Article ID: kb00226
Last Modified: 22-Aug-2024
Retrieving Logs From Amazon EC2 Instances
Situation
In some cases, logs from temporary Amazon EC2 instances may be required, for example when issues occur during a restore to Amazon EC2.
Solution
Instance logs are collected by a CloudWatch Logs agent running on the instance and can be accessed through a CloudWatch Logs log group that has the same name as the instance ID. Each collected log is a log stream within that group. For example, if the instance ID is i-0123456789abcdef0 and the log file name is /var/log/messages, the Log Group would be i-0123456789abcdef0 and the Log Stream /var/log/messages.
The following logs are collected by default.
Windows
- SecurityEventLog
- SystemEventLog
- AmazonSSMAgentLog
- MicrosoftWindowsAppLockerMSIAndScriptEventLog
- MicrosoftWindowsAppLockerEXEAndDLLEventLog
- AmazonCloudWatchAgentLog
- EC2ConfigServiceEventLog (Windows Server 2012 R2 Only)
- ApplicationEventLog
- AmazonCloudFormationLog
- MicrosoftWindowsGroupPolicyOperationalEventLog
- AmazonSSMErrorLog
Amazon Linux / Red Hat Linux / CentOS Linux
- /var/log/audit/audit.log
- /var/log/cron
- /var/log/amazon/ssm/amazon-ssm-agent.log
- /var/log/secure
- /var/log/aws/ams
- /var/log/maillog
- /var/log/yum.log
- /var/log/messages
- /var/log/cloud-init-output.log
- /var/log/cloud-init.log (Amazon Linux 1 / Amazon Linux 2 only)
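The lookup described above, as an added example that is not part of the original article: shell functions that list an instance's log streams and fetch one stream with the AWS CLI. The function names are hypothetical, and the example assumes the AWS CLI is installed with credentials and region configured and with permission for logs:DescribeLogStreams and logs:FilterLogEvents.

```bash
#!/usr/bin/env bash
# Added example: functions only, nothing runs when the file is sourced.
# Assumption: log group = instance ID, log stream = log name, as described above.

# Accept only well-formed instance IDs (8 or 17 hex digits after "i-").
valid_instance_id() {
    case "$1" in *[!i0-9a-f-]*) return 1 ;; esac   # rejects newlines and stray bytes
    printf '%s\n' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# List the log streams present in the instance's log group.
list_instance_streams() {
    valid_instance_id "$1" || { echo "invalid instance ID: $1" >&2; return 2; }
    aws logs describe-log-streams \
        --log-group-name "$1" \
        --query 'logStreams[].logStreamName' \
        --output text
}

# Print "timestamp<TAB>message" for one stream over the last N minutes (default 60).
fetch_instance_log() {
    local instance_id="$1"
    local stream="$2"
    local minutes="${3:-60}"
    local start_ms
    valid_instance_id "$instance_id" || { echo "invalid instance ID: $instance_id" >&2; return 2; }
    [ -n "$stream" ] || { echo "log stream name required" >&2; return 2; }
    case "$minutes" in
        ''|*[!0-9]*) echo "minutes must be a whole number" >&2; return 2 ;;
    esac
    # CloudWatch Logs timestamps are milliseconds since the Unix epoch.
    start_ms=$(( ( $(date +%s) - minutes * 60 ) * 1000 ))
    aws logs filter-log-events \
        --log-group-name "$instance_id" \
        --log-stream-names "$stream" \
        --start-time "$start_ms" \
        --query 'events[].[timestamp,message]' \
        --output text
}

# Usage (instance ID is the article's own example value):
#   list_instance_streams i-0123456789abcdef0
#   fetch_instance_log i-0123456789abcdef0 /var/log/secure 120 > secure.log
```

For Windows instances the stream argument is the log name from the list above, for example SecurityEventLog.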
To learn more, refer to the Log Management section at docs.aws.amazon.com.