Reading Your CloudTrail Log Files
This topic describes options for retrieving and viewing your CloudTrail log files.
Retrieving your log files
CloudTrail log files are Amazon S3 objects. You can retrieve them by using the Amazon S3 console, the AWS command line interface (CLI), or the Amazon S3 API. For more information, see Working with Amazon S3 Objects in the Amazon Simple Storage Service Developer Guide. The Amazon Simple Storage Service Console User Guide covers using the console to retrieve your objects. For example, open the Amazon S3 console, click on the name of the bucket in which you're interested, and keep clicking through the object hierarchy until you get to the log file you're looking for. All log files have a .gz extension.
Viewing your log files
For example, if you use Mozilla Firefox, you can also download the JSONView add-on. With JSONView, you can double-click the compressed .gz file in your Amazon S3 bucket to open the log file in JSON format. There is no comparable extension for Internet Explorer, but there is a registry edit you can make to enable Internet Explorer to open JSON files after you download and decompress them.
An alternate approach to viewing your CloudTrail logs on Windows is to download them locally and use a text editor such as Notepad++ along with the JSON Viewer plug-in. To download a log file, right-click on the file in your Amazon S3 bucket and right-click Download in the pop-up window. Click Save link as... and follow the prompts to save the file locally. This saves the file, however, in compressed format. You must use a product such as 7-Zip to extract the uncompressed JSON data. After decompressing the file, open it in Notepad++, select all of the text, and navigate to Plugins, point to JSON Viewer, and then click Format JSON.
For more information about the event fields that can appear in a log file entry, see CloudTrail Event Reference.
AWS partners with third-party specialists in logging and analysis to provide solutions that leverage CloudTrail output. For more information, visit the CloudTrail detail page at http://aws.amazon.com/cloudtrail.
For log files captured during the last seven days, you can use the CloudTrail console, the AWS CLI or the AWS SDKs. For more information, see Viewing Events with CloudTrail API Activity History.