CloudWatch Logs Filter case insensitive multiple terms or connected

I'm just trying to create an alarm based on a CloudWatch Logs filter which triggers on multiple terms (OR-connected, not AND) and is case-insensitive.

Using "error warning" as the pattern is not working.

I'm looking for filter pattern reacting to all of the following errors and warnings:

ERROR: first sample
Error: second sample
error: third sample
{ ERROR: "fourth sample"}
{type: "error"}
WARNING: SOMETHING BAD!
{ WARNING: "fifth sample"}
Manuel asked Mar 04 '17 18:03



2 Answers

If you need to filter upon some strings you can OR them as follows:

?"String1" ?"String2" 

and so on. Try it.

Sach answered Sep 28 '22 07:09


Per the AWS Documentation concerning Filter and Pattern Syntax, you cannot use "error warning" to capture an "OR" relationship because:

  • You can specify multiple terms in a metric filter pattern, but all terms must appear in a log event for there to be a match.

Or in other words, CloudWatch Log metric filters expect an "AND" relationship.

Likewise:

  • Metric filters are case sensitive.

So you'll be unable to achieve this with a single filter. You'll need a filter for each case-sensitive permutation of "error" and "warning" that you expect to write to CloudWatch Logs.

In order to set a single alarm on all of these filters, simply configure each filter to use the same CloudWatch metric. Here's an example from the AWS Console where each of my metric filters are targeted towards my LogMetric/test metric:

AWS Console showing several metric filters using the same CloudWatch metric.

I can then simply create a CloudWatch alarm based on the LogMetric/test metric to alarm on the sum of these distinct metric filters.

Anthony Neace answered Sep 28 '22 05:09
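Putting both answers together as an added example (not code from either answerer): it builds the boto3 arguments for a single filter using the `?term` OR syntax over the UPPER, lower and Capitalized spellings of each term, the alternative of one filter per spelling all feeding the same `LogMetric/test` metric, and one alarm on that metric. `LOG_GROUP` and the filter and alarm names are assumed.

```python
# Constructed example; LOG_GROUP is an assumed log group name.
LOG_GROUP = "/example/app"
NAMESPACE, METRIC = "LogMetric", "test"  # metric names from the second answer

def case_variants(term):
    # UPPER, lower, Capitalized: the three spellings the question lists (not "eRrOr").
    return [term.upper(), term.lower(), term.capitalize()]

def or_pattern(terms):
    # One pattern using the documented "?term" OR syntax from the first answer.
    return " ".join("?" + v for t in terms for v in case_variants(t))

def metric_filter(name, pattern):
    # Arguments for logs.put_metric_filter(); every filter adds 1 to the
    # same NAMESPACE/METRIC, so a single alarm on that metric covers them all.
    return {
        "logGroupName": LOG_GROUP,
        "filterName": name,
        "filterPattern": pattern,
        "metricTransformations": [{"metricName": METRIC, "metricNamespace": NAMESPACE,
                                   "metricValue": "1", "defaultValue": 0.0}],
    }

def per_variant_filters(terms):
    # Second answer's approach: one case-sensitive filter per spelling,
    # all pointed at the same metric.
    return [metric_filter(f"{v}-filter", v) for t in terms for v in case_variants(t)]

def alarm_params():
    # Arguments for cloudwatch.put_metric_alarm(): fire when the shared
    # metric's Sum over one minute reaches 1.
    return {
        "AlarmName": f"{NAMESPACE}-{METRIC}-alarm", "Namespace": NAMESPACE,
        "MetricName": METRIC, "Statistic": "Sum", "Period": 60,
        "EvaluationPeriods": 1, "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
    }

def apply(filters, alarm):
    # Push the definitions to AWS; needs boto3 and credentials.
    import boto3
    logs, cw = boto3.client("logs"), boto3.client("cloudwatch")
    for f in filters:
        logs.put_metric_filter(**f)
    cw.put_metric_alarm(**alarm)

if __name__ == "__main__":
    apply([metric_filter("errors-or-warnings", or_pattern(["error", "warning"]))],
          alarm_params())
```

Swap the list passed to `apply` for `per_variant_filters(["error", "warning"])` to get the multi-filter layout from the second answer; both end up on the same metric and alarm.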