Logging session data using Amazon CloudWatch Logs (console)
With Amazon CloudWatch Logs, you can monitor, store, and access log files from various AWS services. You can send session log data to a CloudWatch Logs log group for debugging and troubleshooting purposes. The default option is for log data to be sent with encryption using your KMS key, but you can send the data to your log group with or without encryption.
Follow these steps to configure AWS Systems Manager Session Manager to send session log data to a CloudWatch Logs log group at the end of your sessions.
Note
You can also use the AWS CLI to specify or change the CloudWatch Logs log group that session data is sent to. For information, see Update Session Manager preferences (command line).
To log session data using Amazon CloudWatch Logs (console)
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
. -
In the navigation pane, choose Session Manager.
-
Choose the Preferences tab, and then choose Edit.
-
Select the check box next to Enable under CloudWatch logging.
-
Choose the Upload session logs option.
-
(Recommended) Select the check box next to Allow only encrypted CloudWatch log groups. With this option turned on, log data is encrypted using the server-side encryption key specified for the log group. If you don't want to encrypt the log data that is sent to CloudWatch Logs, clear the check box. You must also clear the check box if encryption isn't allowed on the log group.
-
For CloudWatch logs, to specify the existing CloudWatch Logs log group in your AWS account to upload session logs to, select one of the following:
-
Choose a log group from the list: Select a log group that has already been created in your account to store session log data.
-
Enter a log group name in the text box: Enter the name of a log group that has already been created in your account to store session log data.
-
-
Choose Save.
For more information about working with CloudWatch Logs, see the Amazon CloudWatch Logs User Guide.