Skip to content

Update the Cloudwatch Logs proposal#46

Merged
ryanjjung merged 2 commits intomainfrom
cloudwatch-logs
Mar 16, 2026
Merged

Update the Cloudwatch Logs proposal#46
ryanjjung merged 2 commits intomainfrom
cloudwatch-logs

Conversation

@ryanjjung
Copy link
Copy Markdown
Contributor

@ryanjjung ryanjjung commented Mar 11, 2026

I did a slightly deeper dive into our use cases and made a couple slight adjustments to the CloudWatch Logs proposal. A few facts that led to these adjustments:

  • Fargate services that log to CloudWatch automatically use the container ID as part of the log stream name, and you must use the awslogs-stream-prefix option when defining the Fargate LogConfiguration. There is no way to configure this to use pre-created log streams.
  • Stalwart servers (prior to the move to Fargate containers) will use a local installation of fluent-bit to forward the logs to CloudWatch. That plugin allows for both kinds of configuration, one where you specify a log stream as well as one where you specify a prefix.
  • Log groups and log streams are both organizational units of sorts, and we can be a lot more terse in our naming than what I originally wrote up.

@ryanjjung ryanjjung requested review from aatchison and mzeier March 11, 2026 17:46
@ryanjjung ryanjjung self-assigned this Mar 11, 2026
aatchison
aatchison approved these changes Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aatchison aatchison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for digging in!

@ryanjjung
Copy link
Copy Markdown
Contributor Author

ryanjjung commented Mar 16, 2026

There was some talk about using the CloudWatch Agent instead of a fluent-bit installation. If this is do-able (extracting logs from Docker/systemd and shipping straight to CloudWatch Logs with that agent), then that's a step easier and we should do that. I'll do a little more research and update the proposal.

@ryanjjung
Copy link
Copy Markdown
Contributor Author

ryanjjung commented Mar 16, 2026

I'm not sure the CloudWatch Agent will do the trick for us.

The main blocker will be that it only supports shipping logs out of files (it's hard to link to the specifics in this document, but you can look under the "CloudWatch agent configuration file: Logs section" part to see that this is the only ingestion option). Stalwart runs in Docker containers controlled by a systemd service unit. Its logs go into the system journal, which is not a plaintext file. In order to get at these logs, we either have to do a docker logs (or equivalent) or a journalctl command of some kind. fluent-bit has a plugin that does that for us.

The CloudWatch Agent is not installed by default (this doc has installation instructions, and I tested on a bastion server to see that it is not pre-installed with Amazon Linux). So getting it on the system would be the same process we already have a half-baked solution of for fluent-bit: install a package, slap a config file in place, write a systemd unit file to run the right agent invocation, enable and start the service.

But even if we did that, we wouldn't be able to capture this log for the reasons mentioned above. I think we ought to leave it at fluent-bit.

@ryanjjung ryanjjung merged commit 530ced6 into main Mar 16, 2026
3 checks passed
@ryanjjung ryanjjung deleted the cloudwatch-logs branch March 16, 2026 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aatchison aatchison aatchison approved these changes

@mzeier mzeier Awaiting requested review from mzeier

Assignees

@ryanjjung ryanjjung

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ryanjjung @aatchison