
Analyzing Logs with AWS Services: A Study Guide

Analyze logs by using AWS services (for example, Athena, CloudWatch Logs Insights, Amazon OpenSearch Service)


This study guide covers the core AWS services used to aggregate, process, and analyze log data for operational health, security auditing, and performance optimization.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between Amazon CloudWatch, Amazon Athena, and Amazon OpenSearch Service for log analysis.
  • Identify the correct service for analyzing CloudTrail API calls and VPC Flow Logs.
  • Explain the role of AWS Glue and Amazon EMR in processing unstructured or large-scale log volumes.
  • Use SQL (Athena), the Logs Insights query language, and natural-language query generation to extract insights from log data.

Key Terms & Glossary

  • SerDe (Serializer/Deserializer): The library that tells a query engine such as Athena how to read rows out of a stored file format (JSON, CSV, Parquet, ORC) and how to write them back. A SerDe is not compression, although columnar formats such as Parquet are usually compressed as well.
  • Log Group: A group of log streams that share the same retention, monitoring, and access control settings in CloudWatch.
  • PII (Personally Identifiable Information): Sensitive data that must be discovered (e.g., Amazon Macie for objects in S3) and masked or redacted before or during log processing; CloudWatch Logs data protection policies can mask it inside a log group.
  • Hot Data: Data that is frequently accessed and stored on high-performance storage (used primarily in Amazon OpenSearch Service).
  • Anomaly Detection: Using baselines to identify deviations in API call volumes or error rates (e.g., CloudTrail Insights).

The "Big Idea"

In a distributed cloud environment, logs are the "source of truth" for both security and operations. The core challenge is not just collecting logs, but normalizing diverse formats (application logs, system logs, API traces) so they can be queried at scale. AWS provides a tiered approach: CloudWatch for real-time monitoring, Athena for cost-effective SQL analysis on S3, and OpenSearch for complex, full-text interactive analytics.

Formula / Concept Box

Feature | CloudWatch Logs Insights | Amazon Athena | Amazon OpenSearch Service
Data Source | CloudWatch Log Groups | Amazon S3 | OpenSearch domain (hot data indices)
Query Language | Logs Insights query language (natural-language generation available) | Standard SQL (Trino-based engine) | Query DSL / SQL / PPL / Lucene syntax
Primary Use | Operational troubleshooting | Compliance / long-term audit over a data lake | Interactive analytics / full-text search
Setup Effort | Zero (managed) | Low (define the table schema in the Glue Data Catalog) | Medium (size and manage the domain)

Hierarchical Outline

  • 1. Native Logging Services
    • Amazon CloudWatch: Centralized store for application and AWS service logs. Includes alarms and dashboards.
    • AWS CloudTrail: Records API activity across the AWS account for governance and auditing.
  • 2. Interactive Analysis Tools
    • CloudWatch Logs Insights: Interactive querying of logs; supports natural language query generation and field auto-detection.
    • Amazon Athena: Serverless SQL queries on log data stored in S3 (VPC Flow Logs, CloudTrail, S3 Access Logs).
  • 3. Advanced Analytics & Visualization
    • Amazon OpenSearch Service: Distributed engine for log analytics, security intelligence, and full-text search.
    • Amazon Managed Grafana: Visualization tool to analyze metrics, logs, and traces across multiple AWS sources.
  • 4. Log Processing Pipelines
    • AWS Glue / Amazon EMR: Used for terabyte-scale logs or custom formats that require transformation before analysis.

Visual Anchors

Log Analysis Flowchart

Architecture: Log Ingestion and Processing

\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum width=3cm, minimum height=1cm, align=center}]
  \node (source) {Log Sources\\(Apps, Services)};
  \node (s3) [right of=source, xshift=3cm] {Amazon S3\\(Raw Logs)};
  \node (glue) [below of=s3] {AWS Glue / EMR\\(Transform)};
  \node (athena) [right of=s3, xshift=3cm] {Amazon Athena\\(SQL Query)};

  \draw[->, thick] (source) -- (s3);
  \draw[->, thick] (s3) to[bend right=20] (glue);
  \draw[->, thick] (glue) to[bend right=20] node[midway, right] {Parquet} (s3);
  \draw[->, thick] (s3) -- (athena);
\end{tikzpicture}

Definition-Example Pairs

  • CloudTrail Insights: Continuously analyzes management events to baseline API call volumes.
    • Example: An alert is triggered when the RunInstances API call volume spikes 300% above the normal baseline, indicating a potential security breach or script error.
  • VPC Flow Logs: Captures metadata (addresses, ports, protocol, byte and packet counts, ACCEPT/REJECT) about the IP traffic to and from network interfaces in a VPC; packet payloads are not recorded.
    • Example: Using Athena to query Flow Logs delivered to S3 to identify which source IP addresses are generating REJECTed flows. Note that a REJECT record is written whether a security group or a network ACL dropped the traffic; the flow log alone does not say which.
  • System Tables (Redshift): Internal tables used to monitor data warehouse performance.
    • Example: Querying STL_QUERY_METRICS to find the CPU usage and disk I/O of a specific long-running financial report.
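The Athena side of the VPC Flow Logs example above, written out as an added example (it is not part of the original guide). The table follows the default version 2 flow log record format that AWS documents; the bucket name, account ID, region and date are placeholders, and the partition is added by hand to keep the example short (partition projection would automate it).

```sql
-- Added example: Athena table over VPC Flow Logs delivered to S3 in the default
-- (version 2) space-separated format. Bucket, account ID and region are placeholders.
-- `start` and `end` are quoted because they are reserved words in the Hive DDL.
CREATE EXTERNAL TABLE IF NOT EXISTS vpc_flow_logs (
  version      int,
  account_id   string,
  interface_id string,
  srcaddr      string,
  dstaddr      string,
  srcport      int,
  dstport      int,
  protocol     bigint,
  packets      bigint,
  bytes        bigint,
  start        bigint,
  `end`        bigint,
  action       string,
  log_status   string
)
PARTITIONED BY (`date` date)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY ' '
LOCATION 's3://example-log-bucket/AWSLogs/111122223333/vpcflowlogs/us-east-1/'
TBLPROPERTIES ('skip.header.line.count' = '1');   -- each file starts with a header row

-- Flow log files land under .../yyyy/mm/dd/; register one partition per day.
ALTER TABLE vpc_flow_logs ADD PARTITION (`date` = '2024-05-01')
  LOCATION 's3://example-log-bucket/AWSLogs/111122223333/vpcflowlogs/us-east-1/2024/05/01/';

-- Top sources whose traffic was REJECTed on that day. The partition predicate
-- limits the scan (and the bill) to one day of objects. DML identifiers are
-- double-quoted (Trino syntax), unlike the backticks used in the DDL above.
SELECT srcaddr,
       dstaddr,
       dstport,
       protocol,
       count(*)     AS rejected_flows,
       sum(packets) AS rejected_packets
FROM vpc_flow_logs
WHERE "date" = DATE '2024-05-01'
  AND action = 'REJECT'
  AND log_status = 'OK'            -- ignore NODATA / SKIPDATA records
GROUP BY srcaddr, dstaddr, dstport, protocol
ORDER BY rejected_flows DESC
LIMIT 20;
```

Because REJECT covers both security group and network ACL denials, correlate a suspicious srcaddr/dstport pair with the rules attached to the interface before concluding which control dropped it.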

Worked Examples

Example 1: CloudWatch Logs Insights Query

To count error lines per 5-minute bin in an application log group (the regular expression is case-sensitive; use /(?i)error/ to match any casing):

fields @timestamp, @message
| filter @message like /Error/
| stats count(*) as errorCount by bin(5m)
| sort errorCount desc

Example 2: Querying CloudTrail Logs in Athena

If CloudTrail logs are delivered to S3 and a cloudtrail_logs table has been created for them (the CloudTrail console can generate the DDL), SQL can show who deleted a specific bucket. Filter on the event source as well as the event name, and add a time or partition predicate so Athena scans only the relevant objects (eventtime is stored as an ISO 8601 string, so string comparison works):

sql
SELECT eventtime,
       useridentity.arn,
       useridentity.type,
       sourceipaddress,
       requestparameters
FROM cloudtrail_logs
WHERE eventsource = 's3.amazonaws.com'
  AND eventname = 'DeleteBucket'
  AND requestparameters LIKE '%my-target-bucket-name%'
  AND eventtime >= '2024-05-01T00:00:00Z'
ORDER BY eventtime DESC;

Checkpoint Questions

  1. Which service allows you to use natural language to generate queries for log data?
  2. If you have terabytes of unstructured custom logs, which two services are recommended for processing them into a queryable format?
  3. What is the main difference between Amazon Kendra and Amazon OpenSearch Service regarding query types?
  4. How long does it typically take for VPC Flow Logs to appear in a CloudWatch Log Group after configuration?

Comparison Tables

Use Case | Recommended Service | Why?
Detecting unusual API call volumes or error rates | CloudTrail Insights | Automatically baselines "normal" management-event activity and flags deviations.
Finding a specific API call or error | Athena (CloudTrail in S3) or CloudWatch Logs Insights (CloudTrail in a log group) | Exact filtering on eventName, errorCode, principal, or source IP.
Full-text search in logs | OpenSearch Service | Built on Apache Lucene; optimized for string matching and indexing.
Ad-hoc SQL on S3 files | Amazon Athena | Serverless; pay-per-query (per TB scanned); no infrastructure to manage.
Debugging Lambda code | CloudWatch Logs | Native integration; Lambda sends stdout/stderr to a log group, provided the execution role has the CloudWatch Logs permissions.

Muddy Points & Cross-Refs

  • Athena vs. OpenSearch: Use Athena for cost-effective, occasional analysis of massive datasets in S3 (data lake). Use OpenSearch for frequent, interactive dashboarding and sub-second search latency over hot data.
  • Glue vs. EMR: Glue ETL jobs run on a serverless Spark engine; EMR runs Spark and other frameworks (Hive, Presto/Trino, HBase) on clusters you size. Use AWS Glue for serverless, event-driven ETL. Use Amazon EMR for long-running or complex workloads where you need granular control over the cluster and the Spark environment.
  • Schema Pitfall: Athena is schema-on-read, but the schema still has to exist as a table definition (DDL) in the Glue Data Catalog. If your logs change format, typed columns come back NULL or the SerDe fails, unless you update the table or store the raw line and pull fields out with JSON extraction functions at query time.
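The two ways of handling the schema pitfall for JSON application logs in S3, as an added example that is not part of the original guide: a typed table using the OpenX JSON SerDe, and a raw one-column table queried with Athena's JSON functions, which keeps working when producers add or rename fields. The table names, the S3 location, and the field names (ts, level, msg, request_id/requestId, caller.id) are assumptions.

```sql
-- Added example. Approach 1: typed table via the OpenX JSON SerDe.
-- Columns are matched to JSON keys by name: an extra key in the data is ignored,
-- a renamed key comes back NULL, and a malformed line fails the whole query
-- unless ignore.malformed.json is set (malformed lines then read as NULLs).
CREATE EXTERNAL TABLE IF NOT EXISTS app_logs_typed (
  ts         string,
  level      string,
  msg        string,
  request_id string,
  caller     struct<id:string, role:string>
)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
WITH SERDEPROPERTIES ('ignore.malformed.json' = 'true')
LOCATION 's3://example-log-bucket/app/';

-- Approach 2: schema-on-read over the raw line. The default LazySimpleSerDe
-- splits on \001, which never appears in JSON text, so each line lands whole.
CREATE EXTERNAL TABLE IF NOT EXISTS app_logs_raw (
  line string
)
LOCATION 's3://example-log-bucket/app/';

-- Parse once, then extract fields at query time. try() turns an unparseable
-- line into NULL instead of aborting the query, and json_extract_scalar returns
-- NULL for a missing path, so a producer-side format change degrades gracefully.
WITH parsed AS (
  SELECT try(json_parse(line)) AS j
  FROM app_logs_raw
)
SELECT from_iso8601_timestamp(json_extract_scalar(j, '$.ts')) AS ts,
       json_extract_scalar(j, '$.level')                      AS level,
       json_extract_scalar(j, '$.caller.id')                  AS caller_id,
       coalesce(json_extract_scalar(j, '$.request_id'),       -- current key name
                json_extract_scalar(j, '$.requestId'))        -- legacy key name
                                                              AS request_id,
       json_extract_scalar(j, '$.msg')                        AS msg
FROM parsed
WHERE j IS NOT NULL
  AND json_extract_scalar(j, '$.level') IN ('ERROR', 'FATAL')
ORDER BY ts DESC
LIMIT 100;
```

The raw-line approach trades query cost for resilience: every query scans whole objects and parses JSON per row, so once a log format has stabilised, convert it to partitioned Parquet with Glue or EMR (the Parquet arrow in the architecture diagram) and query the typed table instead.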

[!TIP] When analyzing logs for the exam, always look for the keyword "SQL" (Athena), "Real-time/Dashboard" (OpenSearch), or "API/Audit" (CloudTrail).

Exam: AWS Certified Data Engineer - Associate (DEA-C01)