Menu
Amazon CloudWatch Logs
User Guide

Create a Subscription Filter

After you create a destination, the log data recipient account can share the destination ARN (arn:aws:logs:us-east-1:999999999999:destination:testDestination) with other AWS accounts so that they can send log events to the same destination. These other sending accounts users then create a subscription filter on their respective log groups against this destination. The subscription filter immediately starts the flow of real-time log data from the chosen log group to the specified destination.

In the following example, a subscription filter is associated with a log group containing AWS CloudTrail events so that every logged activity made by "Root" AWS credentials is delivered to the destination you created above that encapsulates an Kinesis stream called "RecipientStream". For more information about how to send AWS CloudTrail events to CloudWatch Logs, see Sending CloudTrail Events to CloudWatch Logs in the AWS CloudTrail User Guide.

Copy
aws logs put-subscription-filter \ --log-group-name "CloudTrail" \ --filter-name "RecipientStream" \ --filter-pattern "{$.userIdentity.type = Root}" \ --destination-arn "arn:aws:logs:us-east-1:999999999999:destination:testDestination"

The log group and the destination must be in the same AWS region. However, the destination can point to an AWS resource such as a Kinesis stream that is located in a different region.

Note

Unlike the subscriptions example Real-time Processing of Log Data with Subscriptions, in this example you did not have to provide a role-arn. This is because role-arn is needed for impersonation while writing to an Kinesis stream, which has already been provided by the destination owner while creating destination.