@trevorwhitney
Created January 14, 2020 18:56
Comparison of options to get CloudWatch logs into Sumo logic
  • Set up a syslog endpoint and modify the logger in our lambdas with an additional appender
    • This will only work for executables we control (i.e. we could get Lambda logs but not API Gateway logs)
    • We could publish to this syslog endpoint locally to test it
    • We could have different syslog endpoints for dev vs prod and could provide the correct address via env vars (I think)
  • Get logs using a collector script
    • Not recommended by Sumo Logic
    • Best for small data volumes
    • Does not compress logs before sending to Sumo Logic
    • I don't understand where this script will run, maybe an EC2 instance?
  • Get logs using an Amazon Kinesis stream
    • Community supported alternative
    • Not officially supported by Sumo Logic
    • Developed before Amazon introduced the ability to stream CloudWatch logs to AWS Lambda
    • Requires more infrastructure and the integration of more AWS services than using the AWS Lambda based approach
      • Requires an EC2 instance
      • Requires a Kinesis stream
    • The one advantage that this approach offers is increased assurance of delivery because the data is pulled from the queue synchronously, and will retry in case of delivery failure.
    • Sumo Logic provides a CloudFormation template to get up and running
      • More complicated CloudFormation than the Lambda option
    • Configuration is much more complicated, but is probably configurable to specific log groups, allowing separation of dev vs. prod
  • Get logs using a Lambda function built by Sumo Logic
    • Recommended by Sumo Logic
    • Officially supported by Sumo Logic
    • Compresses logs sent to Sumo Logic
    • Configurable to receive logs from only specific log groups, so easy to separate between dev and prod
    • Data delivery failures may result in lost data (there is a dead letter queue, so there is some retrying)
    • Sumo Logic provides a CloudFormation template to get up and running
    • Lambda compute time is more expensive than EC2, but this also doesn't require a Kinesis stream
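The first option above (an extra syslog appender on the Lambda's logger, with the endpoint chosen per environment through env vars) as an added Python example. This is not code from the gist or from Sumo Logic: the env var names `SYSLOG_HOST`, `SYSLOG_PORT` and `SYSLOG_TOKEN`, the logger name and the message layout are assumptions, and `FakeSyslogEndpoint` is a constructed local stand-in so the example runs offline, which is also how the gist proposes testing the appender locally.

```python
"""Added example (not from the gist): give a Lambda's logger an extra syslog
appender whose endpoint and token come from environment variables, so dev and
prod can point at different syslog sources. SYSLOG_HOST / SYSLOG_PORT /
SYSLOG_TOKEN and the message layout are assumptions for illustration."""
import logging
import logging.handlers
import os
import socket
import threading


def build_logger(name="app", env=None):
    """Return a logger writing to stderr (what CloudWatch captures in Lambda)
    and, when SYSLOG_HOST is set, also to a TCP syslog endpoint."""
    env = os.environ if env is None else env
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    # Lambda reuses containers between invocations; dropping old handlers keeps
    # a second call from attaching a second appender to the same logger.
    for h in list(logger.handlers):
        h.close()
        logger.removeHandler(h)

    stderr = logging.StreamHandler()
    stderr.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger.addHandler(stderr)

    host = env.get("SYSLOG_HOST")
    if host:
        port = int(env.get("SYSLOG_PORT", "514"))
        token = env.get("SYSLOG_TOKEN", "")
        syslog = logging.handlers.SysLogHandler(address=(host, port),
                                                socktype=socket.SOCK_STREAM)
        # An unreachable endpoint must not hang the invocation: bound the socket.
        if syslog.socket is not None:
            syslog.socket.settimeout(2.0)
        # Assumed layout: per-source token, then logger name, then the message.
        # A real hosted syslog source documents its own required format.
        syslog.setFormatter(logging.Formatter(f"{token} {name}: %(message)s"))
        logger.addHandler(syslog)
    return logger


class FakeSyslogEndpoint:
    """Local TCP listener standing in for the syslog endpoint (constructed
    test aid so the example runs offline)."""

    def __init__(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))
        self._sock.listen(1)
        self.port = self._sock.getsockname()[1]
        self._buf = bytearray()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self._sock.accept()
        with conn:
            while chunk := conn.recv(4096):
                self._buf += chunk
        self._sock.close()

    def messages(self):
        """Wait for the client to disconnect, then return one string per
        NUL-terminated record (SysLogHandler appends NUL over TCP)."""
        self._thread.join(timeout=5)
        return [m.decode() for m in bytes(self._buf).split(b"\x00") if m]


def send_via_syslog(message, token="tok-dev", logger_name="orders-dev"):
    """Log one line through a logger built from a constructed dev environment
    and return what the fake endpoint received."""
    endpoint = FakeSyslogEndpoint()
    env = {"SYSLOG_HOST": "127.0.0.1", "SYSLOG_PORT": str(endpoint.port),
           "SYSLOG_TOKEN": token}
    logger = build_logger(logger_name, env)
    logger.info(message)
    # Closing the handlers disconnects, which ends the listener's read loop.
    for h in list(logger.handlers):
        h.close()
        logger.removeHandler(h)
    return endpoint.messages()


def without_syslog():
    """With no SYSLOG_HOST set, only the stderr/CloudWatch handler is attached."""
    logger = build_logger("orders-local", env={})
    return [type(h).__name__ for h in logger.handlers]


if __name__ == "__main__":
    print(send_via_syslog("order created id=42"))
```

Three caveats for the real thing: the stdlib `SysLogHandler` speaks plaintext TCP or UDP, so a hosted endpoint should be reached over TLS (wrap the socket or use a handler that does); the token is a credential, so keep it in an env var or secret and make sure the stderr formatter never echoes it into CloudWatch; and a connect to an unreachable endpoint costs Lambda time and can mask the real error, hence the socket timeout and the idempotent handler setup.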