Why are my Amazon ECS container logs not delivered to Amazon CloudWatch Logs?

Last updated: 2022-03-09

I can't find my Amazon Elastic Container Service (Amazon ECS) task's container logs in Amazon CloudWatch Logs.

Short description

Your Amazon ECS container logs aren't delivered to CloudWatch Logs due to one or more of the following reasons:

  • The awslogs log driver is not configured correctly in your Amazon ECS task definitions.
  • The AWS Identity and Access Management (IAM) role doesn't have the required permissions.
  • There are issues with your networking configuration.
  • The log level for the container is not configured correctly.

Resolution

The awslogs log driver is not configured properly

  • To send the container log information to CloudWatch Logs, you must configure the containers in your tasks correctly. Be sure that you configured the logConfiguration parameter correctly when you define the parameters for our container. If your Amazon ECS task definition involves multiple containers, then you must configure this parameter for each container.
  • Be sure that you added the awslogs log driver to the logConfiguration parameter in your task definition.
  • For Amazon Elastic Compute Cloud (Amazon EC2) launch type, perform these additional checks:
    • Be sure that your Amazon ECS container instance includes at least version 1.9.0 of the container agent. For information about checking your agent version and updating to the latest version, see Updating the Amazon ECS container agent.
    • If you aren't using the Amazon ECS-optimized AMI for your container instances, then be sure that the awslogs log driver is specified on the container instance when you start the agent using the following environment variable. For more information, see Installing the Amazon ECS container agent.
ECS_AVAILABLE_LOGGING_DRIVERS='["json-file","awslogs"]'

The IAM role doesn't have the required permissions

  • Be sure the IAM role for your Amazon ECS container instance has logs:CreateLogStream and logs:PutLogEvents permissions.
  • For Fargate launch type, use the Amazon ECS task execution IAM role with logs:CreateLogStream and logs:PutLogEvents permissions. For more information, see Amazon ECS task execution IAM role.
  • For Amazon EC2 launch type, check the following:
    • If you are not using Amazon ECS task execution IAM role in your task definition, be sure that logs:CreateLogStream and logs:PutLogEvents permissions are granted on the IAM role used by your container instance.
    • If you're using the Amazon ECS task execution IAM role, be sure that the value of the container agent parameter ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE is set to true.
      Note: When you use the Amazon ECS-optimized AMI with version 1.16.0 -1 or later of the ecs-init package, the default value of this parameter is true. On Windows, the default value of this parameter false. For more information, see Amazon ECS container agent configuration.

There are issues with your network configuration

If your Amazon Virtual Private Cloud (Amazon VPC) doesn't have an internet gateway, and your tasks use the awslogs log driver to send log information to CloudWatch Logs, then be sure that you created an interface Amazon VPC endpoint for CloudWatch Logs. For more information, see Using CloudWatch Logs with interface VPC endpoints.

The log level for the container is not configured correctly

The awslogs log driver simply passes the container logs that are the STDOUT and STDERR I/O streams from Docker to CloudWatch Logs. Therefore, verify that your application sends the logs to STDOUT and STDERR I/O streams. Be sure to set the correct log level for your application during the container build. Depending on your application, you might set the log level through an environment variable or a configuration file.