CloudWatch Logs AWS IoT log entries - AWS IoT Core
Message broker log entriesServer certificate OCSP log entriesDevice Shadow log entriesRules engine log entriesJob log entriesDevice provisioning log entriesDynamic thing group log entriesFleet indexing log entriesCommon CloudWatch Logs attributes

CloudWatch Logs AWS IoT log entries

Each component of AWS IoT generates its own log entries. Each log entry has an eventType that specifies the operation that caused the log entry to be generated. This section describes the log entries generated by the following AWS IoT components.

Message broker log entries

The AWS IoT message broker generates log entries for the following events:

Connect log entry

The AWS IoT message broker generates a log entry with an eventType of Connect when an MQTT client connects.

Connect log entry example

{
    "timestamp": "2017-08-10 15:37:23.476",
    "logLevel": "INFO",
    "traceId": "20b23f3f-d7f1-feae-169f-82263394fbdb",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "Connect",
    "protocol": "MQTT",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
    "sourceIp": "205.251.233.181",
    "sourcePort": 13490
}

In addition to the Common CloudWatch Logs attributes, Connect log entries contain the following attributes:

clientId

The ID of the client making the request.

principalId

The ID of the principal making the request.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

sourceIp

The IP address where the request originated.

sourcePort

The port where the request originated.

Disconnect log entry

The AWS IoT message broker generates a log entry with an eventType of Disconnect when an MQTT client disconnects.

Disconnect log entry example

{
    "timestamp": "2017-08-10 15:37:23.476",
    "logLevel": "INFO",
    "traceId": "20b23f3f-d7f1-feae-169f-82263394fbdb",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "Disconnect",
    "protocol": "MQTT",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
    "sourceIp": "205.251.233.181",
    "sourcePort": 13490,
    "reason": "DUPLICATE_CLIENT_ID",
    "details": "A new connection was established with the same client ID",
    "disconnectReason": "CLIENT_INITIATED_DISCONNECT"
}

In addition to the Common CloudWatch Logs attributes, Disconnect log entries contain the following attributes:

clientId

The ID of the client making the request.

principalId

The ID of the principal making the request.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

sourceIp

The IP address where the request originated.

sourcePort

The port where the request originated.

reason

The reason why the client is disconnecting.

details

A brief explanation of the error.

disconnectReason

The reason why the client is disconnecting.

DeleteConnection log entry

The AWS IoT message broker generates a log entry with an eventType of DeleteConnection when an MQTT client connection is deleted.

DeleteConnection log entry example

{
    "timestamp": "2025-08-09 15:37:23.476",
    "logLevel": "INFO",
    "traceId": "20b23f3f-d7f1-feae-169f-82263394fbdb",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "DeleteConnection",
    "protocol": "HTTP",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
    "sourceIp": "205.251.233.181",
    "sourcePort": 13490
}

In addition to the Common CloudWatch Logs attributes, DeleteConnection log entries contain the following attributes:

clientId

The ID of the client that will be disconnected.

principalId

The ID of the principal making the request. For information about how to identify the principal using the principal ID, see Compare IAM identities and credentials in the IAM User Guide.

protocol

The protocol used to make the request. The valid value is HTTP.

sourceIp

The IP address where the request originated.

sourcePort

The port where the request originated.

GetRetainedMessage log entry

The AWS IoT message broker generates a log entry with an eventType of GetRetainedMessage when GetRetainedMessage is called.

GetRetainedMessage log entry example

{
    "timestamp": "2017-08-07 18:47:56.664", 
    "logLevel": "INFO", 
    "traceId": "1a60d02e-15b9-605b-7096-a9f584a6ad3f", 
    "accountId": "123456789012", 
    "status": "Success", 
    "eventType": "GetRetainedMessage", 
    "protocol": "HTTP",
    "topicName": "a/b/c",
    "qos": "1",
    "lastModifiedDate": "2017-08-07 18:47:56.664"
}

In addition to the Common CloudWatch Logs attributes, GetRetainedMessage log entries contain the following attributes:

lastModifiedDate

The Epoch date and time, in milliseconds, when the retained message was stored by AWS IoT.

protocol

The protocol used to make the request. Valid value: HTTP.

qos

The Quality of Service (QoS) level used in the publish request. Valid values are 0 or 1.

topicName

The name of the subscribed topic.

ListRetainedMessage log entry

The AWS IoT message broker generates a log entry with an eventType of ListRetainedMessage when ListRetainedMessages is called.

ListRetainedMessage log entry example

{
    "timestamp": "2017-08-07 18:47:56.664", 
    "logLevel": "INFO", 
    "traceId": "1a60d02e-15b9-605b-7096-a9f584a6ad3f", 
    "accountId": "123456789012", 
    "status": "Success", 
    "eventType": "ListRetainedMessage", 
    "protocol": "HTTP"
}

In addition to the Common CloudWatch Logs attributes, ListRetainedMessage log entries contains the following attribute:

protocol

The protocol used to make the request. Valid value: HTTP.

Publish-In log entry

When the AWS IoT message broker receives an MQTT message, it generates a log entry with an eventType of Publish-In.

Publish-In log entry example

{
        "timestamp": "2017-08-10 15:39:30.961",
        "logLevel": "INFO",
        "traceId": "672ec480-31ce-fd8b-b5fb-22e3ac420699",
        "accountId": "123456789012",
        "status": "Success",
        "eventType": "Publish-In",
        "protocol": "MQTT",
        "topicName": "$aws/things/MyThing/shadow/get",
        "clientId": "abf27092886e49a8a5c1922749736453",
        "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
        "sourceIp": "205.251.233.181",
        "sourcePort": 13490,
        "retain": "True"
    }

In addition to the Common CloudWatch Logs attributes, Publish-In log entries contain the following attributes:

clientId

The ID of the client making the request.

principalId

The ID of the principal making the request.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

retain

The attribute used when a message has the RETAIN flag set with a value of True. If the message doesn't have the RETAIN flag set, this attribute doesn't appear in the log entry. For more information, see MQTT retained messages.

sourceIp

The IP address where the request originated.

sourcePort

The port where the request originated.

topicName

The name of the subscribed topic.

Publish-Out log entry

When the message broker publishes an MQTT message, it generates a log entry with an eventType of Publish-Out

Publish-Out log entry example

{
    "timestamp": "2017-08-10 15:39:30.961",
    "logLevel": "INFO",
    "traceId": "672ec480-31ce-fd8b-b5fb-22e3ac420699",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "Publish-Out",
    "protocol": "MQTT",
    "topicName": "$aws/things/MyThing/shadow/get",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
    "sourceIp": "205.251.233.181",
    "sourcePort": 13490
}

In addition to the Common CloudWatch Logs attributes, Publish-Out log entries contain the following attributes:

clientId

The ID of the subscribed client that receives messages on that MQTT topic.

principalId

The ID of the principal making the request.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

sourceIp

The IP address where the request originated.

sourcePort

The port where the request originated.

topicName

The name of the subscribed topic.

Queued log entry

When a device with a persistent session is disconnected, the MQTT message broker stores the device's messages and AWS IoT generates log entries with an eventType of Queued. For more information about MQTT persistent sessions, see MQTT persistent sessions.

Queued server error log entry example

{
    "timestamp": "2022-08-10 15:39:30.961",
    "logLevel": "ERROR",
    "traceId": "672ec480-31ce-fd8b-b5fb-22e3ac420699",
    "accountId": "123456789012",
    "topicName": "$aws/things/MyThing/get",
    "clientId": "123123123",
    "qos": "1",
    "protocol": "MQTT",
    "eventType": "Queued",
    "status": "Failure",
    "details": "Server Error"
}

In addition to the Common CloudWatch Logs attributes, Queued server error log entries contain the following attributes:

clientId

The ID of the client to which the message is queued.

details
Server Error

A server error prevented the message from being stored.

protocol

The protocol used to make the request. The value will always be MQTT.

qos

The Quality of Service (QoS) level of the request. The value will always be 1 because the messages with QoS of 0 aren't stored.

topicName

The name of the subscribed topic.

Queued success log entry example

{
    "timestamp": "2022-08-10 15:39:30.961",
    "logLevel": "INFO",
    "traceId": "672ec480-31ce-fd8b-b5fb-22e3ac420699",
    "accountId": "123456789012",
    "topicName": "$aws/things/MyThing/get",
    "clientId": "123123123",
    "qos": "1",
    "protocol": "MQTT",
    "eventType": "Queued",
    "status": "Success"
}

In addition to the Common CloudWatch Logs attributes, Queued success log entries contain the following attributes:

clientId

The ID of the client to which the message is queued.

protocol

The protocol used to make the request. The value will always be MQTT.

qos

The Quality of Service (QoS) level of the request. The value will always be 1 because the messages with QoS of 0 aren't stored.

topicName

The name of the subscribed topic.

Queued throttled log entry example

{
    "timestamp": "2022-08-10 15:39:30.961",
    "logLevel": "ERROR",
    "traceId": "672ec480-31ce-fd8b-b5fb-22e3ac420699",
    "accountId": "123456789012",
    "topicName": "$aws/things/MyThing/get",
    "clientId": "123123123",
    "qos": "1",
    "protocol": "MQTT",
    "eventType": "Queued",
    "status": "Failure",
    "details": "Throttled while queueing offline message"
}

In addition to the Common CloudWatch Logs attributes, Queued throttled log entries contain the following attributes:

clientId

The ID of the client to which the message is queued.

details
Throttled while queueing offline message

The client exceeded the Queued messages per second per account limit, so the message wasn't stored.

protocol

The protocol used to make the request. The value will always be MQTT.

qos

The Quality of Service (QoS) level of the request. The value will always be 1 because the messages with QoS of 0 aren't stored.

topicName

The name of the subscribed topic.

Subscribe log entry

The AWS IoT message broker generates a log entry with an eventType of Subscribe when an MQTT client subscribes to a topic.

MQTT 3 Subscribe log entry example

{
    "timestamp": "2017-08-10 15:39:04.413",
    "logLevel": "INFO",
    "traceId": "7aa5c38d-1b49-3753-15dc-513ce4ab9fa6",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "Subscribe",
    "protocol": "MQTT",
    "topicName": "$aws/things/MyThing/shadow/#",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
    "sourceIp": "205.251.233.181",
    "sourcePort": 13490
}

In addition to the Common CloudWatch Logs attributes, Subscribe log entries contain the following attributes:

clientId

The ID of the client making the request.

principalId

The ID of the principal making the request.

protocol

The protocol used to make the request. The value will always be MQTT.

sourceIp

The IP address where the request originated.

sourcePort

The port where the request originated.

topicName

The name of the subscribed topic.

MQTT 5 Subscribe log entry example

{
	"timestamp": "2022-11-30 16:24:15.628",
	"logLevel": "INFO",
	"traceId": "7aa5c38d-1b49-3753-15dc-513ce4ab9fa6",
	"accountId": "123456789012",
	"status": "Success",
	"eventType": "Subscribe",
	"protocol": "MQTT",
	"topicName": "test/topic1,$invalid/reserved/topic",
	"subscriptions": [
		{
			"topicName": "test/topic1",
			"reasonCode": 1
		},
		{
			"topicName": "$invalid/reserved/topic",
			"reasonCode": 143
		}
	],
	"clientId": "abf27092886e49a8a5c1922749736453",
	"principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
	"sourceIp": "205.251.233.181",
	"sourcePort": 13490
}

For MQTT 5 Subscribe operations, in addition to the Common CloudWatch Logs attributes and the MQTT 3 Subscribe log entry attributes, MQTT 5 Subscribe log entries contain the following attribute:

subscriptions

A list of mappings between the requested topics in the Subscribe request and the individual MQTT 5 reason code. For more information, see MQTT reason codes.

Unsubscribe log entry

The AWS IoT message broker generates a log entry with an eventType of Unsubscribe when an MQTT client unsubscribes to an MQTT topic.

MQTT unsubscribe log entry example

{
    "timestamp": "2024-08-20 22:53:32.844",
    "logLevel": "INFO",
    "traceId": "db6bd09a-2c3f-1cd2-27cc-fd6b1ce03b58",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "Unsubscribe",
    "protocol": "MQTT",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
    "sourceIp": "205.251.233.181",
    "sourcePort": 13490
}

In addition to the Common CloudWatch Logs attributes, Unsubscribe log entries contain the following attributes:

protocol

The protocol used to make the request. The value will always be MQTT.

clientId

The ID of the client making the request.

principalId

The ID of the principal making the request.

sourceIp

The IP address where the request originated.

sourcePort

The port where the request originated.

Server certificate OCSP log entries

AWS IoT Core generates log entries for the following event:

RetrieveOCSPStapleData log entry

AWS IoT Core generates a log entry with an eventType of RetrieveOCSPStapleData when the server retrieves the OCSP staple data.

RetrieveOCSPStapleData log entry examples

The following is a log entry example of Success.

{
	"timestamp": "2024-01-30 15:39:30.961",
	"logLevel": "INFO",
	"traceId": "180532b7-0cc7-057b-687a-5ca1824838f5",
	"accountId": "123456789012",
	"status": "Success",
	"eventType": "RetrieveOCSPStapleData",
	"domainConfigName": "test-domain-config-name",
	"connectionDetails": {
		"httpStatusCode": "200",
		"ocspResponderUri": "http://ocsp.example.com",
		"sourceIp": "205.251.233.181",
		"targetIp": "250.15.5.3"
	},
	"ocspRequestDetails": {
		"requesterName": "iot.amazonaws.com",
		"requestCertId": "30:3A:30:09:06:05:2B:0E:03:02:1A:05:00:04:14:9C:FF:90:A1:97:B0:4D:6C:01:B9:69:96:D8:3E:E7:A2:51:7F:30:C4:04:14:7C:84:78:AE:12:58:71:38:0C:65:FC:17:77:7D:14:DD:69:73:71:46:02:01:01"
	},
	"ocspResponseDetails": {
		"responseCertId": "30:3A:30:09:06:05:2B:0E:03:02:1A:05:00:04:14:9C:FF:90:A1:97:B0:4D:6C:01:B9:69:96:D8:3E:E7:A2:51:7F:30:C4:04:14:7C:84:78:AE:12:58:71:38:0C:65:FC:17:77:7D:14:DD:69:73:71:46:02:01:01",
		"ocspResponseStatus": "successful",
		"certStatus": "good",
		"signature": "4C:6F:63:61:6C:20:52:65:73:70:6F:6E:64:65:72:20:53:69:67:6E:61:74:75:72:65",
		"thisUpdateTime": "Jan 31 01:21:02 2024 UTC",
		"nextUpdateTime": "Feb 02 00:21:02 2024 UTC",
		"producedAtTime": "Jan 31 01:37:03 2024 UTC",
		"stapledDataPayloadSize": "XXX"
	}
}

The following is a log entry example of Failure.

{
	"timestamp": "2024-01-30 15:39:30.961",
	"logLevel": "ERROR",
	"traceId": "180532b7-0cc7-057b-687a-5ca1824838f5",
	"accountId": "123456789012",
	"status": "Failure",
	"reason": "A non 2xx HTTP response was received from the OCSP responder.",
	"eventType": "RetrieveOCSPStapleData",
	"domainConfigName": "test-domain-config-name",
	"connectionDetails": {
		"httpStatusCode": "444",
		"ocspResponderUri": "http://ocsp.example.com",
		"sourceIp": "205.251.233.181",
		"targetIp": "250.15.5.3"
	},
	"ocspRequestDetails": {
		"requesterName": "iot.amazonaws.com",
		"requestCertId": "30:3A:30:09:06:05:2B:0E:03:02:1A:05:00:04:14:9C:FF:90:A1:97:B0:4D:6C:01:B9:69:96:D8:3E:E7:A2:51:7F:30:C4:04:14:7C:84:78:AE:12:58:71:38:0C:65:FC:17:77:7D:14:DD:69:73:71:46:02:01:01"
	}
}

For the RetrieveOCSPStaple operation, in addition to the Common CloudWatch Logs attributes, the log entries contain the following attributes:

reason

The reason why the operation fails.

domainConfigName

The name of your domain configuration.

connectionDetails

A brief explanation of the connection details.

  • httpStatusCode

    HTTP status codes that are returned by the OCSP responder in response to the client's request made to the server.

  • ocspResponderUri

    The OCSP responder URI that AWS IoT Core fetches from the server certificate.

  • sourceIp

    The source IP address of the AWS IoT Core server.

  • targetIp

    The target IP address of the OCSP responder.

ocspRequestDetails

Details of the OCSP request.

  • requesterName

    The identifier for the AWS IoT Core server that sends a request to the OCSP responder.

  • requestCertId

    The certificate ID of the request. This is the ID of the certificate for which the OCSP response is being requested.

ocspResponseDetails

Details of the OCSP response.

  • responseCertId

    The certificate ID of the OCSP response.

  • ocspResponseStatus

    The status of the OCSP response.

  • certStatus

    The status of the certificate.

  • signature

    The signature that's applied to the response by a trusted entity.

  • thisUpdateTime

    The time at which the status being indicated is known to be correct.

  • nextUpdateTime

    The time at or before which newer information will be available about the status of the certificate.

  • producedAtTime

    The time at which the OCSP responder signed this response.

  • stapledDataPayloadSize

    The payload size of the stapled data.

RetrieveOCSPStapleData log entry for private endpoints

AWS IoT Core generates a log entry with an eventType of RetrieveOCSPStapleData when the server retrieves the OCSP staple data.

RetrieveOCSPStapleData log entry examples for private endpoints

The following is a log entry example of Success.

{
	"timestamp": "2024-01-30 15:39:30.961",
	"logLevel": "INFO",
	"traceId": "180532b7-0cc7-057b-687a-5ca1824838f5",
	"accountId": "123456789012",
	"status": "Success",
	"eventType": "RetrieveOCSPStapleData",
	"domainConfigName": "test-domain-config-name",
        "lambdaDetails": {
        "lambdaArn": "arn:aws:lambda:us-west-2:123456789012:function:my-function",
        "sourceArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/testDomainConfigure/6bzfg"
      },
        "authorizedResponderArn": "arn:aws:acm:us-west-2:123456789012:certificate/certificate_ID",
	"ocspRequestDetails": {
		"requesterName": "iot.amazonaws.com",
		"requestCertId": "30:3A:30:09:06:05:2B:0E:03:02:1A:05:00:04:14:9C:FF:90:A1:97:B0:4D:6C:01:B9:69:96:D8:3E:E7:A2:51:7F:30:C4:04:14:7C:84:78:AE:12:58:71:38:0C:65:FC:17:77:7D:14:DD:69:73:71:46:02:01:01"
	},
	"ocspResponseDetails": {
		"responderId": "04:C1:3F:8F:27:D6:49:13:F8:DE:B2:36:9D:85:8E:F8:31:3B:A6:D0"
               "responseCertId": "30:3A:30:09:06:05:2B:0E:03:02:1A:05:00:04:14:9C:FF:90:A1:97:B0:4D:6C:01:B9:69:96:D8:3E:E7:A2:51:7F:30:C4:04:14:7C:84:78:AE:12:58:71:38:0C:65:FC:17:77:7D:14:DD:69:73:71:46:02:01:01",
		"ocspResponseStatus": "successful",
		"certStatus": "good",
		"signature": "4C:6F:63:61:6C:20:52:65:73:70:6F:6E:64:65:72:20:53:69:67:6E:61:74:75:72:65",
		"thisUpdateTime": "Jan 31 01:21:02 2024 UTC",
		"nextUpdateTime": "Feb 02 00:21:02 2024 UTC",
		"producedAtTime": "Jan 31 01:37:03 2024 UTC",
		"stapledDataPayloadSize": "XXX"
	}
}

The following is a log entry example of Failure.

{
	"timestamp": "2024-01-30 15:39:30.961",
	"logLevel": "ERROR",
	"traceId": "180532b7-0cc7-057b-687a-5ca1824838f5",
	"accountId": "123456789012",
	"status": "Failure",
	"reason": "The payload returned by the Lambda function exceeds the maximum response size of 7 kilobytes.",
	"eventType": "RetrieveOCSPStapleData",
	"domainConfigName": "test-domain-config-name",
        "lambdaDetails": {
        "lambdaArn": "arn:aws:lambda:us-west-2:123456789012:function:my-function",
        "sourceArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/testDomainConfigure/6bzfg"
      },
        "authorizedResponderArn": "arn:aws:acm:us-west-2:123456789012:certificate/certificate_ID",
	 "ocspRequestDetails": {
		"requesterName": "iot.amazonaws.com",
		"requestCertId": "30:3A:30:09:06:05:2B:0E:03:02:1A:05:00:04:14:9C:FF:90:A1:97:B0:4D:6C:01:B9:69:96:D8:3E:E7:A2:51:7F:30:C4:04:14:7C:84:78:AE:12:58:71:38:0C:65:FC:17:77:7D:14:DD:69:73:71:46:02:01:01"
	}
}

For the RetrieveOCSPStaple operation, in addition to the Common CloudWatch Logs attributes and the attributes in RetrieveOCSPStapleData log entry, the log entries for private endpoints contain the following attributes:

lambdaDetails

Details of the Lambda function.

  • lambdaArn

    The ARN of the Lambda function.

  • sourceArn

    The ARN of the domain configuration.

authorizedResponderArn

The ARN of the authorizer responder if there is one configured in the domain configuration.

Device Shadow log entries

The AWS IoT Device Shadow service generates log entries for the following events:

DeleteThingShadow log entry

The Device Shadow service generates a log entry with an eventType of DeleteThingShadow when a request to delete a device's shadow is received.

DeleteThingShadow log entry example

{
    "timestamp": "2017-08-07 18:47:56.664",
    "logLevel": "INFO",
    "traceId": "1a60d02e-15b9-605b-7096-a9f584a6ad3f",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "DeleteThingShadow",
    "protocol": "MQTT",
    "deviceShadowName": "Jack",
    "topicName": "$aws/things/Jack/shadow/delete"
}

In addition to the Common CloudWatch Logs attributes, DeleteThingShadow log entries contain the following attributes:

deviceShadowName

The name of the shadow to update.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

topicName

The name of the topic on which the request was published.

GetThingShadow log entry

The Device Shadow service generates a log entry with an eventType of GetThingShadow when a get request for a shadow is received.

GetThingShadow log entry example

{
    "timestamp": "2017-08-09 17:56:30.941",
    "logLevel": "INFO",
    "traceId": "b575f19a-97a2-cf72-0ed0-c64a783a2504",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "GetThingShadow",
    "protocol": "MQTT",
    "deviceShadowName": "MyThing",
    "topicName": "$aws/things/MyThing/shadow/get"
}

In addition to the Common CloudWatch Logs attributes, GetThingShadow log entries contain the following attributes:

deviceShadowName

The name of the requested shadow.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

topicName

The name of the topic on which the request was published.

UpdateThingShadow log entry

The Device Shadow service generates a log entry with an eventType of UpdateThingShadow when a request to update a device's shadow is received.

UpdateThingShadow log entry example

{
    "timestamp": "2017-08-07 18:43:59.436",
    "logLevel": "INFO",
    "traceId": "d0074ba8-0c4b-a400-69df-76326d414c28",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "UpdateThingShadow",
    "protocol": "MQTT",
    "deviceShadowName": "Jack",
    "topicName": "$aws/things/Jack/shadow/update"
}

In addition to the Common CloudWatch Logs attributes, UpdateThingShadow log entries contain the following attributes:

deviceShadowName

The name of the shadow to update.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

topicName

The name of the topic on which the request was published.

Rules engine log entries

The AWS IoT rules engine generates logs for the following events:

FunctionExecution log entry

The rules engine generates a log entry with an eventType of FunctionExecution when a rule's SQL query calls an external function. An external function is called when a rule's action makes an HTTP request to AWS IoT or another web service (for example, calling get_thing_shadow or machinelearning_predict).

FunctionExecution log entry example

{
    "timestamp": "2017-07-13 18:33:51.903",
    "logLevel": "DEBUG",
    "traceId": "180532b7-0cc7-057b-687a-5ca1824838f5",
    "status": "Success",
    "eventType": "FunctionExecution",
    "clientId": "N/A",
    "topicName":"rules/test",
    "ruleName": "ruleTestPredict",
    "ruleAction": "MachinelearningPredict",
    "resources": {
        "ModelId": "predict-model"
    },
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167"
}

In addition to the Common CloudWatch Logs attributes, FunctionExecution log entries contain the following attributes:

clientId

N/A for FunctionExecution logs.

principalId

The ID of the principal making the request.

resources

A collection of resources used by the rule's actions.

ruleName

The name of the matching rule.

topicName

The name of the subscribed topic.

RuleExecution log entry

When the AWS IoT rules engine triggers a rule's action, it generates a RuleExecution log entry.

RuleExecution log entry example

{
    "timestamp": "2017-08-10 16:32:46.070",
    "logLevel": "INFO",
    "traceId": "30aa7ccc-1d23-0b97-aa7b-76196d83537e",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "RuleExecution",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "topicName": "rules/test",
    "ruleName": "JSONLogsRule",
    "ruleAction": "RepublishAction",
    "resources": {
        "RepublishTopic": "rules/republish"
    },
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167"
}

In addition to the Common CloudWatch Logs attributes, RuleExecution log entries contain the following attributes:

clientId

The ID of the client making the request.

principalId

The ID of the principal making the request.

resources

A collection of resources used by the rule's actions.

ruleAction

The name of the action triggered.

ruleName

The name of the matching rule.

topicName

The name of the subscribed topic.

RuleMatch log entry

The AWS IoT rules engine generates a log entry with an eventType of RuleMatch when the message broker receives a message that matches a rule.

RuleMatch log entry example

{
    "timestamp": "2017-08-10 16:32:46.002",
    "logLevel": "INFO",
    "traceId": "30aa7ccc-1d23-0b97-aa7b-76196d83537e",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "RuleMatch",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "topicName": "rules/test",
    "ruleName": "JSONLogsRule",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167"
}

In addition to the Common CloudWatch Logs attributes, RuleMatch log entries contain the following attributes:

clientId

The ID of the client making the request.

principalId

The ID of the principal making the request.

ruleName

The name of the matching rule.

topicName

The name of the subscribed topic.

RuleExecutionThrottled log entry

When an execution is throttled, the AWS IoT rules engine generates a log entry with an eventType of RuleExecutionThrottled.

RuleExecutionThrottled log entry example

{
    "timestamp": "2017-10-04 19:25:46.070",
    "logLevel": "ERROR",
    "traceId": "30aa7ccc-1d23-0b97-aa7b-76196d83537e",
    "accountId": "123456789012",
    "status": "Failure",
    "eventType": "RuleExecutionThrottled",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "topicName": "$aws/rules/example_rule",
    "ruleName": "example_rule",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
    "reason": "RuleExecutionThrottled",
    "details": "Exection of Rule example_rule throttled"
}

In addition to the Common CloudWatch Logs attributes, RuleExecutionThrottled log entries contain the following attributes:

clientId

The ID of the client making the request.

details

A brief explanation of the error.

principalId

The ID of the principal making the request.

reason

The string "RuleExecutionThrottled".

ruleName

The name of the rule to be triggered.

topicName

The name of the topic that was published.

RuleNotFound log entry

When the AWS IoT rules engine cannot find a rule with a given name, it generates a log entry with an eventType of RuleNotFound.

RuleNotFound log entry example

{
    "timestamp": "2017-10-04 19:25:46.070",
    "logLevel": "ERROR",
    "traceId": "30aa7ccc-1d23-0b97-aa7b-76196d83537e",
    "accountId": "123456789012",
    "status": "Failure",
    "eventType": "RuleNotFound",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "topicName": "$aws/rules/example_rule",
    "ruleName": "example_rule",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167",
    "reason": "RuleNotFound",
    "details": "Rule example_rule not found"
}

In addition to the Common CloudWatch Logs attributes, RuleNotFound log entries contain the following attributes:

clientId

The ID of the client making the request.

details

A brief explanation of the error.

principalId

The ID of the principal making the request.

reason

The string "RuleNotFound".

ruleName

The name of the rule that could not be found.

topicName

The name of the topic that was published.

StartingRuleExecution log entry

When the AWS IoT rules engine starts to trigger a rule's action, it generates a log entry with an eventType of StartingRuleExecution.

StartingRuleExecution log entry example

{
    "timestamp": "2017-08-10 16:32:46.002",
    "logLevel": "DEBUG",
    "traceId": "30aa7ccc-1d23-0b97-aa7b-76196d83537e",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "StartingRuleExecution",
    "clientId": "abf27092886e49a8a5c1922749736453",
    "topicName": "rules/test",
    "ruleName": "JSONLogsRule",
    "ruleAction": "RepublishAction",
    "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a932167"
}

In addition to the Common CloudWatch Logs attributes, rule- log entries contain the following attributes:

clientId

The ID of the client making the request.

principalId

The ID of the principal making the request.

ruleAction

The name of the action triggered.

ruleName

The name of the matching rule.

topicName

The name of the subscribed topic.

Job log entries

The AWS IoT Job service generates log entries for the following events. Log entries are generated when an MQTT or HTTP request is received from the device.

DescribeJobExecution log entry

The AWS IoT Jobs service generates a log entry with an eventType of DescribeJobExecution when the service receives a request to describe a job execution.

DescribeJobExecution log entry example

{
    "timestamp": "2017-08-10 19:13:22.841",
    "logLevel": "DEBUG",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "DescribeJobExecution",
    "protocol": "MQTT",
    "clientId": "thingOne",
    "jobId": "002",
    "topicName": "$aws/things/thingOne/jobs/002/get",
    "clientToken": "myToken",
    "details": "The request status is SUCCESS."
}

In addition to the Common CloudWatch Logs attributes, GetJobExecution log entries contain the following attributes:

clientId

The ID of the client making the request.

clientToken

A unique, case-sensitive identifier to ensure the idempotency of the request. For more information, see How to Ensure Idempotency.

details

Other information from the Jobs service.

jobId

The job ID for the job execution.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

topicName

The topic used to make the request.

GetPendingJobExecution log entry

The AWS IoT Jobs service generates a log entry with an eventType of GetPendingJobExecution when the service receives a job execution request.

GetPendingJobExecution log entry example

{
    "timestamp": "2018-06-13 17:45:17.197",
    "logLevel": "DEBUG",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "GetPendingJobExecution",
    "protocol": "MQTT",
    "clientId": "299966ad-54de-40b4-99d3-4fc8b52da0c5",
    "topicName": "$aws/things/299966ad-54de-40b4-99d3-4fc8b52da0c5/jobs/get",
    "clientToken": "24b9a741-15a7-44fc-bd3c-1ff2e34e5e82",
    "details": "The request status is SUCCESS."
}

In addition to the Common CloudWatch Logs attributes, GetPendingJobExecution log entries contain the following attributes:

clientId

The ID of the client making the request.

clientToken

A unique, case sensitive identifier to ensure the idempotency of the request. For more information, see How to Ensure Idempotency.

details

Other information from the Jobs service.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

topicName

The name of the subscribed topic.

ReportFinalJobExecutionCount log entry

The AWS IoT Jobs service generates a log entry with an entryType of ReportFinalJobExecutionCount when a job is completed.

ReportFinalJobExecutionCount log entry example

{
    "timestamp": "2017-08-10 19:44:16.776",
    "logLevel": "INFO",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "ReportFinalJobExecutionCount",
    "jobId": "002",
    "details": "Job 002 completed. QUEUED job execution count: 0 IN_PROGRESS job execution count: 0 FAILED job execution count: 0 SUCCEEDED job execution count: 1 CANCELED job execution count: 0 REJECTED job execution count: 0 REMOVED job execution count: 0"
}

In addition to the Common CloudWatch Logs attributes, ReportFinalJobExecutionCount log entries contain the following attributes:

details

Other information from the Jobs service.

jobId

The job ID for the job execution.

StartNextPendingJobExecution log entry

When it receives a request to start the next pending job execution, the AWS IoT Jobs service generates a log entry with an eventType of StartNextPendingJobExecution.

StartNextPendingJobExecution log entry example

{
    "timestamp": "2018-06-13 17:49:51.036",
    "logLevel": "DEBUG",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "StartNextPendingJobExecution",
    "protocol": "MQTT",
    "clientId": "95c47808-b1ca-4794-bc68-a588d6d9216c",
    "topicName": "$aws/things/95c47808-b1ca-4794-bc68-a588d6d9216c/jobs/start-next",
    "clientToken": "bd7447c4-3a05-49f4-8517-dd89b2c68d94",
    "details": "The request status is SUCCESS."
}

In addition to the Common CloudWatch Logs attributes, StartNextPendingJobExecution log entries contain the following attributes:

clientId

The ID of the client making the request.

clientToken

A unique, case sensitive identifier to ensure the idempotency of the request. For more information, see How to Ensure Idempotency.

details

Other information from the Jobs service.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

topicName

The topic used to make the request.

UpdateJobExecution log entry

The AWS IoT Jobs service generates a log entry with an eventType of UpdateJobExecution when the service receives a request to update a job execution.

UpdateJobExecution log entry example

{
    "timestamp": "2017-08-10 19:25:14.758",
    "logLevel": "DEBUG",
    "accountId": "123456789012",
    "status": "Success",
    "eventType": "UpdateJobExecution",
    "protocol": "MQTT",
    "clientId": "thingOne",
    "jobId": "002",
    "topicName": "$aws/things/thingOne/jobs/002/update",
    "clientToken": "myClientToken",
    "versionNumber": "1",
    "details": "The destination status is IN_PROGRESS. The request status is SUCCESS."
}

In addition to the Common CloudWatch Logs attributes, UpdateJobExecution log entries contain the following attributes:

clientId

The ID of the client making the request.

clientToken

A unique, case sensitive identifier to ensure the idempotency of the request. For more information, see How to Ensure Idempotency.

details

Other information from the Jobs service.

jobId

The job ID for the job execution.

protocol

The protocol used to make the request. Valid values are MQTT or HTTP.

topicName

The topic used to make the request.

versionNumber

The version of the job execution.

Device provisioning log entries

The AWS IoT Device Provisioning service generates logs for the following events.

GetDeviceCredentials log entry

The AWS IoT Device Provisioning service generates a log entry with an eventType of GetDeviceCredential when a client calls GetDeviceCredential.

GetDeviceCredentials log entry example

{
  "timestamp" : "2019-02-20 20:31:22.932",
  "logLevel" : "INFO",
  "traceId" : "8d9c016f-6cc7-441e-8909-7ee3d5563405",
  "accountId" : "123456789101",
  "status" : "Success",
  "eventType" : "GetDeviceCredentials",
  "deviceCertificateId" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "details" : "Additional details about this log."
}

In addition to the Common CloudWatch Logs attributes, GetDeviceCredentials log entries contain the following attributes:

details

A brief explanation of the error.

deviceCertificateId

The ID of the device certificate.

ProvisionDevice log entry

The AWS IoT Device Provisioning service generates a log entry with an eventType of ProvisionDevice when a client calls ProvisionDevice.

ProvisionDevice log entry example

{
  "timestamp" : "2019-02-20 20:31:22.932",
  "logLevel" : "INFO",
  "traceId" : "8d9c016f-6cc7-441e-8909-7ee3d5563405",
  "accountId" : "123456789101",
  "status" : "Success",
  "eventType" : "ProvisionDevice",
  "provisioningTemplateName" : "myTemplate",
  "deviceCertificateId" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "details" : "Additional details about this log."
 }

In addition to the Common CloudWatch Logs attributes, ProvisionDevice log entries contain the following attributes:

details

A brief explanation of the error.

deviceCertificateId

The ID of the device certificate.

provisioningTemplateName

The name of the provisioning template.

Dynamic thing group log entries

AWS IoT Dynamic Thing Groups generate logs for the following event.

AddThingToDynamicThingGroupsFailed log entry

When AWS IoT was not able to add a thing to the specified dynamic groups, it generates a log entry with an eventType of AddThingToDynamicThingGroupsFailed. This happens when a thing met the criteria to be in the dynamic thing group; however, it could not be added to the dynamic group or it was removed from the dynamic group. This can happen because:

  • The thing already belongs to the maximum number of groups.

  • The --override-dynamic-groups option was used to add the thing to a static thing group. It was removed from a dynamic thing group to make that possible.

For more information, see Dynamic Thing Group Limitations and Conflicts.

AddThingToDynamicThingGroupsFailed log entry example

This example shows the log entry of an AddThingToDynamicThingGroupsFailed error. In this example, TestThing met the criteria to be in the dynamic thing groups listed in dynamicThingGroupNames, but could not be added to those dynamic groups, as described in reason.

{
 "timestamp": "2020-03-16 22:24:43.804",
 "logLevel": "ERROR",
 "traceId": "70b1f2f5-d95e-f897-9dcc-31e68c3e1a30",
 "accountId": "57EXAMPLE833",
 "status": "Failure",
 "eventType": "AddThingToDynamicThingGroupsFailed",
 "thingName": "TestThing",
 "dynamicThingGroupNames": [
  "DynamicThingGroup11",
  "DynamicThingGroup12",
  "DynamicThingGroup13",
  "DynamicThingGroup14"
 ],
 "reason": "The thing failed to be added to the given dynamic thing group(s) because the thing already belongs to the maximum allowed number of groups."
}

In addition to the Common CloudWatch Logs attributes, AddThingToDynamicThingGroupsFailed log entries contain the following attributes:

dynamicThingGroupNames

An array of the dynamic thing groups to which the thing could not be added.

reason

The reason why the thing could not be added to the dynamic thing groups.

thingName

The name of the thing that could not be added to a dynamic thing group.

Fleet indexing log entries

AWS IoT fleet indexing generates log entries for the following events.

NamedShadowCountForDynamicGroupQueryLimitExceeded log entry

A maximum of 25 named shadows per thing are processed for query terms that are not data source specific in dynamic groups. When this limit is breached for a thing, the NamedShadowCountForDynamicGroupQueryLimitExceeded event type will be emitted.

NamedShadowCountForDynamicGroupQueryLimitExceeded log entry example

This example shows the log entry of a NamedShadowCountForDynamicGroupQueryLimitExceeded error. In this example, all-values based DynamicGroup results can be inaccurate, as described in the reason field.

{
"timestamp": "2020-03-16 22:24:43.804",
"logLevel": "ERROR",
"traceId": "70b1f2f5-d95e-f897-9dcc-31e68c3e1a30",
"accountId": "571032923833",
"status": "Failure",
"eventType": "NamedShadowCountForDynamicGroupQueryLimitExceeded",
"thingName": "TestThing",
"reason": "A maximum of 25 named shadows per thing are processed for non-data source specific query terms in dynamic groups."
}

Common CloudWatch Logs attributes

All CloudWatch Logs log entries include these attributes:

accountId

Your AWS account ID.

eventType

The event type for which the log was generated. The value of the event type depends on the event that generated the log entry. Each log entry description includes the value of eventType for that log entry.

logLevel

The log level being used. For more information, see Log levels.

status

The status of the request.

timestamp

The human-readable UTC timestamp of when the client connected to the AWS IoT message broker.

traceId

A randomly generated identifier that can be used to correlate all logs for a specific request.