AWS Cloudwatch Filter and Pattern Syntax

Question

I'm following the instructions here https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html

but it's not working as i'm expecting it to.

I currently have the following cloudwatch log subscription filter pattern: ? "UNKNOWN_TOPIC_OR_PARTITION" ? " SEVERE " ? " severe " ? " FATAL " ? " fatal " - "closing session"

I would like to match any patter with " fatal " whilst excluding "closing session" from the results.

However, the above filter is matching other log output:

Answer 1

You can't with event filter in CloudWatch... but you can with Logs Insights

CloudWatch -> CloudWatch Logs -> Logs Insights

Or

CloudWatch -> CloudWatch Logs -> Log groups -> [your service logs] -> [Button Logs Insights]

Logs Insights

1. Log service (you need to pick what logs of your services will to track
2. In this part you can select the range of time.
3. Here you have your querybox and here you can put querys like an SQL

So in your case you can with this in the query box

fields @timestamp, @message
| sort @timestamp desc
| filter @message like /SEVERE|severe|FATAL|fatal|closing session/ 

Now click on run query and you will see only logs that you want with that filters.

Answer 2

Try this Filter pattern:

[(w1="*UNKNOWN_TOPIC_OR_PARTITION*" || w1="*SEVERE*" || w1="*severe*" || w1="*FATAL*" || w1="*fatal*") && w1!="*closing session*"]