Lambda@Edge logs CloudFront Functions logs

Edge function logs

You can use Amazon CloudWatch Logs to get logs for your edge functions, both Lambda@Edge and CloudFront Functions. Access the logs using the CloudWatch console or the CloudWatch Logs API.

Important

We recommend that you use the logs to understand the nature of the requests for your content, not as a complete accounting of all requests. CloudFront delivers edge function logs on a best-effort basis. The log entry for a particular request might be delivered long after the request was actually processed and, in rare cases, a log entry might not be delivered at all. When a log entry is omitted from edge function logs, the number of entries in the edge function logs won't match the usage that appears in the AWS billing and usage reports.

Lambda@Edge logs

Lambda@Edge automatically sends function logs to CloudWatch Logs, creating log streams in the AWS Regions where the functions are run. The log group name is formatted as /aws/lambda/us-east-1.function-name, where function-name is the name that you gave to the function when you created it, and us-east-1 is the Region code for the AWS Region where the function ran.

Note

Lambda@Edge throttles logs based on the request volume and the size of logs.

You must review CloudWatch log files in the correct AWS Region to see your Lambda@Edge function log files. To see the Regions where your Lambda@Edge function is running, view graphs of metrics for the function in the CloudFront console. Metrics are displayed for each AWS Region. On the same page, you can choose a Region and then view log files for that Region to investigate issues.

To learn more about how to use CloudWatch Logs with Lambda@Edge functions, see the following:

For more information about viewing graphs in the Monitoring section of the CloudFront console, see Monitoring CloudFront metrics with Amazon CloudWatch.
For information about the permissions required to send data to CloudWatch Logs, see Setting IAM permissions and roles for Lambda@Edge.
For information about adding logging to a Lambda@Edge function, see AWS Lambda function logging in Node.js or AWS Lambda function logging in Python in the AWS Lambda Developer Guide.
For information about CloudWatch Logs quotas (formerly known as limits), see CloudWatch Logs quotas in the Amazon CloudWatch Logs User Guide.

CloudFront Functions logs

If a CloudFront function's code contains console.log() statements, CloudFront Functions automatically sends these log lines to CloudWatch Logs. If there are no console.log() statements, nothing is sent to CloudWatch Logs.

CloudFront Functions always creates log streams in the US East (N. Virginia) Region (us-east-1), no matter which edge location ran the function. The log group name is in the format /aws/cloudfront/function/FunctionName, where FunctionName is the name that you gave to the function when you created it. The log stream name is in the format YYYY/M/D/UUID.

The following shows an example log message sent to CloudWatch Logs. Each line begins with an ID that uniquely identifies a CloudFront request. The message begins with a START line that includes the CloudFront distribution ID, and ends with an END line. Between the START and END lines are the log lines generated by console.log() statements in the function.


U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== START DistributionID: E3E5D42GADAXZZ
U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== Example function log output
U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== END

Note

CloudFront Functions sends logs to CloudWatch only for functions in the LIVE stage that run in response to production requests and responses. When you test a function, CloudFront doesn't send any logs to CloudWatch. The test output contains information about errors, compute utilization, and function logs (console.log() statements), but this information is not sent to CloudWatch.

CloudFront Functions uses an AWS Identity and Access Management (IAM) service-linked role to send logs to CloudWatch Logs in your account. A service-linked role is an IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all of the permissions that the service requires to call other AWS services on your behalf. CloudFront Functions uses a service-linked role called AWSServiceRoleForCloudFrontLogger. For more information about this role, see Service-linked roles for Lambda@Edge (Lambda@Edge uses the same service-linked role).

When a function fails with a validation error or an execution error, information is logged in CloudFront's standard logs and real-time logs. Information about the error is logged in the x-edge-result-type, x-edge-response-result-type, and x-edge-detailed-result-type fields.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Real-time logs

Capturing API requests with CloudTrail