AWS CloudFormation
User Guide (Version )

AWS::Logs::SubscriptionFilter

The AWS::Logs::SubscriptionFilter resource specifies a subscription filter and associates it with the specified log group. Subscription filters allow you to subscribe to a real-time stream of log events and have them delivered to a specific destination. Currently, the supported destinations are:

  • An Amazon Kinesis data stream belonging to the same account as the subscription filter, for same-account delivery.

  • A logical destination that belongs to a different account, for cross-account delivery.

  • An Amazon Kinesis Firehose delivery stream that belongs to the same account as the subscription filter, for same-account delivery.

  • An AWS Lambda function that belongs to the same account as the subscription filter, for same-account delivery.

There can only be one subscription filter associated with a log group.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Logs::SubscriptionFilter",
  "Properties" : {
    "DestinationArn" : String,
    "FilterPattern" : String,
    "LogGroupName" : String,
    "RoleArn" : String
  }
}

YAML

Type: AWS::Logs::SubscriptionFilter
Properties:
  DestinationArn: String
  FilterPattern: String
  LogGroupName: String
  RoleArn: String

Properties

DestinationArn

The Amazon Resource Name (ARN) of the destination.

Required: Yes

Type: String

Minimum: 1

Update requires: Replacement

FilterPattern

The filtering expressions that restrict what gets delivered to the destination AWS resource. For more information about the filter pattern syntax, see Filter and Pattern Syntax.

Required: Yes

Type: String

Update requires: Replacement

LogGroupName

The log group to associate with the subscription filter. All log events that are uploaded to this log group are filtered and delivered to the specified AWS resource if the filter pattern matches the log events.

Required: Yes

Type: String

Minimum: 1

Maximum: 512

Pattern: [\.\-_/#A-Za-z0-9]+

Update requires: Replacement

RoleArn

The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log events to the destination stream.

Required: No

Type: String

Minimum: 1

Update requires: Replacement

Return Values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name.

For more information about using the Ref function, see Ref.

Examples

Create a Subscription Filter

The following example sends log events that are associated with the Root user to a Kinesis data stream.

JSON

"SubscriptionFilter" : {
  "Type" : "AWS::Logs::SubscriptionFilter",
  "Properties" : {
    "RoleArn" : { "Fn::GetAtt" : [ "CloudWatchIAMRole", "Arn" ] },
    "LogGroupName" : { "Ref" : "LogGroup" },
    "FilterPattern" : "{$.userIdentity.type = Root}",
    "DestinationArn" : { "Fn::GetAtt" : [ "KinesisStream", "Arn" ] }
  }
}

YAML

SubscriptionFilter:
  Type: AWS::Logs::SubscriptionFilter
  Properties:
    RoleArn:
      Fn::GetAtt:
        - "CloudWatchIAMRole"
        - "Arn"
    LogGroupName:
      Ref: "LogGroup"
    FilterPattern: "{$.userIdentity.type = Root}"
    DestinationArn:
      Fn::GetAtt:
        - "KinesisStream"
        - "Arn"
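
The snippet above references CloudWatchIAMRole, LogGroup, and KinesisStream without defining them. The following template is an added example, not part of the original guide: it defines all three so that the delivery role can be assumed only by CloudWatch Logs acting for this account and can write only to this one stream. The retention period, shard count, policy name, and the aws:SourceArn scoping are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Root-activity subscription filter with a least-privilege delivery role
Resources:
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90            # assumption: pick a value that matches your retention policy
  KinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1                  # assumption: sized for low-volume Root activity
  CloudWatchIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: logs.amazonaws.com   # only CloudWatch Logs may assume the role
            Action: sts:AssumeRole
            Condition:
              StringLike:
                # Confused-deputy guard: the request must originate from
                # log resources in this account and Region.
                aws:SourceArn: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
      Policies:
        - PolicyName: PutToRootActivityStream   # hypothetical name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: kinesis:PutRecord        # write-only, no read or admin actions
                Resource: !GetAtt KinesisStream.Arn
  SubscriptionFilter:
    Type: AWS::Logs::SubscriptionFilter
    Properties:
      RoleArn: !GetAtt CloudWatchIAMRole.Arn
      LogGroupName: !Ref LogGroup
      FilterPattern: "{$.userIdentity.type = Root}"
      DestinationArn: !GetAtt KinesisStream.Arn
```

The filter only matches if the log group actually receives CloudTrail events, so point the trail's CloudWatch Logs delivery at this log group.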