Diagnosing rules issues - AWS IoT Core

Diagnosing rules issues

This section describes some of the things to check when you encounter a problem with rule.

Configuring CloudWatch Logs for troubleshooting

The best way to debug issues you are having with rules is to use CloudWatch Logs. When you enable CloudWatch Logs for AWS IoT, you can see which rules are triggered and their success or failure. You also get information about whether WHERE clause conditions match. For more information, see Monitor AWS IoT using CloudWatch Logs.

The most common rules issue is authorization. The logs show if your role is not authorized to perform AssumeRole on the resource. Here is an example log generated by fine-grained logging:

{ "timestamp": "2017-12-09 22:49:17.954", "logLevel": "ERROR", "traceId": "ff563525-6469-506a-e141-78d40375fc4e", "accountId": "123456789012", "status": "Failure", "eventType": "RuleExecution", "clientId": "iotconsole-123456789012-3", "topicName": "test-topic", "ruleName": "rule1", "ruleAction": "DynamoAction", "resources": { "ItemHashKeyField": "id", "Table": "trashbin", "Operation": "Insert", "ItemHashKeyValue": "id", "IsPayloadJSON": "true" }, "principalId": "ABCDEFG1234567ABCD890:outis", "details": "User: arn:aws:sts::123456789012:assumed-role/dynamo-testbin/5aUMInJH is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:123456789012:table/testbin (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: AKQJ987654321AKQJ123456789AKQJ987654321AKQJ987654321)" }

Here is a similar example log generated by global logging:

2017-12-09 22:49:17.954 TRACEID:ff562535-6964-506a-e141-78d40375fc4e PRINCIPALID:ABCDEFG1234567ABCD890:outis [ERROR] EVENT:DynamoActionFailure TOPICNAME:test-topic CLIENTID:iotconsole-123456789012-3 MESSAGE:Dynamo Insert record failed. The error received was User: arn:aws:sts::123456789012:assumed-role/dynamo-testbin/5aUMInJI is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:123456789012:table/testbin (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: AKQJ987654321AKQJ987654321AKQJ987654321AKQJ987654321). Message arrived on: test-topic, Action: dynamo, Table: trashbin, HashKeyField: id, HashKeyValue: id, RangeKeyField: None, RangeKeyValue: 123456789012 No newer events found at the moment. Retry.

For more information, see Viewing AWS IoT logs in the CloudWatch console.

Diagnosing external services

External services are controlled by the end user. Before rule execution, make sure that the external services you have linked to your rule are set up and have enough throughput and capacity units for your application.

Diagnosing SQL problems

If your SQL query is not returning the data you expect:

  • Review the logs for error messages.

  • Confirm that your SQL syntax matches the JSON document in the message.

    Review the object and property names used in the query with those used in the JSON document of the topic's message payload. For more information about the JSON formatting in SQL queries, see JSON extensions.

  • Check to see if the JSON object or property names include reserved or numeric characters.

    For more information about reserved characters in JSON object references in SQL queries, see JSON extensions.