Problem writing Lambda logs to CloudWatch, what could be wrong?
I'm having some problems trying to write my Lambda function logs to CloudWatch Logs. It seems it is not a problem of authorization, as you can see below:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        -
          Effect: Allow
          Action:
            - logs:CreateLogGroup
          Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
        - Effect: Allow
          Action:
            - logs:CreateLogStream
            - logs:PutLogEvent
          Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${FunctionName}:*
I've tried a broader policy as well with arn:aws:logs:*:*:* as resource like some examples I found.
The template works fine on CloudFormation and the resources are created as appropriate. When I execute the Lambda function as a test everything works fine, but the logs are not written. It creates the log group and the log stream, but nothing is inside the log stream.
This is not a problem with the Lambda function either. I deployed the function manually before creating the template and the CloudWatch Logs works fine in this case. I copied the role and policy exactly as it is written in the manual approach to create the template.
Is it some kind of known bug in CloudFormation/SAM/Lambda? Or am I doing something wrong I didn't notice?
Please tell me if you need more information to understand the context. Thanks!
aws-lambda amazon-cloudformation amazon-cloudwatchlogs aws-sam
edited Nov 18 at 17:04
marc_s
asked Nov 18 at 14:06
leonardo.teteo
Hrmm that's an odd one, how are you writing the logs? Have you got a github repo I could have a look at? I can share my github user name if you do.
– Mrk Fldig
Nov 18 at 19:50
Thank you for the answer @MrkFldig. I do have, here is the link. Feel free to ask any question since it is not well documented yet. It is in Java and I use log4j appender to log.
– leonardo.teteo
Nov 19 at 2:02
So shot in the dark here because I had the same problem with Bunyan, what's the log level set at for log4j? You look like you're using INFO mainly, if the default for Log4j is a log level above that you won't see them? Check this out: docs.aws.amazon.com/lambda/latest/dg/… - try the system.out method OR, to prove what I'm saying, change an info statement to error.
– Mrk Fldig
Nov 19 at 19:45
The log level, as you can see in the log4j2.xml of the project is INFO. I used precisely the example you linked to to create my log4j2 appender, it is exactly the same, I didn't change anything. And I've said in the question, the CloudWatch Logs works perfectly fine when I deploy it manually, this problem only happens when I deploy it through CloudFormation.
– leonardo.teteo
Nov 19 at 23:14
Are you deploying the Lambda as part of the same CloudFormation template? If so, have you attached a role that allows it to write to CloudWatch?
– K Mo
Nov 20 at 16:08
1 Answer
accepted
In the end I was able to solve the problem by removing the CloudWatch Logs permissions from the policy I wrote and using the managed policy from AWS:

    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

With that the logs were written to the LogGroup normally.
answered 14 hours ago
leonardo.teteo
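
An added example, not part of the original question or answer: a simplified check of which logging actions a role's Allow statements actually grant, compared with the three actions in `AWSLambdaBasicExecutionRole`. The policy in the question spells the action `logs:PutLogEvent`, while the managed policy grants `logs:PutLogEvents` (on `Resource: "*"`), which is consistent with a log stream that gets created but stays empty. The account id, region, function name and stream name below are constructed placeholders, and the function names are hypothetical.

```python
import re

# Actions granted by the AWS managed policy AWSLambdaBasicExecutionRole,
# i.e. what a function's role needs to ship its logs to CloudWatch Logs.
REQUIRED = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def missing_log_actions(statements, resource_arn):
    """Return the required actions that no Allow statement grants on
    resource_arn. Simplified: Deny statements and Condition blocks are
    ignored, and every action is checked against the same ARN."""
    missing = []
    for action in REQUIRED:
        allowed = any(
            st.get("Effect") == "Allow"
            and any(_matches(a, action, ignore_case=True) for a in _as_list(st["Action"]))
            and any(_matches(r, resource_arn) for r in _as_list(st["Resource"]))
            for st in statements)
        if not allowed:
            missing.append(action)
    return missing

# Constructed values: account id, region, function and stream are placeholders.
PREFIX = "arn:aws:logs:us-east-1:123456789012:"
STREAM = PREFIX + "log-group:/aws/lambda/my-function:log-stream:2018/11/18/[$LATEST]abc"

# The two statements from the question, with !Sub already resolved.
QUESTION_POLICY = [
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup"], "Resource": PREFIX + "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvent"],
     "Resource": PREFIX + "log-group:/aws/lambda/my-function:*"},
]
# Same resource scoping, with the action spelled as in the managed policy.
SCOPED_POLICY = [
    QUESTION_POLICY[0],
    {**QUESTION_POLICY[1], "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]},
]

if __name__ == "__main__":
    print("question policy is missing:", missing_log_actions(QUESTION_POLICY, STREAM))
    print("scoped policy is missing:  ", missing_log_actions(SCOPED_POLICY, STREAM))
```

The scoped variant keeps the per-function resource restriction from the question, which the managed policy does not have.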