Monitor specific AWS Cloudwatch log_stream

I'm using a Fleet-managed Elastic Agent with the AWS Custom Log integration to monitor logs from Cloudwatch. My configuration in Fleet generates the following in the policy:

- id: aws-cloudwatch-aws_logs-334607ab-b4fe-4ec7-953b-c34b2bdbcbd4
  name: my_app.log
  revision: 14
  type: aws-cloudwatch
  use_output: default
  meta:
    package:
      name: aws_logs
      version: 0.2.3
  data_stream:
    namespace: default
  streams:
    - id: aws-cloudwatch-aws_logs.generic-334607ab-b4fe-4ec7-953b-c34b2bdbcbd4
      data_stream:
        dataset: my_app.log
      start_position: end
      log_group_name: /my_app/logs
      api_sleep: 200ms
      endpoint: amazonaws.com
      log_streams: 'app/my_app/log,batch/my_app/log'
      region_name: us-east-1
      processors:
        - add_fields:
            when.not.has_fields:
              - service.environment
            fields:
              environment: '${env.ENV}'
            target: service
        - add_locale:
            format: offset
      scan_frequency: 1m
      tags:
        - preserve_original_event
        - forwarded
        - my_app
      publisher_pipeline.disable_host: true

However, I get the following error from elastic_agent.filebeat:

getLogEventsFromCloudWatch failed: error FilterLogEvents with Paginator: operation error CloudWatch Logs: FilterLogEvents, https response error StatusCode: 400, RequestID: 5d24e028-cbe3-4e0d-a261-62c40c087cc0, ResourceNotFoundException: The specified log stream does not exist.

I get the same error if I only include one log_stream in my fleet config. If I remove the log streams, then logs ingest as expected, and I can see in the aws.cloudwatch.log_stream field that these streams do exist.

The issue with doing this is that a number of the streams being sent to /my_app/logs require different pipelines and a few should go to different datasets, which is why this is ideal.

I've tested this with the AWS Cloudwatch logs integration with the same result. The only thing that I can see is that the documentation defines log_streams as:

log_streams

A list of strings of log stream names that Filebeat collects log events from

It doesn't mention a comma-separated string, but I know that many settings seem to allow for either/or.

Is this something I'm doing incorrectly, or is this a bug that needs to be reported?

Thx.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.