Set up CloudWatch Logs insights - Automations for AWS Firewall Manager

Set up CloudWatch Logs insights

This solution logs error, warning, informational, and debugging messages for its Lambda functions. To choose which messages are logged, locate the applicable function in the AWS Lambda console and set its LOG_LEVEL environment variable to the least severe level you want recorded; each level also includes every more severe level, as the table below shows. For instructions on changing the variable, see Using Lambda environment variables in the AWS Lambda Developer Guide.

The following table lists the types of log levels you can choose from.

Level     Description
ERROR     Logs include information on anything that causes an operation to fail.
WARNING   Logs include information on anything that can potentially cause inconsistencies in the function but might not necessarily cause the operation to fail. Logs also include ERROR messages.
INFO      Logs include high-level information about how the function is operating. Logs also include ERROR and WARNING messages.
DEBUG     Logs include information that might be helpful when debugging a problem with the function. Logs also include ERROR, WARNING, and INFO messages.

You can raise the log level (for example, to DEBUG) to troubleshoot the issues identified in Troubleshooting, and lower it again afterwards, because DEBUG logging increases the volume of log data the functions write.

View CloudWatch Logs insights

The following CloudWatch Logs insights queries are added to your account when you deploy the solution. To view and use these queries, access your saved queries from the CloudWatch console.

Alternatively, you can complete the following steps to use the queries manually.

Policy Manager

  1. Navigate to the Amazon CloudWatch console.

  2. On the navigation menu, under Logs, choose Logs Insights.

  3. On the Logs Insights page, choose the Logs tab.

  4. Select /aws/lambda/<xxxx>-PolicyStack-PolicyManager-<xxxx>. This log group contains the log events related to policy creation, updates, and deletions.

  5. Copy one of the following sample queries and paste it into the query field. The level and message fields in these queries are the fields of the functions' JSON log records; @timestamp and @message are the built-in Logs Insights fields:

    • To identify error events:

      fields @timestamp, level, @message | sort @timestamp desc | filter level = "ERROR"
    • To identify policy create success events:

      fields @timestamp, level, @message | sort @timestamp desc | filter message like "successfully put policy"
    • To identify policy create fail events:

      fields @timestamp, @message | sort @timestamp desc | filter message like "encountered error putting policy"
  6. Select a time range and choose Run query. Save these queries for future use.

Automations for Shield Advanced

  1. Navigate to the Amazon CloudWatch console.

  2. On the navigation menu, under Logs, choose Logs Insights.

  3. On the Logs Insights page, choose the Logs tab.

  4. Select /aws/lambda/<xxxx>-FMS-ShieldAutomations-ConfigRuleRemediate-<xxxx>. This log group contains the log events related to Route 53 health check creation and association with Shield Advanced protections.

  5. To view the log events related to evaluation of your organization’s Shield Advanced protections instead, select /aws/lambda/<xxxx>-FMS-ShieldAutomations-ConfigRuleEval-<xxxx>.

  6. Copy one of the following sample queries and paste it into the query field:

    • To identify error events:

      fields @timestamp, level, @message | sort @timestamp desc | filter level = "ERROR"
    • To identify successful health check create events:

      fields @timestamp, @message | sort @timestamp desc | filter message like "Created Route53 Health Check"
    • To identify successful remediation events:

      fields @timestamp, @message | sort @timestamp desc | filter message like "Remediation successful for Shield Protection"
    • To identify successful associations of health checks with Shield Advanced protections:

      fields @timestamp, @message | sort @timestamp desc | filter message like "Associated calculated Health Check"
  7. Select a time range and choose Run query. Save these queries for future use.
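The following Python is an added example, not code from the solution or from this guide. It replays the filters used by the queries above, for both the Policy Manager and the Shield Advanced log groups, over a constructed set of JSON log records, so you can check what each LOG_LEVEL setting would emit and which records each query matches before running it in the console. The sample messages, timestamps and the xray_trace_id field are assumptions made for illustration; the level and message field names are the ones the queries filter on.

```python
import json
from datetime import datetime

# LOG_LEVEL values from most to least severe, as in the table above.
LEVELS = ("ERROR", "WARNING", "INFO", "DEBUG")


def levels_emitted(log_level):
    """Return the set of levels written to CloudWatch for a given LOG_LEVEL.

    Each setting also includes every more severe level, so ERROR is always written.
    """
    log_level = log_level.upper()
    if log_level not in LEVELS:
        raise ValueError("unknown LOG_LEVEL %r; expected one of %s" % (log_level, LEVELS))
    return frozenset(LEVELS[: LEVELS.index(log_level) + 1])


# Constructed sample log stream (not real solution output): one JSON record per line
# with the `level` and `message` fields the queries filter on. `xray_trace_id` is an
# assumed field name used to illustrate the trace lookup described on this page.
SAMPLE_LOG_LINES = """\
{"timestamp": "2024-05-01T10:00:00+00:00", "level": "INFO", "message": "successfully put policy FMS-WAF-01", "xray_trace_id": "1-66321111-00000000000000000000aaaa"}
{"timestamp": "2024-05-01T10:00:05+00:00", "level": "DEBUG", "message": "putPolicy request prepared for FMS-WAF-02", "xray_trace_id": "1-66321112-00000000000000000000bbbb"}
{"timestamp": "2024-05-01T10:00:10+00:00", "level": "ERROR", "message": "encountered error putting policy FMS-WAF-02: AccessDeniedException", "xray_trace_id": "1-66321112-00000000000000000000bbbb"}
{"timestamp": "2024-05-01T10:00:15+00:00", "level": "WARNING", "message": "policy FMS-WAF-03 already exists with different tags", "xray_trace_id": "1-66321113-00000000000000000000cccc"}
{"timestamp": "2024-05-01T10:00:20+00:00", "level": "INFO", "message": "successfully put policy FMS-WAF-03", "xray_trace_id": "1-66321113-00000000000000000000cccc"}
{"timestamp": "2024-05-01T10:00:25+00:00", "level": "ERROR", "message": "encountered error putting policy FMS-WAF-04: LimitExceededException", "xray_trace_id": "1-66321114-00000000000000000000dddd"}
"""


def parse_records(raw):
    """Parse JSON-lines log output into dicts, skipping blank lines and non-JSON lines."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. the START/END/REPORT lines Lambda adds to every stream
        rec["_ts"] = datetime.fromisoformat(rec["timestamp"])
        records.append(rec)
    return records


def run_query(records, level=None, message_like=None):
    """Local equivalent of: fields ... | sort @timestamp desc | filter level = X / message like Y.

    `like` with a plain string is a case-sensitive substring match in Logs Insights.
    """
    hits = [
        r for r in records
        if (level is None or r.get("level") == level)
        and (message_like is None or message_like in r.get("message", ""))
    ]
    return sorted(hits, key=lambda r: r["_ts"], reverse=True)


def simulate_log_level(records, log_level):
    """Records that would still be written if the function ran with LOG_LEVEL=log_level."""
    allowed = levels_emitted(log_level)
    return [r for r in records if r.get("level") in allowed]


def trace_ids_for(records, level="ERROR"):
    """Distinct X-Ray trace IDs of the events at `level`, newest first, for lookup in the Traces page."""
    seen = []
    for r in run_query(records, level=level):
        tid = r.get("xray_trace_id")
        if tid and tid not in seen:
            seen.append(tid)
    return seen


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    for lvl in LEVELS:
        print("LOG_LEVEL=%-7s -> %d of %d records written" % (lvl, len(simulate_log_level(recs, lvl)), len(recs)))
    for r in run_query(recs, message_like="encountered error putting policy"):
        print(r["timestamp"], r["level"], r["message"])
    print("trace IDs to open in X-Ray:", trace_ids_for(recs))
```

Running the script prints how many of the six constructed records survive each LOG_LEVEL setting, lists the two policy-put failures newest first, and returns their trace IDs in the order you would paste them into the Traces page. Because the substring match is case-sensitive, a query for "Successfully put policy" matches nothing; keep the message text exactly as the functions write it.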

Each log event written by the solution's Lambda functions carries the X-Ray trace ID of the invocation that produced it. To view the trace for a particular invocation, copy the trace ID from the log event and search for it on the Traces page under X-Ray traces in the CloudWatch console.