Retrieving Logs From Amazon EC2 Instances


In some cases, logs from Amazon temporary instances may be required, e.g. if issues occur upon restore to Amazon EC2.


Instance logs are collected by a CloudWatch Logs agent running on the instance and can be accessed through a CloudWatch Log group of the same name as the instance. For example, if the instance ID is i-0123456789abcdef0 and the log file name is /var/log/messages, the Log Group would be i-0123456789abcdef0 and the Log Stream /var/log/messages.

The following logs are collected by default.


  • SecurityEventLog
  • SystemEventLog
  • AmazonSSMAgentLog
  • MicrosoftWindowsAppLockerMSIAndScriptEventLog
  • MicrosoftWindowsAppLockerEXEAndDLLEventLog
  • AmazonCloudWatchAgentLog
  • EC2ConfigServiceEventLog (Windows Server 2012 R2 Only)
  • ApplicationEventLog
  • AmazonCloudFormationLog
  • MicrosoftWindowsGroupPolicyOperationalEventLog
  • AmazonSSMErrorLog

Amazon Linux / Red Hat Linux / Centos Linux

  • /var/log/audit/audit.log
  • /var/log/cron
  • /var/log/amazon/ssm/amazon-ssm-agent.log
  • /var/log/secure
  • /var/log/aws/ams
  • /var/log/maillog
  • /var/log/yum.log
  • /var/log/messages
  • /var/log/cloud-init-output.log
  • /var/log/cloud-init.log (Amazon Linux 1 / Amazon Linux 2 only)

To learn more, refer to the Log Management section at the