Cloudwatch Log Event

Hi there, I log messages to Cloudwatch (using winston’s Console transport). From what I read in the docs, I assumed I can create a handler that will run on every Cloudwatch log message. Is that possible?

And if yes, what will the event payload actually be, i.e. what is passed to my function? I cannot find a definition anywhere in the docs.

Update: I indeed managed to subscribe to Cloudwatch Logs. However, the payload of these logs is encrypted, and decrypting them seems to be too big of a hassle for what I want to achieve…

We had the same problem to tackle. It was surprisingly hard to find documentation describing the schema of the Cloudwatch Logs payload.

The payload is a JSON object, but it is base64 encoded and compressed. Here’s roughly what our handler looks like:

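```javascript
const zlib = require('zlib');

exports.handler = (event, context, callback) => {
  // event.awslogs.data is a base64-encoded, gzip-compressed JSON document
  const payload = Buffer.from(event.awslogs.data, 'base64');

  zlib.gunzip(payload, (error, result) => {
    if (error) {
      callback(error);
      return;
    }
    try {
      const logChunk = JSON.parse(result.toString('utf8'));
      uploadToScanner(logChunk); // application-specific helper, not shown
    } catch (ex) {
      console.error(ex.message);
      callback(ex.message);
    }
  });
};
```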

The logChunk JSON payload looks something like this once it has been base64 decoded and decompressed:

```json
{
  "logStream": "2022/08/04/[$LATEST]0c37853aec804fef9c66a7066844ba68",
  "logGroup": "/aws/lambda/YourFunctionName",
  "logEvents": [
    {
      "timestamp": "2022-08-04T15:51:05.680-07:00",
      "message": "START RequestId: 03b34220-9917-47da-9dd3-c3e24ad95457 Version: $LATEST"
    },
    // ...
  ]
}
```
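
Added example, not part of the answer above and not AWS's own code: a defensive version of the same decode step that caps the decompressed size, checks the payload shape, and skips the service's control messages before anything is forwarded. The names `decodeLogsEvent` and `makeSampleEvent` and the 8 MiB cap are assumptions for illustration, and the sample event is constructed.

```javascript
const zlib = require('zlib');

// Assumed cap on decompressed size; tune it to your own log volume.
const MAX_DECOMPRESSED_BYTES = 8 * 1024 * 1024;

// Decode one CloudWatch Logs subscription event into flat log records.
function decodeLogsEvent(event) {
  const data = event && event.awslogs && event.awslogs.data;
  if (typeof data !== 'string') {
    throw new TypeError('event.awslogs.data is missing');
  }
  const compressed = Buffer.from(data, 'base64');
  // maxOutputLength makes gunzip throw instead of inflating without bound.
  const raw = zlib.gunzipSync(compressed, { maxOutputLength: MAX_DECOMPRESSED_BYTES });
  const chunk = JSON.parse(raw.toString('utf8'));
  if (!Array.isArray(chunk.logEvents)) {
    throw new TypeError('payload has no logEvents array');
  }
  // CONTROL_MESSAGE records are delivery health checks, not application logs.
  if (chunk.messageType === 'CONTROL_MESSAGE') {
    return [];
  }
  return chunk.logEvents.map((e) => ({
    logGroup: chunk.logGroup,
    logStream: chunk.logStream,
    timestamp: e.timestamp,
    message: String(e.message),
  }));
}

// Constructed sample: wraps a payload in the gzip + base64 envelope.
function makeSampleEvent(payload) {
  const gz = zlib.gzipSync(Buffer.from(JSON.stringify(payload), 'utf8'));
  return { awslogs: { data: gz.toString('base64') } };
}

const sample = makeSampleEvent({
  messageType: 'DATA_MESSAGE',
  logGroup: '/aws/lambda/YourFunctionName',
  logStream: '2022/08/04/[$LATEST]0c37853aec804fef9c66a7066844ba68',
  logEvents: [
    { id: '1', timestamp: 1659653465680, message: 'START RequestId: 03b34220-9917-47da-9dd3-c3e24ad95457 Version: $LATEST' },
  ],
});

console.log(decodeLogsEvent(sample));
```

Log messages are whatever the logged application wrote, so treat each `message` as untrusted input in anything downstream of this function.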

Wow, this is gold, thank you so much!
