Why isn't the unified CloudWatch agent pushing log events?
Last updated: 2019-10-15
I'm using the unified CloudWatch agent to push logs to Amazon CloudWatch Logs. However, I can't see the logs in the CloudWatch Logs console. How do I troubleshoot why the unified CloudWatch agent isn't pushing log events?
Short Description
The following issues can prevent the unified CloudWatch agent from pushing log events:
- Failure to connect to the CloudWatch Logs endpoint
- Incorrect account, Region, or log group configurations
- Insufficient AWS Identity and Access Management (IAM) permissions
- CloudWatch agent run errors
Resolution
Test connectivity to your CloudWatch Logs endpoint
Test connectivity to the CloudWatch Logs endpoint using either of the following commands:
telnet logs.<region>.amazonaws.com 443
nc -zv logs.<region>.amazonaws.com 443
If you encounter connectivity failures, be sure that:
- The security group and network access control list (ACL) rules allow connectivity
- Your instance can reach the public endpoint using an internet gateway or a network address translation (NAT) gateway
- If you're using VPC endpoints, the endpoint resolves to a VPC IP and the endpoint security group allows access from the source instance
Review your account, Region, and log group configurations
In the CloudWatch agent configuration file:
- Be sure that the specified Region matches the console Region
- Verify that you're looking for the logs in the account the agent's credentials belong to
Optionally, you can use the common-config.toml file to override system defaults for the CloudWatch agent, including the proxy, Region, and credential information for the agent. The file is available in the following locations.
Linux:
/opt/aws/amazon-cloudwatch-agent/etc/common-config.toml or /etc/amazon/amazon-cloudwatch-agent/common-config.toml
Windows:
$Env:ProgramData\Amazon\AmazonCloudWatchAgent\common-config.toml
Check your IAM permissions
Confirm that the IAM user or role the agent uses has the following permissions:
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
Add any missing IAM permissions to the user policy or the role policy.
Note: It's a best practice to attach the AWS managed policies CloudWatchAgentServerPolicy and CloudWatchAgentAdminPolicy to your IAM users and roles rather than writing custom policies.
Resolve any CloudWatch agent run errors
Verify that the CloudWatch agent is running. If the agent isn't running, check the log file for errors and resolve them. Log files are located in the following locations.
Linux:
/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log
Windows:
$Env:ProgramData\Amazon\AmazonCloudWatchAgent\Logs\amazon-cloudwatch-agent.log
Logs might also be in a custom logfile location specified in your agent configuration file.
Note: Check for log event timestamps that are older than 14 days or more than two hours in the future. PutLogEvents rejects log batches that contain events in either of these time frames, so such events are never delivered even when the agent is otherwise healthy.
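The Linux checks in this article, as an added shell example that is not part of the article or of the agent itself: it assumes nc is installed, assumes the agent log marks errors with a leading "E! " token, and uses a constructed sample log rather than a real capture.

```shell
#!/bin/sh
# Added triage helper for the unified CloudWatch agent on Linux (not AWS code).
AGENT_LOG=/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log
AGENT_CTL=/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl

# Step 1: TCP reachability of the CloudWatch Logs endpoint for a Region.
# Returns non-zero if the security group, NACL, route or VPC endpoint blocks it.
check_logs_endpoint() {
  nc -zv -w 5 "logs.$1.amazonaws.com" 443 >/dev/null 2>&1
}

# Step 4: is the agent process up? (Uses the agent's own control script.)
agent_status() {
  "$AGENT_CTL" -a status 2>/dev/null
}

# Step 4: classify an event timestamp (epoch seconds) against the PutLogEvents
# window: older than 14 days -> too_old, more than 2 hours ahead -> too_future.
# The optional second argument fixes "now" so the check is reproducible.
classify_timestamp() {
  ts="$1"; now="${2:-$(date +%s)}"
  if [ "$ts" -lt $((now - 14 * 24 * 3600)) ]; then echo too_old
  elif [ "$ts" -gt $((now + 2 * 3600)) ]; then echo too_future
  else echo ok
  fi
}

# Step 4: count agent log lines that indicate auth or delivery failures.
# "E! " is the assumed error prefix; the AWS error names are common ones.
count_agent_errors() {
  grep -c -E 'E! |AccessDenied|UnrecognizedClientException|RequestError' "$1"
}

# Constructed sample agent log (not a real capture) used to exercise the scan.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2019/10/15 12:00:01 I! [outputs.cloudwatchlogs] Created log group my-group
2019/10/15 12:00:02 E! [outputs.cloudwatchlogs] AccessDeniedException: not authorized to perform logs:PutLogEvents
2019/10/15 12:00:03 E! [outputs.cloudwatchlogs] RequestError: send request failed dial tcp: i/o timeout
EOF

echo "errors in sample log: $(count_agent_errors "$SAMPLE_LOG")"   # 2
echo "15-day-old event: $(classify_timestamp $(( $(date +%s) - 15*86400 )))"  # too_old
# Real-host usage: check_logs_endpoint us-east-1; agent_status; count_agent_errors "$AGENT_LOG"
```

A non-zero error count points you at the IAM or connectivity sections above; a too_old or too_future result explains missing events even when the agent reports no errors.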