Hi there, I log messages to Cloudwatch (using winston’s Console transport). From what I read in the docs, I assumed I can create a handler that will run on every Cloudwatch log message. Is that possible?
And if yes, what will the event payload actually be, i.e. what is passed to my function? I cannot find a definition anywhere in the docs.
Update: I indeed managed to subscribe to Cloudwatch Logs. However, the payload of these logs is encrypted, and decrypting them seems to be too big of a hassle for what I want to achieve…
We had the same problem to tackle. It was surprisingly hard to find documentation describing the schema of the Cloudwatch Logs payload.
The payload is a JSON object, but it is base64 encoded and compressed. Here’s roughly what our handler looks like:
```js
const zlib = require('zlib');

exports.handler = (event, context, callback) => {
  // event.awslogs.data is a base64 string wrapping gzip-compressed JSON
  const payload = Buffer.from(event.awslogs.data, 'base64');
  zlib.gunzip(payload, (error, result) => {
    if (error) {
      callback(error);
      return;
    }
    try {
      const logChunk = JSON.parse(result);
      // uploadToScanner is defined elsewhere (not shown)
      uploadToScanner(logChunk);
    } catch (ex) {
      console.error(ex.message);
      callback(ex.message);
    }
  });
};
```
The logChunk JSON payload looks something like this once it has been base64 decoded and decompressed:
```
{
  "logStream": "2022/08/04/[$LATEST]0c37853aec804fef9c66a7066844ba68",
  "logGroup": "/aws/lambda/YourFunctionName",
  "logEvents": [
    {
      "timestamp": "2022-08-04T15:51:05.680-07:00",
      "message": "START RequestId: 03b34220-9917-47da-9dd3-c3e24ad95457 Version: $LATEST"
    },
    // ...
  ]
}
```
1 Like
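The decoding step from the answer above, as an added example that is not part of the original posts: it caps the decompressed size with zlib's `maxOutputLength` option and checks the decoded shape before the log content is used. `MAX_DECODED_BYTES`, the helper names and the sample event are assumptions constructed for illustration.

```javascript
const zlib = require('zlib');

// Cap on decompressed size; the value is an assumption for this example.
const MAX_DECODED_BYTES = 1024 * 1024;

// base64 -> gunzip -> JSON, rejecting missing, oversized or malformed input.
function decodeAwsLogs(event) {
  const data = event && event.awslogs && event.awslogs.data;
  if (typeof data !== 'string') {
    throw new TypeError('event.awslogs.data is missing');
  }
  const compressed = Buffer.from(data, 'base64');
  // maxOutputLength makes gunzipSync throw rather than inflate without limit.
  const raw = zlib.gunzipSync(compressed, { maxOutputLength: MAX_DECODED_BYTES });
  const chunk = JSON.parse(raw.toString('utf8'));
  if (chunk === null || typeof chunk !== 'object' || !Array.isArray(chunk.logEvents)) {
    throw new TypeError('decoded payload has no logEvents array');
  }
  return chunk;
}

// Returns only the string messages of a decoded event.
function messagesOf(event) {
  return decodeAwsLogs(event).logEvents
    .map((e) => e && e.message)
    .filter((m) => typeof m === 'string');
}

// Test helper: wraps a chunk the way the handler receives it.
function encodeAwsLogs(chunk) {
  const gz = zlib.gzipSync(Buffer.from(JSON.stringify(chunk), 'utf8'));
  return { awslogs: { data: gz.toString('base64') } };
}

// Constructed sample, using the field names from the answer above.
const sampleChunk = {
  logStream: '2022/08/04/[$LATEST]constructed-stream-id',
  logGroup: '/aws/lambda/YourFunctionName',
  logEvents: [
    { timestamp: '2022-08-04T15:51:05.680-07:00', message: 'START RequestId: constructed-id Version: $LATEST' },
    { timestamp: '2022-08-04T15:51:05.690-07:00', message: 'hello from winston' },
  ],
};

console.log(messagesOf(encodeAwsLogs(sampleChunk)));
```

Log messages are written by whatever the logged application processed, so the decoded `message` strings should be treated as untrusted input by anything downstream.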
Wow, this is gold, thank you so much!
1 Like