AWS API Gateway can send its logs to CloudWatch. This document describes the steps to enable that logging.
Create a role with the policy AmazonAPIGatewayPushToCloudWatchLogs, or attach this policy to an existing role.
Create a CloudWatch Log group /aws/apigw/$your-api-gw-name, where $your-api-gw-name is replaced by your AWS API Gateway name. Select a retention setting of at least 5 days, or set it to Never if you want to retain the logs in CloudWatch. Click Create.
Go to AWS API Gateway → Settings → CloudWatch log role ARN and add the above role ARN
Go to AWS API Gateway → Select API GW → Stages → Select Stage → Click on Logs/Tracing. Ensure that you turn off the default verbose API Gateway logging. Click on "Save Changes".
Go to AWS API Gateway → Select API GW → Stages → Select Stage → Click on Logs/Tracing and update the following fields. Click on "Save Changes".
Add the following logging format:
$context.extendedRequestId $context.identity.sourceIp $context.identity.caller $context.identity.user [$context.requestTime] $context.domainName "$context.httpMethod $context.resourcePath $context.protocol" $context.status $context.responseLength $context.requestId $context.responseLatency $context.integrationStatus $context.integrationLatency $context.apiId $context.stage
Enable logging by going to AWS API Gateway → Stages → Select stage → Logs and tracing, then turn on "Enable CloudWatch Logs" and "Log full requests/responses data" with "Log level" = INFO.
Send requests to the API GW and view them in CloudWatch logs. Go to CloudWatch → Log Groups, search for /aws/apigw/$your-api-gw-name, and click on the corresponding log group. You should see logs like the following:
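To confirm that the lines arriving in the log group match the format configured above, each line can be parsed field by field. The Python below is an added example, not part of the original document; the function names parse_line and review are hypothetical, and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

NUM = r"\d+|-"  # numeric field; "-" is treated as "no value logged"
# Mirrors the access log format configured above, field by field, in order.
LINE_RE = re.compile(
    r'^(?P<extended_request_id>\S+) (?P<source_ip>\S+) (?P<caller>\S+) '
    r'(?P<user>\S+) \[(?P<request_time>[^\]]+)\] (?P<domain_name>\S+) '
    r'"(?P<http_method>\S+) (?P<resource_path>\S+) (?P<protocol>[^"]+)" '
    rf'(?P<status>{NUM}) (?P<response_length>{NUM}) (?P<request_id>\S+) '
    rf'(?P<response_latency>{NUM}) (?P<integration_status>{NUM}) '
    rf'(?P<integration_latency>{NUM}) (?P<api_id>\S+) (?P<stage>\S+)$'
)
NUMERIC = ("status", "response_length", "response_latency",
           "integration_status", "integration_latency")

def parse_line(line):
    """Return one access log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    try:  # $context.requestTime is logged as dd/MMM/yyyy:HH:mm:ss +-hhmm
        rec["request_time"] = datetime.strptime(
            rec["request_time"], "%d/%b/%Y:%H:%M:%S %z")
    except (TypeError, ValueError):
        return None
    for key in NUMERIC:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec

def review(lines):
    """Return (records, rejected lines, records with no integration status).
    The last group is requests the gateway answered without a backend status."""
    parsed = [(ln, parse_line(ln)) for ln in lines]
    records = [rec for _, rec in parsed if rec]
    rejected = [ln for ln, rec in parsed if rec is None]
    gateway_only = [r for r in records if r["integration_status"] is None]
    return records, rejected, gateway_only

# Constructed sample lines (documentation IP ranges, made-up IDs).
SAMPLE = [
    'Zx1aEXAMPLE= 203.0.113.10 - - [10/Mar/2024:13:55:36 +0000] api.example.com "GET /orders/{id} HTTP/1.1" 200 512 11111111-aaaa-4bbb-8ccc-000000000001 42 200 38 a1b2c3d4e5 prod',
    'Zx1bEXAMPLE= 198.51.100.7 - - [10/Mar/2024:13:55:40 +0000] api.example.com "POST /login HTTP/1.1" 403 23 11111111-aaaa-4bbb-8ccc-000000000002 3 - - a1b2c3d4e5 prod',
    'START RequestId: not an access log line',
]
if __name__ == "__main__":
    print([(r["source_ip"], r["status"]) for r in review(SAMPLE)[2]])
```

Lines that land in the rejected list usually mean the stage's log format differs from the one above, or that another log type is being written to the same log group.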