I'm trying to ingest Cloudwatch logs in Sumo Logic. It works for metrics but not for logs. When I try to perform a log search querying

_sourceCategory=aws/cloudwatch

nothing is retrieved.

If I do the same in metrics, it works. So the issue seems to be with the logs.

Here's the context and how I set it up:

First I created a role with their template. But since it wasn't working, I added an open permission to AWS CloudWatch and AWS Logs (top of actions):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:*",
                "cloudwatch:*",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "tag:GetResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Then, I used the wizard to set up streaming data. AWS CloudWatch Logs didn't appear, but AWS CloudWatch Metrics did. (Could this be related to my issue?)

For source category: aws/cloudwatch Regions: us-east-1

Namespaces to include: AWS/Logs AWS/Lambda

In role, I pasted the ARN of the role created previously.

As I said previously, I can use the metrics and query by metrics, but not query logs. I'm new to both AWS and Sumo, and I don't know what I am missing.

I would appreciate any advice.

1 Answer

If you used the wizard, then it makes sense you only get the metrics. Collecting CloudWatch logs is done differently. You will need a Lambda Function to push the logs to Sumo Logic. Sumo Logic cannot pull CloudWatch logs directly.

Grzegorz attached the link to the documentation for collecting CloudWatch logs.
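An added example of the push path the answer describes, not Sumo Logic's own Lambda collector: a minimal Lambda function that decodes a CloudWatch Logs subscription event and forwards each log event to a Sumo HTTP source, tagging it with the same _sourceCategory the question searches for. SUMO_HTTP_ENDPOINT, its placeholder URL and make_test_event are assumptions for illustration.

```python
import base64
import gzip
import json
import os
import urllib.request

# Hypothetical: URL of a Sumo Logic HTTP Logs source, read from the Lambda environment.
SUMO_HTTP_ENDPOINT = os.environ.get("SUMO_HTTP_ENDPOINT", "https://PLACEHOLDER/receiver/v1/http/TOKEN")


def decode_cloudwatch_event(event):
    """Decode what a CloudWatch Logs subscription filter delivers to Lambda:
    event["awslogs"]["data"] is base64 of a gzip-compressed JSON document."""
    raw = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(raw).decode("utf-8"))
    # CONTROL_MESSAGE is sent when the subscription is created; there is nothing to forward.
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    return [{"timestamp": e["timestamp"], "logGroup": payload["logGroup"],
             "logStream": payload["logStream"], "message": e["message"]}
            for e in payload["logEvents"]]


def format_lines(records):
    """One JSON object per line; the HTTP source treats each line as a separate message."""
    return "\n".join(json.dumps(r) for r in records)


def post_to_sumo(body, source_category="aws/cloudwatch"):
    """POST the batch; X-Sumo-Category sets the _sourceCategory the question searches for."""
    req = urllib.request.Request(
        SUMO_HTTP_ENDPOINT, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "X-Sumo-Category": source_category})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def handler(event, context):
    """Lambda entry point."""
    records = decode_cloudwatch_event(event)
    if records:
        post_to_sumo(format_lines(records))
    return {"forwarded": len(records)}


def make_test_event(log_group, log_stream, messages, message_type="DATA_MESSAGE"):
    """Build a constructed subscription event for local testing (not real AWS data)."""
    payload = {"messageType": message_type, "logGroup": log_group, "logStream": log_stream,
               "logEvents": [{"id": str(i), "timestamp": 1700000000000 + i, "message": m}
                             for i, m in enumerate(messages)]}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode("utf-8"))).decode("ascii")
    return {"awslogs": {"data": data}}
```

The function is triggered by a subscription filter on the log group, so the IAM policy in the question is not what gates log delivery; the subscription filter and the Lambda's permission to be invoked are.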