Deploy this integration to simultaneously ship logs from multiple AWS accounts to Logz.io.
This integration uses two types of accounts:
- Landing account, which receives logs from your multiple AWS accounts and sends them to Logz.io.
- Sending accounts, which send logs from your AWS services to the landing account.
The integration creates the following resources:
- Kinesis stream, which receives logs from multiple AWS accounts.
- Destination, which encapsulates the stream and allows logs to be sent to it.
- Lambda function, which uses the Kinesis stream as a trigger, and sends the logs to Logz.io.
- Additional Destinations (if required) for each region you need to ship logs from.
- Subscription filters, which send the logs from CloudWatch to the Destination of the landing account.
Before you begin, you'll need:
- Your AWS service publishes logs to CloudWatch.
- Your log group is in the format /<<AWS-PARTITION>>/<<SERVICE-NAME>>/<<NAME>>, for example: /aws/lambda/my_function.
- AWS CLI
Click the button that matches the region you'd like to deploy your main stack to:
Keep the default settings in the Create stack screen and select Next.
Specify the stack details as per the table below and select Next.
Parameter | Description | Required / Defaults |
---|---|---|
AccountsArns | Comma-delimited list (no spaces) of all ARNs involved in this integration. This includes ARNs of the landing account and the accounts you'd like to send logs from. The ARNs should be specified as follows: arn:aws:logs:*:<<ACCOUNT_NUMBER>>:* . For example, if our landing account is 123, and we also want to send logs from account 456, we'll insert: arn:aws:logs:*:123:*,arn:aws:logs:*:456:* | Required |
KinesisStreamBatchSize | The largest number of records that will be read from your stream at once. | Default: 100 |
LogzioCOMPRESS | If true, the Lambda will send compressed logs. If false, the Lambda will send uncompressed logs. | Default: true |
LogzioREGION | Two-letter region code, or blank for US East (Northern Virginia). This determines your listener URL (where you're shipping the logs to) and API URL. You can find your region code in the Regions and URLs here. | Default: us |
LogzioTOKEN | The token of the account you want to ship to. Can be found here. | Required |
SendingAccounts | Comma-delimited list (no spaces) of account numbers of the accounts you'd like to send logs from. Each account number should be wrapped in double-quotes. The numbers should be specified as follows: "1234","5678","9012" | Required |
If required, specify the Key and Value parameters for the Tags and select Next.
Confirm that you acknowledge that AWS CloudFormation might create IAM resources, might create IAM resources with custom names, and might require CAPABILITY_AUTO_EXPAND, and select Create stack.
6. Create a stack to deploy destinations in the landing account on each region you need to send logs from
Note: This procedure is only required if you need to send logs from regions that are different to the region that the main stack is deployed in.
Click the button that matches the region you'd like to deploy your destination stack to:
Keep the default settings in the Create stack screen and select Next.
Specify the stack details as per the table below and select Next.
Parameter | Description |
---|---|
RoleArn | The ARN of the Role created in the main stack. You can find it in the main stack's Outputs tab, under LogzioCrossAccountRole. |
KinesisStreamArn | The ARN of the Kinesis Stream created in the main stack. You can find it in the main stack's Outputs tab, under LogzioCrossAccountKinesisStreamArn. |
SendingAccounts | Comma-delimited list (no spaces) of account numbers of the accounts you'd like to send logs from. Each account number should be wrapped in double-quotes. The numbers should be specified as follows: "1234","5678","9012" |
If required, specify the Key and Value parameters for the Tags and select Next.
Confirm that you acknowledge that AWS CloudFormation might create IAM resources, might create IAM resources with custom names, and might require CAPABILITY_AUTO_EXPAND, and select Create stack.
Note: You need to create a subscription filter in each sending account separately, for each service that you want to send logs from.
- Make sure your AWS CLI is connected to the account you want to send logs from.
- Make sure you have set the CLI to the region of the account that you need to send logs from.
- Run the following command:
aws logs put-subscription-filter \
--log-group-name "<<LOG-GROUP-NAME>>" \
--filter-name "<<SUBSCRIPTION-FILTER-NAME>>" \
--filter-pattern " " \
--destination-arn "<<DESTINATION-ARN>>"
- Replace <<LOG-GROUP-NAME>> with the name of the log group you want to collect logs from.
- Replace <<SUBSCRIPTION-FILTER-NAME>> with the name of the subscription filter you create.
- Replace <<DESTINATION-ARN>> with the ARN of the destination that matches the region of the sending account that you want to ship logs from. For example, if the log stream is in us-west-2, use the ARN of the Destination that's in us-west-2. You can find the ARN in the main stack's Outputs tab.
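The two things most likely to go wrong in the command above are a destination ARN from the wrong region and a log group name outside the /<<AWS-PARTITION>>/<<SERVICE-NAME>>/<<NAME>> format. The following offline check is an added example, not part of the Logz.io integration; the function names, ARN and account number are constructed, and it assumes the standard CloudWatch Logs destination ARN layout and that <<NAME>> may contain further slashes.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for the put-subscription-filter step.
# The ARN, account number and log group names below are constructed samples.

# Print the region of a CloudWatch Logs destination ARN
# (arn:<partition>:logs:<region>:<account>:destination:<name>); fail on other shapes.
destination_region() (
  set -f; IFS=:
  set -- $1                                   # split the ARN on ':'
  [ "$#" -eq 7 ] || exit 1
  [ "$1" = arn ] && [ -n "$2" ] && [ "$3" = logs ] && [ "$6" = destination ] || exit 1
  case "$4" in ''|*[!a-z0-9-]*) exit 1 ;; esac   # region field
  case "$5" in *[!0-9]*) exit 1 ;; esac           # account field, digits only
  [ "${#5}" -eq 12 ] && [ -n "$7" ] || exit 1
  printf '%s\n' "$4"
)

# Succeed only if the destination is in the region the log group lives in.
region_matches() (
  region=$(destination_region "$1") || exit 1
  [ "$region" = "$2" ]
)

# Succeed if the name follows /<<AWS-PARTITION>>/<<SERVICE-NAME>>/<<NAME>>.
# Assumption: <<NAME>> may itself contain further slashes.
log_group_has_required_format() (
  case "$1" in /*/*/*) ;; *) exit 1 ;; esac
  rest=${1#/};     partition=${rest%%/*}
  rest=${rest#*/}; service=${rest%%/*}; name=${rest#*/}
  [ -n "$partition" ] && [ -n "$service" ] && [ -n "$name" ]
)

# preflight LOG_GROUP DESTINATION_ARN REGION: report every problem, fail if any.
preflight() (
  status=0
  log_group_has_required_format "$1" ||
    { echo "log group '$1' is not in the required format" >&2; status=1; }
  region_matches "$2" "$3" ||
    { echo "destination ARN is malformed or not in region $3" >&2; status=1; }
  exit "$status"
)

preflight /aws/lambda/my_function \
  "arn:aws:logs:us-west-2:123456789012:destination:ConstructedDestination" us-west-2 &&
  echo "ok to run put-subscription-filter"
```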
In your Terraform configuration, add the following:
resource "aws_cloudwatch_log_subscription_filter" "subscription_filter" {
  name            = "<<SUBSCRIPTION-FILTER-NAME>>"
  log_group_name  = "<<LOG-GROUP-NAME>>"
  filter_pattern  = " "
  destination_arn = "<<DESTINATION-ARN>>"
}
- Replace <<LOG-GROUP-NAME>> with the name of the log group you want to collect logs from.
- Replace <<SUBSCRIPTION-FILTER-NAME>> with the name of the subscription filter you create.
- Replace <<DESTINATION-ARN>> with the ARN of the destination that matches the region of the sending account that you want to ship logs from. For example, if the log stream is in us-west-2, use the ARN of the Destination that's in us-west-2. You can find the ARN in the main stack's Outputs tab.
Tip: If you create the log group and the subscription filter at the same time, add a depends_on field to the subscription filter and make it dependent on the log group, so that the log group will be created first.
Give your logs some time to get from your system to ours, and then open Kibana.
Note: If your log group is not under the required format, the logs will arrive under the default type aws-cross-account. Otherwise, the type will be the service you sent the logs from.
If you need to add more accounts to an existing integration, you can update the deployed stacks as follows.
In your AWS Console, go to CloudFormation, choose your main stack and select Update.
Choose Use current template and select Next.
- Add new ARNs to AccountsArns. The ARNs should be specified as follows: arn:aws:logs:*:<<ACCOUNT_NUMBER>>:*,arn:aws:logs:*:<<ACCOUNT_NUMBER>>:*,arn:aws:logs:*:<<ACCOUNT_NUMBER>>:*
- Add new account numbers to SendingAccounts. The numbers should be specified as follows: "1234","5678","9012"
Note: Do not overwrite existing values.
If required, specify the Key and Value parameters for the Tags and select Next.
Confirm that you acknowledge that AWS CloudFormation might create IAM resources, might create IAM resources with custom names, and might require CAPABILITY_AUTO_EXPAND, and select Create stack.
In your AWS Console, go to CloudFormation, choose your destinations stack and select Update.
Choose Use current template and select Next.
- Add new account numbers to SendingAccounts. The numbers should be specified as follows: "1234","5678","9012"
Note: Do not overwrite existing values.
If required, specify the Key and Value parameters for the Tags and select Next.
Confirm that you acknowledge that AWS CloudFormation might create IAM resources, might create IAM resources with custom names, and might require CAPABILITY_AUTO_EXPAND, and select Create stack.
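The update steps above append to AccountsArns and SendingAccounts without overwriting existing values, using the same comma-delimited, no-spaces formats as the main stack's parameter table. The following is an added example, not part of the Logz.io integration, that builds those values and merges new accounts into an existing value; the function names and account numbers are constructed, and it assumes full 12-digit account numbers rather than the page's shortened samples.

```shell
#!/bin/sh
# Added example: build and extend the AccountsArns / SendingAccounts values.
# Account numbers are constructed; real AWS account numbers are 12 digits.

# Succeed only if every argument is a 12-digit account number.
valid_ids() (
  [ "$#" -gt 0 ] || exit 1
  for id in "$@"; do
    case "$id" in ''|*[!0-9]*) exit 1 ;; esac
    [ "${#id}" -eq 12 ] || exit 1
  done
)

# join_ids PREFIX SUFFIX ID...: wrap each ID and join with commas, no spaces.
join_ids() (
  prefix=$1; suffix=$2; shift 2
  valid_ids "$@" || exit 1
  out=
  for id in "$@"; do out="${out:+$out,}${prefix}${id}${suffix}"; done
  printf '%s\n' "$out"
)

accounts_arns()    { join_ids 'arn:aws:logs:*:' ':*' "$@"; }   # AccountsArns
sending_accounts() { join_ids '"' '"' "$@"; }                  # SendingAccounts

# merge_csv EXISTING ADDITIONS: keep EXISTING in order, append only new items.
merge_csv() (
  case "$1$2" in *' '*) exit 1 ;; esac     # the page requires "no spaces"
  set -f; IFS=,                            # split on commas, never glob the '*'
  out=
  for item in $1 $2; do
    [ -n "$item" ] || continue
    case ",$out," in *",$item,"*) ;; *) out="${out:+$out,}$item" ;; esac
  done
  printf '%s\n' "$out"
)

# Constructed update: the stack already lists two accounts, one more is added.
current_arns=$(accounts_arns 111111111111 222222222222)
current_ids=$(sending_accounts 111111111111 222222222222)
merge_csv "$current_arns" "$(accounts_arns 333333333333)"
merge_csv "$current_ids" "$(sending_accounts 222222222222 333333333333)"
```

Paste the two printed lines into the AccountsArns and SendingAccounts fields of the stack update.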
- 0.0.1: Initial release.