Skip to main content

Collect Amazon CloudWatch Logs using a Lambda Function

The following instructions tell you to how download and configure an AWS Lambda function for Amazon CloudWatch Logs and send then to Sumo Logic.

important

We strongly recommend the alternative collection process described on Amazon CloudWatch Logs, which uses a CloudFormation template. Unlike the collection process described on this page, the alternative Amazon CloudWatch Logs collection method compresses log data before sending it to Sumo Logic, and provides for more robust failure handling. In addition, the data format generated by the method described on this page might be incompatible with some applications in the App catalog and thus requires customization of those apps.

Add a Hosted Collector and HTTP Source

  1. In Sumo Logic, configure a Hosted Collector.
  2. In Sumo Logic, configure an HTTP Source.
note

When you configure the HTTP Source, make sure to save the HTTP Source Address URL. You will need this to configure the Lambda Function.  

Create Lambda function

Sumo provides a Lambda function for use with Amazon Web Services (AWS). It collects AWS Lambda logs using CloudWatch Logs and it extracts and adds a RequestId field to each log line to make correlation easier. 

To add an Amazon Lambda function:

  1. Sign into the AWS Management Console.

  2. Click Lambda in the Compute section.

  3. On the AWS Lambda page, click Create a Function

  4. On the Blueprints page, enter sumologic in the search field, and click the search icon.

  5. Select sumologic-process-logs. The Create Function page appears.

  6. In the Basic information section:

    lambda4.png

    • Name. Enter a name for the function.
    • Role. Choose one of the following options:
      • Choose an existing role. If you have any appropriate roles, you can select one.
      • Create new role from template(s). If you select this option, you can continue without choosing any policy templates—it will create a role with basic Lambda execution privileges by default.
    • Role Name. Enter a name for the role.
    • Policy templates. If you selected **Create new role from template(s) above, you can leave this blank. 
  7. In the cloudwatch-logs section, you can create a trigger now, or click Remove if you prefer to create it later. To create the trigger:

    trigger.png

    • Log Group. Select the log group that serves as the event source. Events sent to the log source will trigger your Lambda function. 
    • Filter Name. Enter a filter name.
    • Filter Pattern. May be left blank. For information about AWS filter patterns, see Filter and Pattern Syntax in AWS help.
    • Enable trigger—Check the box to enable the trigger immediately. 
  8. On the Environment Variables page, create a environment variable named SUMO_ENDPOINT. Set the value of the variable to the URL of the HTTP source to which your logs will be sent. In addition, you can set any of the following optional variables:

    lambda6.png

    • ENCODING (Optional)—Encoding to use when decoding CloudWatch log events. Default is utf-1.
    • SOURCE_CATEGORY_OVERRIDE (Optional)—Override _sourceCategory value configured for the HTTP source.
    • SOURCE_HOST_OVERRIDE (Optional)—Override _sourceHost value configured for the HTTP source.
    • SOURCE_NAME_OVERRIDE (Optional)—Override _sourceName value configured for the HTTP source.
  9. Click Create Function.

Create a CloudWatch Log Group

You will need at least one CloudWatch Log Group to assign to your Lambda function. For details on how to create a CloudWatch Log Group, see create a CloudWatch Log Group.

Assign CloudWatch Log Groups to Your Lambda Function

  1. Go to the Triggers tab of your Lambda function.
  2. Select Add Trigger.
  3. In the Add Trigger prompt, click the box as instructed and select CloudWatch Logs from the drop-down menu.
  4. Select a** **CloudWatch Log Group to add to your function. You need at least one CloudWatch Log Group to see this option. For details on creating a log group, see create a CloudWatch Log Group.
  5. Add a Filter Name to your trigger.
  6. (Optional) you can add a Filter Pattern to your trigger. For information about AWS filter patterns, see Filter and Pattern Syntax in AWS documentation 
  7. Click Enable Trigger.
  8. Click Submit to add the trigger to your Lambda function.
note

If you have more than one CloudWatch Log Group to assign to your Lambda function, repeat the above steps for each Log Group.