Amazon API Gateway logs

Observe supports ingesting Amazon API Gateway logs via CloudWatch and the Observe Lambda forwarder.

For access logs: create a CloudWatch log group

API Gateway access logs use a CloudWatch log group. To create one:

  1. Follow the directions at Create a log group in CloudWatch Logs in the AWS documentation.

  2. Note the ARN for this log group, as you will need it in a later step.

Configure API Gateway for logging

Following Setting up CloudWatch logging for a REST API in API Gateway in the AWS documentation, configure logging and grant API Gateway permission to send logs to CloudWatch.

Summary of steps:

To enable API Gateway logging:

Figure: API Gateway settings showing the CloudWatch log role ARN configuration

  1. In the IAM console, create an API Gateway role with the AmazonAPIGatewayPushToCloudWatchLogs policy.

  2. In the API Gateway console settings, configure the CloudWatch log role ARN with the ARN of this role.

To configure logging for your API:

Figure: API Gateway console showing the Logs/Tracing tab for a stage named prod

  1. In the API Gateway console, navigate to the desired stage of your API and click the Logs/Tracing tab.

  2. In CloudWatch Settings:

    • Enable the desired CloudWatch logs (execution logs).

  3. In Custom Access Logging:

    • Enable access logging by providing the log group ARN and the desired log format.

  4. Click Save Changes.

See the AWS documentation for further details.
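The console steps above can also be scripted. The following is an added example, not code from Observe or AWS: it builds the patch operations for the boto3 `update_account` and `update_stage` calls. The function names, the field selection in the log format, and the arguments passed to `apply` are assumptions made for illustration.

```python
import json

# Fields chosen for this example; each value is an API Gateway $context variable.
ACCESS_LOG_FIELDS = {
    "requestId": "$context.requestId",
    "sourceIp": "$context.identity.sourceIp",
    "requestTime": "$context.requestTime",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
    "protocol": "$context.protocol",
    "responseLength": "$context.responseLength",
}


def access_log_format():
    """Single-line JSON format string, so each request is one parseable record."""
    return json.dumps(ACCESS_LOG_FIELDS, separators=(",", ":"))


def account_patch(role_arn):
    """Account-level setting: the CloudWatch log role ARN."""
    return [{"op": "replace", "path": "/cloudwatchRoleArn", "value": role_arn}]


def stage_patch(log_group_arn, level="INFO"):
    """Stage-level settings: execution logs plus custom access logging."""
    if level not in ("ERROR", "INFO"):
        raise ValueError("level must be ERROR or INFO")
    # The destination is the log group ARN without the trailing ':*' that
    # the CloudWatch console appends when you copy it.
    dest = log_group_arn[:-2] if log_group_arn.endswith(":*") else log_group_arn
    return [
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": level},
        # Leave full request/response tracing off: bodies can carry secrets.
        {"op": "replace", "path": "/*/*/logging/dataTrace", "value": "false"},
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": dest},
        {"op": "replace", "path": "/accessLogSettings/format", "value": access_log_format()},
    ]


def apply(rest_api_id, stage_name, role_arn, log_group_arn):
    import boto3  # imported here so the builders above work without AWS access
    client = boto3.client("apigateway")
    client.update_account(patchOperations=account_patch(role_arn))
    client.update_stage(restApiId=rest_api_id, stageName=stage_name,
                        patchOperations=stage_patch(log_group_arn))
```

Call `apply` with your own REST API ID, stage name, role ARN and log group ARN; the builder functions can be inspected or unit-tested without AWS credentials.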

Install the Observe Lambda forwarder

If needed, install the Observe Lambda forwarder. If you are already using the Lambda forwarder for another source, you do not need to install it again.

Following the instructions at AWS CloudWatch Logs, create a Lambda subscription filter.

As your API handles requests, API Gateway sends execution and access logs to CloudWatch, and then the Observe Lambda forwarder sends them to Observe.