Why isn't the unified CloudWatch agent pushing log events?

Last updated: 2019-10-15

I'm using the unified CloudWatch agent to push logs to Amazon CloudWatch Logs. However, I can't see the logs in the CloudWatch Logs console. How do I troubleshoot why the unified CloudWatch agent isn't pushing log events?

Short Description

The following issues can prevent the unified CloudWatch agent from pushing log events:

  • Failure to connect to the CloudWatch Logs endpoint
  • Incorrect account, Region, or log group configurations
  • Insufficient AWS Identity and Access Management (IAM) permissions
  • CloudWatch agent run errors

Resolution

Test connectivity to your CloudWatch Logs endpoint

Test connectivity to the CloudWatch Logs endpoint using either of the following commands:

telnet logs.<region>.amazonaws.com 443
nc -zv logs.<region>.amazonaws.com 443

If you encounter connectivity failures, be sure that:

  • The security group and network access control list (ACL) rules allow connectivity
  • Your instance can reach the public endpoint using an internet gateway or a network address translation (NAT) gateway
  • If you're using VPC endpoints, the endpoint resolves to a VPC IP and the endpoint security group allows access from the source instance

Review your account, Region, and log group configurations

In the CloudWatch agent configuration file:

  • Be sure that the specified Region matches the console Region
  • Verify that you're looking for the logs in the same account the agent writes to

Optionally, you can use the common-config.toml file to override system defaults for the CloudWatch agent, including the proxy, Region, and credential information for the agent. The file is available in the following locations.

Linux:

/opt/aws/amazon-cloudwatch-agent/etc/common-config.toml or /etc/amazon/amazon-cloudwatch-agent/common-config.toml

Windows:

$Env:ProgramData\Amazon\AmazonCloudWatchAgent\common-config.toml

Check your IAM permissions

Confirm that the IAM user or role the agent uses includes the following IAM permissions:

"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"

Add any missing IAM permissions to the user policy or the role policy.

Note: It's a best practice to attach the CloudWatchAgentServerPolicy and CloudWatchAgentAdminPolicy policies created by Amazon to your IAM users and roles rather than writing custom policies.

Resolve any CloudWatch agent run errors

Verify that the CloudWatch agent is running. If the agent isn't running, check the log file for errors and resolve them. Log files are located in the following locations.

Linux:

/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log

Windows:

$Env:ProgramData\Amazon\AmazonCloudWatchAgent\Logs\amazon-cloudwatch-agent.log

Logs might also be in a custom logfile location specified in your agent configuration file.

Note: Check for log event timestamps that are older than 14 days or that are more than two hours in the future. PutLogEvents doesn't accept log batches in either of these time frames, so the agent can't deliver those events.
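The following helper is an added example, not code from this article or from the CloudWatch agent. It flags events outside the window PutLogEvents accepts (older than 14 days or more than two hours in the future) and wraps the endpoint reachability test from the first section so it can be scripted. It assumes GNU date (for -d) and nc; the timestamp format and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added troubleshooting helper (not AWS's code or part of the agent). Flags log
# events outside the window PutLogEvents accepts (older than 14 days, or more than
# two hours in the future) and wraps the endpoint reachability test.
# Assumes GNU date (for -d) and nc; the timestamp format and sample lines are
# constructed for this example.

SECONDS_14D=$((14 * 24 * 3600))
SECONDS_2H=$((2 * 3600))

# check_event_window FILE: each line is assumed to start with an ISO 8601 UTC
# timestamp (YYYY-MM-DDTHH:MM:SSZ). Prints each out-of-window line with a reason.
# Returns 0 when every event is deliverable, 1 when at least one would be rejected.
check_event_window() {
  file="$1"; bad=0; now=$(date -u +%s)
  while IFS= read -r line; do
    ts="${line%% *}"                       # first whitespace-separated field
    if ! epoch=$(date -u -d "$ts" +%s 2>/dev/null); then
      echo "UNPARSEABLE timestamp: $line"; bad=1; continue
    fi
    if [ $((now - epoch)) -gt "$SECONDS_14D" ]; then
      echo "TOO OLD (>14 days): $line"; bad=1
    elif [ $((epoch - now)) -gt "$SECONDS_2H" ]; then
      echo "TOO FAR IN FUTURE (>2 hours): $line"; bad=1
    fi
  done < "$file"
  return "$bad"
}

# check_logs_endpoint REGION: TCP test of the Region's CloudWatch Logs endpoint
# (the nc command from the article, made scriptable). Returns nc's exit status.
check_logs_endpoint() {
  nc -zv -w 5 "logs.$1.amazonaws.com" 443
}

# make_sample_log FILE: constructed sample with one deliverable event, one stale
# event and one whose clock is skewed into the future.
make_sample_log() {
  {
    echo "$(date -u -d '1 hour ago' '+%Y-%m-%dT%H:%M:%SZ') app started"
    echo "$(date -u -d '20 days ago' '+%Y-%m-%dT%H:%M:%SZ') stale backlog line"
    echo "$(date -u -d '3 hours' '+%Y-%m-%dT%H:%M:%SZ') clock-skewed line"
  } > "$1"
}
```

Run check_event_window against the file the agent is collecting (or a copy of it) when events are silently missing; a non-zero exit with "TOO OLD" or "TOO FAR IN FUTURE" lines points at backlog or clock skew rather than at permissions or connectivity.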
