Configure logging for WebSocket APIs in API Gateway
You can enable logging to write logs to CloudWatch Logs. There are two types of API logging in CloudWatch: execution logging and access logging. In execution logging, API Gateway manages the CloudWatch Logs. The process includes creating log groups and log streams, and reporting to the log streams any caller's requests and responses.
In access logging, you, as an API developer, want to log who has accessed your API and how the caller accessed
the API. You can create your own log group or choose an existing log group that could be managed by API Gateway. To
specify the access details, you select $context
variables (expressed in a format of your choosing) and choose a log group as the destination.
For instructions on how to set up CloudWatch logging, see Set up CloudWatch API logging using the API Gateway console.
When you specify the Log Format, you can choose which context variables to log. The following variables are supported.
Parameter | Description |
---|---|
$context.apiId |
The identifier API Gateway assigns to your API. |
$context.authorize.error |
The authorization error message. |
$context.authorize.latency |
The authorization latency in ms. |
$context.authorize.status |
The status code returned from an authorization attempt. |
$context.authorizer.error |
The error message returned from an authorizer. |
$context.authorizer.integrationLatency |
The Lambda authorizer latency in ms. |
$context.authorizer.integrationStatus |
The status code returned from a Lambda authorizer. |
$context.authorizer.latency |
The authorizer latency in ms. |
$context.authorizer.requestId |
The AWS endpoint's request ID. |
$context.authorizer.status |
The status code returned from an authorizer. |
$context.authorizer.principalId |
The principal user identification that is associated with the token sent by the client and returned from an API Gateway Lambda authorizer Lambda function. (A Lambda authorizer was formerly known as a custom authorizer.) |
$context.authorizer. |
The stringified value of the specified key-value pair of the
calling |
$context.authenticate.error |
The error message returned from an authentication attempt. |
$context.authenticate.latency |
The authentication latency in ms. |
$context.authenticate.status |
The status code returned from an authentication attempt. |
$context.connectedAt |
The Epoch |
$context.connectionId |
A unique ID for the connection that can be used to make a callback to the client. |
$context.domainName |
A domain name for the WebSocket API. This can be used to make a callback to the client (instead of a hardcoded value). |
$context.error.message |
A string that contains an API Gateway error message. |
$context.error.messageString |
The quoted value of $context.error.message , namely
"$context.error.message" . |
$context.error.responseType |
The error response type. |
$context.error.validationErrorString |
A string that contains a detailed validation error message. |
$context.eventType |
The event type: |
$context.extendedRequestId |
Equivalent to $context.requestId . |
$context.identity.accountId |
The AWS account ID associated with the request. |
$context.identity.apiKey |
The API owner key associated with key-enabled API request. |
$context.identity.apiKeyId |
The API key ID associated with the key-enabled API request |
$context.identity.caller |
The principal identifier of the caller that signed the request. Supported for routes that use IAM authorization. |
$context.identity.cognitoAuthenticationProvider |
A comma-separated list of all the Amazon Cognito authentication providers used by the caller making the request. Available only if the request was signed with Amazon Cognito credentials. For example, for an identity from an Amazon Cognito user pool, For information about the available Amazon Cognito authentication providers, see Using Federated Identities in the Amazon Cognito Developer Guide. |
$context.identity.cognitoAuthenticationType |
The Amazon Cognito authentication type of the caller making the request. Available only if the request
was signed with Amazon Cognito credentials. Possible values include |
$context.identity.cognitoIdentityId |
The Amazon Cognito identity ID of the caller making the request. Available only if the request was signed with Amazon Cognito credentials. |
$context.identity.cognitoIdentityPoolId |
The Amazon Cognito identity pool ID of the caller making the request. Available only if the request was signed with Amazon Cognito credentials. |
$context.identity.principalOrgId |
The AWS organization ID. Supported for routes that use IAM authorization. |
$context.identity.sourceIp |
The source IP address of the TCP connection making the request to API Gateway. |
$context.identity.user |
The principal identifier of the user that will be authorized against resource access. Supported for routes that use IAM authorization. |
$context.identity.userAgent |
The user agent of the API caller. |
$context.identity.userArn |
The Amazon Resource Name (ARN) of the effective user identified after authentication. |
$context.integration.error |
The error message returned from an integration. |
$context.integration.integrationStatus |
For Lambda proxy integration, the status code returned from AWS Lambda, not from the backend Lambda function code. |
$context.integration.latency |
The integration latency in ms. Equivalent to $context.integrationLatency . |
$context.integration.requestId |
The AWS endpoint's request ID. Equivalent to $context.awsEndpointRequestId . |
$context.integration.status |
The status code returned from an integration. For Lambda proxy
integrations, this is the status code that your Lambda function code
returns. Equivalent to $context.integrationStatus . |
$context.integrationLatency |
The integration latency in ms, available for access logging only. |
$context.messageId |
A unique server-side ID for a message. Available only when the
|
$context.requestId |
Same as |
$context.requestTime |
The CLFdd/MMM/yyyy:HH:mm:ss
+-hhmm ). |
$context.requestTimeEpoch |
The Epoch |
$context.routeKey |
The selected route key. |
$context.stage |
The deployment stage of the API call (for example, beta or prod). |
$context.status |
The response status. |
$context.waf.error |
The error message returned from AWS WAF. |
$context.waf.latency |
The AWS WAF latency in ms. |
$context.waf.status |
The status code returned from AWS WAF. |
Examples of some commonly used access log formats are shown in the API Gateway console and are listed as follows.
-
CLF
(Common Log Format): $context.identity.sourceIp $context.identity.caller \ $context.identity.user [$context.requestTime] "$context.eventType $context.routeKey $context.connectionId" \ $context.status $context.requestId
The continuation characters (
\
) are meant as a visual aid. The log format must be a single line. You can add a newline character (\n
) at the end of the log format to include a newline at the end of each log entry. -
JSON
:{ "requestId":"$context.requestId", \ "ip": "$context.identity.sourceIp", \ "caller":"$context.identity.caller", \ "user":"$context.identity.user", \ "requestTime":"$context.requestTime", \ "eventType":"$context.eventType", \ "routeKey":"$context.routeKey", \ "status":"$context.status", \ "connectionId":"$context.connectionId" }
The continuation characters (
\
) are meant as a visual aid. The log format must be a single line. You can add a newline character (\n
) at the end of the log format to include a newline at the end of each log entry. -
XML
:<request id="$context.requestId"> \ <ip>$context.identity.sourceIp</ip> \ <caller>$context.identity.caller</caller> \ <user>$context.identity.user</user> \ <requestTime>$context.requestTime</requestTime> \ <eventType>$context.eventType</eventType> \ <routeKey>$context.routeKey</routeKey> \ <status>$context.status</status> \ <connectionId>$context.connectionId</connectionId> \ </request>
The continuation characters (
\
) are meant as a visual aid. The log format must be a single line. You can add a newline character (\n
) at the end of the log format to include a newline at the end of each log entry. -
CSV
(comma-separated values):$context.identity.sourceIp,$context.identity.caller, \ $context.identity.user,$context.requestTime,$context.eventType, \ $context.routeKey,$context.connectionId,$context.status, \ $context.requestId
The continuation characters (
\
) are meant as a visual aid. The log format must be a single line. You can add a newline character (\n
) at the end of the log format to include a newline at the end of each log entry.