Syntax Properties Return values Examples

AWS::Logs::SubscriptionFilter

The AWS::Logs::SubscriptionFilter resource specifies a subscription filter and associates it with the specified log group. Subscription filters allow you to subscribe to a real-time stream of log events and have them delivered to a specific destination. Currently, the supported destinations are:

An Amazon Kinesis data stream belonging to the same account as the subscription filter, for same-account delivery.
A logical destination that belongs to a different account, for cross-account delivery.
An Amazon Kinesis Firehose delivery stream that belongs to the same account as the subscription filter, for same-account delivery.
An AWS Lambda function that belongs to the same account as the subscription filter, for same-account delivery.

There can only be one subscription filter associated with a log group.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "Type" : "AWS::Logs::SubscriptionFilter",
  "Properties" : {
      "DestinationArn" : String,
      "FilterPattern" : String,
      "LogGroupName" : String,
      "RoleArn" : String
    }
}

YAML


Type: AWS::Logs::SubscriptionFilter
Properties: 
  DestinationArn: String
  FilterPattern: String
  LogGroupName: String
  RoleArn: String

Properties

DestinationArn

The Amazon Resource Name (ARN) of the destination.

Required: Yes

Type: String

Minimum: 1

Update requires: Replacement

FilterPattern

The filtering expressions that restrict what gets delivered to the destination AWS resource. For more information about the filter pattern syntax, see Filter and Pattern Syntax.

Required: Yes

Type: String

Update requires: Replacement

LogGroupName

The log group to associate with the subscription filter. All log events that are uploaded to this log group are filtered and delivered to the specified AWS resource if the filter pattern matches the log events.

Required: Yes

Type: String

Minimum: 1

Maximum: 512

Pattern: [\.\-_/#A-Za-z0-9]+

Update requires: Replacement

RoleArn

The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log events to the destination stream. You don't need to provide the ARN when you are working with a logical destination for cross-account delivery.

Required: No

Type: String

Minimum: 1

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name.

For more information about using the Ref function, see Ref.

Examples

Create a Subscription Filter

The following example sends log events that are associated with the Root user to a Kinesis data stream.

JSON


"SubscriptionFilter" : {
  "Type" : "AWS::Logs::SubscriptionFilter",
  "Properties" : {
    "RoleArn" : { "Fn::GetAtt" : [ "CloudWatchIAMRole", "Arn" ] },
    "LogGroupName" : { "Ref" : "LogGroup" },
    "FilterPattern" : "{$.userIdentity.type = Root}",
    "DestinationArn" : { "Fn::GetAtt" : [ "KinesisStream", "Arn" ] }
  }
}

YAML


SubscriptionFilter: 
  Type: AWS::Logs::SubscriptionFilter
  Properties: 
    RoleArn: 
      Fn::GetAtt: 
        - "CloudWatchIAMRole"
        - "Arn"
    LogGroupName: 
      Ref: "LogGroup"
    FilterPattern: "{$.userIdentity.type = Root}"
    DestinationArn: 
      Fn::GetAtt: 
        - "KinesisStream"
        - "Arn"

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

MetricTransformation