Using CloudWatch Logs with AWS Batch
You can configure your AWS Batch jobs on EC2 resources to send detailed log information and metrics to CloudWatch Logs. Doing this, you can view different logs from your jobs in one convenient location. For more information about CloudWatch Logs, see What is Amazon CloudWatch Logs? in the Amazon CloudWatch User Guide.
By default, CloudWatch Logs is turned on for AWS Fargate containers.
To turn on and customize CloudWatch Logs logging, review the following one-time configuration tasks:
-
For AWS Batch compute environments that are based on EC2 resources, add an IAM policy to the
ecsInstanceRolerole. For more information, see Add a CloudWatch Logs IAM policy. -
Create an Amazon EC2 launch template that includes detailed CloudWatch monitoring, then specify the template when you create your AWS Batch compute environment. You can also install the CloudWatch agent on an existing image and then specify the image in the AWS Batch first-run wizard.
-
(Optional) Configure the awslogs driver. You can add parameters that change the default behavior on both EC2 and Fargate resources. For more information, see Using the awslogs log driver.
Add a CloudWatch Logs IAM policy
Before your jobs can send log data and detailed metrics to CloudWatch Logs, you must create an IAM
policy that uses the CloudWatch Logs APIs. After you create the IAM policy, attach it to the
ecsInstanceRole role.
If the ECS-CloudWatchLogs policy isn't attached to the
ecsInstanceRole role, basic metrics can still be sent to CloudWatch Logs. However, the
basic metrics don't include log data or detailed metrics such as free disk space.
AWS Batch compute environments use Amazon EC2 resources. When you create a compute environment
using the AWS Batch first-run wizard, AWS Batch creates the ecsInstanceRole role and
configures the environment with it.
If you aren't using the first-run wizard, you can specify the ecsInstanceRole
role when you create a compute environment in the AWS Command Line Interface or AWS Batch API. For more
information, see the AWS CLI Command Reference or AWS Batch API
Reference.
To create the ECS-CloudWatchLogs IAM policy
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies.
-
Choose Create policy.
-
Choose JSON, then enter the following policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:*:*" ] } ] } -
Choose Next: Tags.
-
(Optional) For Add tags, choose Add tag to add a tag to the policy.
-
Choose Next: Review.
-
On the Review policy page, for Name, enter
ECS-CloudWatchLogs, and then enter an optional Description. -
Choose Create policy.
To attach the ECS-CloudWatchLogs policy to ecsInstanceRole
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Roles.
-
Choose
ecsInstanceRole. If the role doesn't exist, follow the procedures in Amazon ECS instance role to create the role. -
Choose Add Permissions, then choose Attach policies.
-
Choose the ECS-CloudWatchLogs policy and then choose Attach policy.
Install and configure the CloudWatch agent
You can create an Amazon EC2 launch template that includes CloudWatch monitoring. For more information, see Launch an instance from a launch template and Advanced details in the Amazon EC2 User Guide for Linux Instances.
You can also install the CloudWatch agent on an existing Amazon EC2 AMI and then specify the image in the AWS Batch first-run wizard. For more information, see Installing the CloudWatch agent and Getting Started with AWS Batch.
Launch templates are not supported on AWS Fargate resources.
View CloudWatch Logs
You can view and search CloudWatch Logs logs in the AWS Management Console.
It might take a few minutes for data to display in CloudWatch Logs.
To view your CloudWatch Logs data
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
In the left navigation pane, choose Logs, then choose Log groups.
-
Choose a log group to view.
-
Choose a log stream to view. By default, the streams are identified by the first 200 characters of the job name and the Amazon ECS task ID.
