Amazon API Gateway logs

Observe supports ingesting Amazon API Gateway logs through CloudWatch and the Observe Lambda forwarder.

For access logs, create a CloudWatch log group

API Gateway access logs use a CloudWatch log group. To create one, use the following steps:

  1. Follow the directions at Create a log group in CloudWatch Logs in the AWS documentation.

  2. Note the ARN for this log group, as you need it in a later step.

Configure API Gateway for logging

Following the steps in Setting up CloudWatch logging for a REST API in API Gateway in the AWS documentation, configure logging and grant API Gateway permission to send logs to CloudWatch.

Enable API Gateway logging

API Gateway settings showing the CloudWatch log role ARN configuration

Figure 1 - API Gateway settings with CloudWatch ARN

  1. In the IAM console, create an API Gateway role with the AmazonAPIGatewayPushToCloudWatchLogs policy.

  2. In the API Gateway console settings, configure the CloudWatch log role ARN with the ARN of this role.

Configuring logging for your API

API Gateway console showing the Logs/Tracing tab for a stage named prod

Figure 2 - API Gateway console with the Logs/Tracing tab

  1. In the API Gateway console, navigate to the desired stage of your API and choose Logs/Tracing.

  2. In CloudWatch Settings:

    • Enable the desired CloudWatch logs (execution logs).

  3. In Custom Access Logging:

    • Enable access logging by providing the log group ARN and the desired log format.

  4. Click Save Changes.

See the AWS documentation for further details.

Installing the Observe Lambda forwarder

If necessary, install the Observe Lambda forwarder. If you currently use the Lambda forwarder for another source, you do not need to install it again.

Following the instructions at AWS CloudWatch Logs, create a Lambda subscription filter.

As your API handles requests, the API Gateway sends execution and access logs to Amazon CloudWatch, and then the Observe Lambda forwarder sends them to Observe.