Amazon CloudWatch Logs
User Guide

Create a Subscription Filter

After you create a destination, you can share the destination ARN (arn:aws:logs:us-east-1:123456789012:destination:testDestination) with other cross-account users so that they can send you their log events. The cross-account users then create a subscription filter on their respective log groups against this destination. The subscription filter immediately starts the flow of real-time log data from the chosen log group to the specified destination.

In the following example, a subscription filter is associated with a log group containing AWS CloudTrail events so that every logged activity made by "Root" AWS credentials delivered to the destination you created above that encapsulates an Amazon Kinesis stream called "RootAccess". For more information about how to send AWS CloudTrail events to CloudWatch Logs, see Sending CloudTrail Events to CloudWatch Logs in the AWS CloudTrail User Guide.

aws logs put-subscription-filter \
    --log-group-name "CloudTrail" \
    --filter-name "RootAccess" \
    --filter-pattern "{$.userIdentity.type = Root}" \
    --destination-arn "arn:aws:logs:us-east-1:123456789012:destination:testDestination"


Unlike the subscriptions example Real-time Processing of Log Data with Subscriptions, in this example you did not have to provide a role-arn. This is because role-arn is needed for impersonation while writing to an Amazon Kinesis stream, which has already been provided by the destination owner while creating destination.