-level filters. Log group-level filters apply to a specific log group, while account-level filters apply to all log groups in your AWS account. Each filter type has specific limits and error-handling measures to ensure reliable data processing.

Log Event Encoding and Compression

Log events delivered to a destination are compressed with gzip and Base64 encoded. This ensures efficient data transmission and reduces storage requirements.
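As an added example (not code from the original post), here is how a Lambda destination unpacks one delivery in that format and applies the "order placed" / "payment failed" keywords from the e-commerce use case above. The log group, filter name, timestamps and messages are constructed sample data, and the control-message handling follows the behaviour documented for CloudWatch Logs.

```python
import base64
import gzip
import json

# Keywords from the e-commerce use case above (case-insensitive match).
WATCH_TERMS = ("order placed", "payment failed")

def decode_subscription_event(event):
    """Return the log events in one delivery. A Lambda destination receives
    event["awslogs"]["data"]: JSON that CloudWatch Logs gzipped, then Base64-encoded."""
    raw = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(raw))
    # CloudWatch Logs sends a CONTROL_MESSAGE when the filter is created to
    # check the destination; it carries no application data, so skip it.
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    return [
        {"logGroup": payload["logGroup"], "logStream": payload["logStream"],
         "timestamp": e["timestamp"], "message": e["message"]}
        for e in payload["logEvents"]
    ]

def matching_events(event, terms=WATCH_TERMS):
    """Keep only the events whose message mentions one of the watched terms."""
    return [e for e in decode_subscription_event(event)
            if any(t in e["message"].lower() for t in terms)]

def make_sample_event(message_type="DATA_MESSAGE"):
    """Constructed fixture shaped like a real delivery (not captured from AWS)."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",
        "logGroup": "/ecommerce/orders",
        "logStream": "web-1",
        "subscriptionFilters": ["orders-to-lambda"],
        "logEvents": [
            {"id": "1", "timestamp": 1721100000000, "message": "INFO order placed id=42"},
            {"id": "2", "timestamp": 1721100001000, "message": "WARN payment failed id=43"},
            {"id": "3", "timestamp": 1721100002000, "message": "INFO healthcheck ok"},
        ],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}

def lambda_handler(event, context=None):
    """Entry point a Lambda destination would expose; returns the match count."""
    return {"matched": len(matching_events(event))}
```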

Limitations and Best Practices

  • Filter Limitations: Each log group can have up to two subscription filters associated with it.
  • Best Practices: Use specific filter patterns to avoid overwhelming your AWS resources and ensure efficient data processing.

Subscription filters are a powerful tool for analyzing log events in real-time. By understanding how they work and their limitations, you can effectively use them to deliver a live feed of log events for analysis.

In the next section, you will learn about supported destinations and configurations in Subscription filters in CloudWatch Logs.

Supported Destinations and Configurations

Supported Destinations

Subscription filters support three main destinations:

  • Kinesis Data Streams: For processing and analyzing log events in real-time.
  • Kinesis Data Firehose: For delivering log events to data warehouses, data lakes, and analytics platforms.
  • AWS Lambda: For triggering custom functions and processing log events.

Cross-Account Sharing

Cross-account sharing is limited to Kinesis streams. This means you can share Kinesis streams across different AWS accounts, but not other subscription filter destinations.

Subscription Filter Configuration

To set up a subscription filter, you need to provide the following information:

  • Log Group Name: The name of the log group you want to filter.
  • Filter Pattern: A pattern to match specific log events.
  • Destination ARN: The ARN of the AWS resource you want to forward log events to.
  • IAM Role ARN & Access Policy: The IAM role that CloudWatch Logs assumes to write to the destination, together with the access policy attached to it.
  • Distribution Method: The method of distributing log events to the destination.

Subscription filters provide flexibility in processing and analyzing log events by supporting various destinations and configurations. By understanding the supported destinations and configuration requirements, you can effectively use subscription filters to meet your log analysis needs.

In the next section, you will learn how to create and manage subscription filters.

Creating and Managing Subscription Filters

Getting Started

To create and manage subscription filters, follow these steps:

  1. Create a Receiving Resource: First, create a receiving resource such as a Kinesis Data Stream, Kinesis Data Firehose delivery stream, or AWS Lambda function.
  2. Define a Subscription Filter: Define a subscription filter for event delivery by specifying the log group, filter pattern, and destination ARN.

Creating and Updating Subscription Filters

To create or update a subscription filter, use the put-subscription-filter command of the aws logs CLI:

```bash
# --role-arn is required for Kinesis Data Streams and Firehose destinations; a Lambda destination needs no role
aws logs put-subscription-filter --log-group-name <log-group-name> --filter-name <filter-name> --filter-pattern <filter-pattern> --destination-arn <destination-arn> --role-arn <role-arn>
```

Listing and Deleting Subscription Filters

To list all subscription filters for a log group, use the describe-subscription-filters command (the CLI paginates the result for you):

```bash
aws logs describe-subscription-filters --log-group-name <log-group-name>
```

To delete a subscription filter, use the delete-subscription-filter command:

```bash
aws logs delete-subscription-filter --log-group-name <log-group-name> --filter-name <filter-name>
```

Filter and Pattern Syntax

To search and filter log data effectively, use the filter and pattern syntax. For example, the pattern "ERROR" matches every log event whose message contains the term ERROR; as a JSON input document for put-subscription-filter (passed with --cli-input-json) it looks like this:

```json
{
  "logGroupName": "my-log-group",
  "filterName": "errors-only",
  "filterPattern": "ERROR",
  "destinationArn": "<destination-arn>"
}
```

By following these steps and utilizing filter and pattern syntax, you can effectively manage subscription filters.

In the next section, you will learn about some of the best practices and considerations.

Best Practices and Considerations

Calculating Log Data Volume

When setting up subscription filters, it's important to calculate the expected log data volume. Ensure that the destination stream (e.g., Kinesis Data Stream) has enough shards to handle the incoming data and avoid throttling.

Mitigating Throttling

To mitigate throttling, specify a random distribution when creating a subscription filter. This helps distribute the log events across the available shards in the destination stream. Additionally, monitor the stream using CloudWatch metrics to identify and address any throttling issues.

IAM Roles and Permissions

Use IAM roles with specific permissions for CloudWatch Logs to interact with the destination services. This ensures that the subscription filter has the necessary access to forward log events to the specified resource.
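An added example (not from the original post) that ties the three points above together: sizing the stream from the expected log volume, the least-privilege trust and permissions policies for the role CloudWatch Logs assumes, and the put-subscription-filter call with random distribution. The per-shard limit is the documented Kinesis Data Streams write limit; the region, account id, stream ARN and the 50 % headroom are assumptions.

```python
import math

# Documented Kinesis Data Streams write limit per shard: 1 MiB/s. Sizing on
# uncompressed event bytes is conservative, because CloudWatch Logs batches and
# gzips events before writing them, so the real load on the stream is lower.
SHARD_MAX_BYTES_PER_SEC = 1024 * 1024

def required_shards(events_per_sec, avg_event_bytes, headroom=1.5):
    """Shards needed to absorb the forwarded volume; headroom (assumed 50 %)
    leaves room for bursts so writes are not throttled."""
    bytes_per_sec = events_per_sec * avg_event_bytes
    return max(1, math.ceil(bytes_per_sec / SHARD_MAX_BYTES_PER_SEC * headroom))

def trust_policy(region, account_id):
    """Trust policy letting CloudWatch Logs assume the role; the SourceArn
    condition restricts it to log groups in this account and region."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "logs.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringLike": {
            "aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"}},
    }]}

def permissions_policy(stream_arn):
    """Least privilege: the role may only write records to the one target stream."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "kinesis:PutRecord", "Resource": stream_arn,
    }]}

def put_filter_command(log_group, name, pattern, stream_arn, role_arn):
    """argv for the aws CLI call; Random distribution spreads events across all
    shards instead of keying every event of a log stream to one shard."""
    return ["aws", "logs", "put-subscription-filter",
            "--log-group-name", log_group, "--filter-name", name,
            "--filter-pattern", pattern, "--destination-arn", stream_arn,
            "--role-arn", role_arn, "--distribution", "Random"]

if __name__ == "__main__":
    # Assumed values for illustration only.
    stream = "arn:aws:kinesis:us-east-1:123456789012:stream/cwl-orders"
    role = "arn:aws:iam::123456789012:role/CWLtoKinesisRole"
    print("shards:", required_shards(events_per_sec=5000, avg_event_bytes=400))
    print(" ".join(put_filter_command("/ecommerce/orders", "orders", "", stream, role)))
```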

Verifying Subscription Filter Setup

Verify the subscription filter setup using appropriate methods for each destination type:

  • Kinesis Data Streams: Consume the stream and validate the received log events.
  • Kinesis Data Firehose: Check the delivery stream and the destination (e.g., S3 bucket) for the forwarded log events.
  • AWS Lambda: Validate the function's execution and the processed log events.

This ensures reliable log event delivery, efficient resource utilization, and proper security measures.

In the next section, you will understand error handling and metrics.

Error Handling and Metrics

Understanding Retry Policies

When errors occur in log data delivery, it's essential to understand the retry policies in place. This ensures that log events are not lost and that the delivery process is efficient.

Monitoring Log Forwarding Operations

Monitor log forwarding operations using CloudWatch metrics to ensure efficiency and identify any issues. This includes metrics such as:

  • Delivery Delay: The time it takes for log events to be delivered to the destination.
  • Delivery Failure: The number of log events that fail to be delivered.
  • Throttling: The rate at which log events are being delivered to the destination.

Effective error handling and monitoring are crucial for ensuring reliable log data delivery.

In the next section, you will learn about real-time processing and analysis.

Real-Time Processing and Analysis

Analyzing Real-Time Data

Real-time processing and analysis allow you to analyze data as it is generated, enabling you to make timely decisions and react to changes in your application. This includes evaluating alerts and business logic directly from application log data as it arrives.

Enhancing Development Efficiency

Real-time processing and analysis also enhance development efficiency by driving alerting from application logs. This ensures that you are notified of any issues or errors in real-time, allowing you to address them promptly.

Examples of Real-Time Log Processing

Here are some examples of utilizing subscription filters for real-time log processing and insights:

  • Error Detection: Use subscription filters to detect errors in real-time and trigger alerts or notifications.
  • Performance Monitoring: Monitor application performance in real-time by analyzing log data and identifying bottlenecks.
  • Security Monitoring: Use subscription filters to monitor security-related log data and detect potential security threats.

Real-time processing and analysis are essential for ensuring the efficiency and reliability of your application. By utilizing subscription filters and analyzing real-time data, you can identify issues and make timely decisions.

Real-time processing and analysis are crucial for gaining insights from your log data as it's generated. However, CloudWatch Logs alone doesn't offer advanced analytics capabilities. OpenObserve provides a powerful platform specifically designed for analyzing and searching log data in real-time. Get started with OpenObserve today and unlock the full potential of your CloudWatch Logs data!

In the final section, you will see the impact of using subscription filters on pricing and their limits.

Pricing and Limits

Pricing

Implementing subscription filters in AWS CloudWatch Logs does not incur any additional costs. The charges you'll encounter are related to the data logging and ingestion into CloudWatch Logs, which are based on the volume of log data.

Limits

AWS CloudWatch Logs supports two types of subscription filters:

  1. Account-level Filters: These filters apply to all log groups within your AWS account. There is a limit of 20 account-level filters per account.
  2. Log Group-level Filters: These filters apply to a specific log group. Each log group can have up to two log group-level filters associated with it.

It's crucial to understand these limits when configuring your subscription filters to ensure efficient and effective log data processing.

Subscription filters in AWS CloudWatch Logs are a cost-effective way to process and analyze log data in real-time. While there are no additional charges for implementing subscription filters, it's important to be aware of the account-level and log group-level limits to ensure your configuration meets your requirements.

While CloudWatch Logs subscription filters are a cost-effective solution, they lack built-in functionalities for advanced log data analysis. OpenObserve goes beyond the limitations of CloudWatch Logs by offering a comprehensive suite of features for real-time log analytics. Sign up for a free trial of OpenObserve and experience the power of in-depth log analysis.

How Can OpenObserve Help

OpenObserve can help in processing real-time data with CloudWatch Logs subscription filters by providing a platform for analyzing and searching log data. Here are the steps to follow:

1. Get OpenObserve Cloud/OpenObserve Credentials:

  • Navigate to the OpenObserve dashboard.
  • Click on "Ingestion" and then "Kinesis Firehose".
  • Obtain the credentials needed for the next step.

2. Configure Kinesis Firehose:

  • Log in to the AWS Management Console.
  • Go to Kinesis Firehose.
  • Click "Create delivery stream".
  • Choose the source as "Direct PUT" and the destination as "HTTP Endpoint".
  • Give the stream a name and enter the HTTP endpoint URL from the previous step.

3. Set up IAM Policy and Role for CloudWatch to Send Logs to Kinesis Firehose:

  • Create an IAM role with the necessary permissions.
  • Associate the permissions policy with the role.

4. Set up CloudWatch Subscription Filter to Send Logs to Kinesis Firehose:

  • Navigate to the CloudWatch dashboard.
  • Select the log group you want to send to OpenObserve.
  • Click the "Actions" dropdown menu and select "Subscription filters > Create Kinesis Firehose Subscription Filter".
  • Choose the destination as the Kinesis Firehose stream and the IAM role created earlier.
  • Click "Start streaming".

5. Monitor and Analyze CloudWatch Logs in OpenObserve:

  • Navigate to the OpenObserve UI.
  • Select the "cloudwatch" stream.
  • Use the query editor to search for logs as usual.
  • Build a new dashboard for your log data.
  • Set up alerts and notifications for potential issues in your AWS environment.

By following these steps, you can use OpenObserve to analyze and search your real-time log data from CloudWatch Logs subscription filters.

Integrating OpenObserve with CloudWatch Logs is a breeze. Get your OpenObserve credentials in just a few clicks and proceed to the next step! Open an OpenObserve account today to unlock seamless CloudWatch Logs integration.

Conclusion

This guide explores CloudWatch Logs subscription filters, a powerful tool for analyzing log data in real-time. OpenObserve offers a platform for analyzing and searching log data delivered by CloudWatch Logs subscription filters.

Subscription filters are a valuable tool for unlocking real-time insights from your CloudWatch Logs. By implementing them effectively and understanding their limitations, you can gain valuable insights into your applications and optimize their performance.

Build dashboards, set up alerts, and proactively monitor your AWS environment for potential issues. Start your free OpenObserve trial and experience the power of real-time log data monitoring!


Author:


The OpenObserve Team comprises dedicated professionals committed to revolutionizing system observability through their innovative platform, OpenObserve. They are dedicated to streamlining data observation and system monitoring, offering high-performance and cost-effective solutions for diverse use cases.

OpenObserve Inc. © 2024