CLI tool to retrieve CloudWatch logs

1 min read

Using the awslogs cli tool we can query groups, streams and events from Amazon CloudWatch logs. It also has a human-friendly format for time-filtering

It's available as using pip so to install it we just need to run:

pip install awslogs

Once it is installed we can list the available groups using awslogs groups:

$ awslogs groups
/aws/eks/production/cluster
/aws/eks/preproduction/cluster

Once we know the groups available, retrieve the logs is as easy as awslogs get:

$ awslogs get /aws/eks/production/cluster
/aws/eks/production/cluster kube-apiserver-audit-f12f72543069eb23a945d8a43c56b772 {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"cc169cf5-86d2-455c-a93a-ebce0fc8056c","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler?timeout=10s","verb":"update","user":{"username":"system:kube-scheduler","groups":["system:authenticated"]},"sourceIPs":["172.16.172.95"],"userAgent":"kube-scheduler/v1.20.4 (linux/amd64) kubernetes/6b74644/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-scheduler","uid":"179320bf-4306-41c1-911e-05e223b97180","apiGroup":"coordination.k8s.io","apiVersion":"v1","resourceVersion":"372985"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-07-08T16:40:23.933497Z","stageTimestamp":"2021-07-08T16:40:23.944269Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-scheduler\" of ClusterRole \"system:kube-scheduler\" to User \"system:kube-scheduler\""}}
/aws/eks/production/cluster kube-apiserver-audit-f12f72543069eb23a945d8a43c56b772 {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"b6f61426-cd7b-42b6-a8fe-41fc1db38324","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/kube-system/configmaps?fieldSelector=metadata.name%3Daws-auth\u0026watch=true","verb":"watch","user":{"username":"eks:authenticator","groups":["system:authenticated"]},"sourceIPs":["172.16.172.95"],"userAgent":"kubernetes-aws-authenticator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"configmaps","namespace":"kube-system","name":"aws-auth","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2021-07-08T16:08:12.981733Z","stageTimestamp":"2021-07-08T16:40:25.713541Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"eks:authenticator/kube-system\" of Role \"eks:authenticator\" to User \"eks:authenticator\""}}
(...)

For filtering we can use the options --start and --end for specifying which logs we want to retrieve, for example:

$ awslogs get /aws/eks/production/cluster --start='2h ago' --end='1h ago'

Posted on 09/07/2021

Categories