
I'm having some problems trying to write my Lambda function logs to CloudWatch Logs. It seems it is not a problem of authorization, as you can see below:

```yaml
PolicyDocument:
  Version: 2012-10-17
  Statement:
    - Effect: Allow
      Action:
        - logs:CreateLogGroup
      Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
    - Effect: Allow
      Action:
        - logs:CreateLogStream
        - logs:PutLogEvent
      Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${FunctionName}:*
```

I've tried a broader policy as well, with `arn:aws:logs:*:*:*` as the resource, like some examples I found.

The template works fine on CloudFormation and the resources are created as appropriate; when I execute the Lambda function as a test everything works fine, but the logs are not written. It creates the log group and the log stream, but nothing is inside the log stream.

This is not a problem with the Lambda function either. I deployed the function manually before creating the template, and CloudWatch Logs works fine in that case. I copied the role and policy exactly as they are written in the manual approach to create the template.

Is it some kind of known bug in CloudFormation/SAM/Lambda? Or am I doing something wrong I didn't notice?

Please tell me if you need more information to understand the context. Thanks!

leonardo.teteo
  • Hrmm, that's an odd one. How are you writing the logs? Have you got a GitHub repo I could have a look at? I can share my GitHub user name if you do. – Mrk Fldig Nov 18 '18 at 19:50
  • Thank you for the answer @MrkFldig. I do have one, here is the [link](https://github.com/Leoat12/emailformatter-lambda). Feel free to ask any question since it is not well documented yet. It is in Java and I use a log4j appender to log. – leonardo.teteo Nov 19 '18 at 02:02
  • So, shot in the dark here because I had the same problem with Bunyan: what's the log level set at for log4j? You look like you're using INFO mainly; if the default for Log4j is a log level above that you won't see them. Check this out: https://docs.aws.amazon.com/lambda/latest/dg/java-logging.html#java-wt-logging-using-log4j2.8 - try the System.out method, OR, to prove what I'm saying, change an info statement to error. – Mrk Fldig Nov 19 '18 at 19:45
  • The log level, as you can see in the log4j2.xml of the project, is INFO. I used precisely the example you linked to create my log4j2 appender; it is exactly the same, I didn't change anything. And as I've said in the question, CloudWatch Logs works perfectly fine when I deploy it manually; this problem only happens when I deploy it through CloudFormation. – leonardo.teteo Nov 19 '18 at 23:14
  • Are you deploying the Lambda as part of the same CloudFormation template? If so, have you attached a role that allows it to write to CloudWatch? – K Mo Nov 20 '18 at 16:08
  • @KMo Yes, I attached a role that allows it to write to CloudWatch Logs; I've seen some other templates with Lambda functions that use the same structure I wrote. You can see the template [here](https://github.com/Leoat12/emailformatter-lambda/blob/master/template.yaml) – leonardo.teteo Nov 20 '18 at 18:40

1 Answer

In the end I was able to solve the problem by removing the CloudWatch Logs permissions from the policy I wrote and using the Managed Policy from AWS:

```yaml
ManagedPolicyArns:
  - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
```

With that the logs were written to the LogGroup normally.

leonardo.teteo
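As an added check that is not part of the question or the answer: a small offline evaluator that tests which of the three logging actions the Lambda runtime performs are granted by the question's inline policy as posted, by the statement of AWSLambdaBasicExecutionRole as documented by AWS, and by a scoped alternative that keeps the managed policy's actions but limits them to the function's own log group. The region, account id, function name and log-stream name are constructed placeholders, and the evaluation only handles Allow statements with wildcard matching (no Deny, NotAction or Condition), so it is a sanity check rather than a substitute for the IAM policy simulator.

```python
"""Offline check of which CloudWatch Logs actions an IAM policy grants.
Simplified IAM evaluation: an action on a resource is permitted when some
Allow statement's Action and Resource patterns both match, '*' as wildcard."""
import fnmatch

# Constructed stand-ins for ${AWS::Region}, ${AWS::AccountId} and ${FunctionName}.
REGION, ACCOUNT, FUNC = "us-east-1", "123456789012", "emailformatter"
GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/{FUNC}"

# The three actions the runtime performs to ship logs, each with the ARN it
# acts on (the log-stream name is a constructed sample in Lambda's format).
REQUIRED = {
    "logs:CreateLogGroup": f"{GROUP}:*",
    "logs:CreateLogStream": f"{GROUP}:*",
    "logs:PutLogEvents": f"{GROUP}:log-stream:2018/11/18/[$LATEST]0123abcd",
}

# The question's inline policy, with the action names exactly as posted.
INLINE = [
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup"],
     "Resource": [f"arn:aws:logs:{REGION}:{ACCOUNT}:*"]},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvent"],
     "Resource": [f"{GROUP}:*"]},
]

# Statement of the AWS managed policy AWSLambdaBasicExecutionRole (per AWS docs).
MANAGED = [{"Effect": "Allow", "Resource": ["*"],
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]

# Scoped alternative: the managed policy's actions, limited to this function's log group.
LEAST_PRIVILEGE = [{"Effect": "Allow", "Resource": [f"{GROUP}:*"],
                    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]


def allows(statements, action, resource):
    """True if some Allow statement matches both the action and the resource."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in st["Action"])
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"])
        if action_ok and resource_ok:
            return True
    return False


def missing_log_permissions(statements):
    """Return the required logging actions that the policy does not grant."""
    return [a for a, r in REQUIRED.items() if not allows(statements, a, r)]
```

Running `missing_log_permissions` over the three policies shows which one leaves a required action ungranted, and `allows` on another function's log stream shows that the scoped policy, unlike the managed one, does not reach it.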