Introduction

AWS API Gateway has facility to enable logging to send logs to Cloudwatch. This document describes the steps to do so.

Steps

1. Create a role with the policy AmazonAPIGatewayPushToCloudwatchLogs or attach this policy to an existing role.

   

2. Create a Cloudwatch Log group /aws/apigw/$your-api-gw-name where $your_api_gw_name is replaced by your AWS API Gateway name. Select retention setting to be at least 5 days or set it to Never if you want to retain the logs in Cloudwatch. Click Create.

   

3. Go to AWS API Gateway → Settings → CloudWatch log role ARN and add the above role ARN

   

4. Got to AWS API Gateway → Select API GW → Stages → Select Stage → Click on Logs/Tracing. Ensure that you turn off the default verbose API Gateway logging. Click on "Save Changes"

   

5. Got to AWS API Gateway → Select API GW → Stages → Select Stage → Click on Logs/Tracing and update the following fields. Click on "Save Changes"

   

   1. Enable Access Logging - turn on.
   2. Access Log destination ARN - ARN of cloudwatch log group from Step-2.
   3. Log Format

   • Add the following logging format:

     $context.extendedRequestId $context.identity.sourceIp $context.identity.caller $context.identity.user [$context.requestTime] $context.domainName "$context.httpMethod $context.resourcePath $context.protocol" $context.status $context.responseLength $context.requestId $context.responseLatency $context.IntegrationStatus $context.IntegrationLatency $context.apiId $context.stage
     

6. Enable logging by going to - AWS API Gateway → Stages → Select stage → Logs and tracing → "Enable CloudWatch Logs" and "Log full requests/responses data" with "Log level" = INFO

   

7. Send requests to API GW and view them on Cloudwatch logs. Go to Cloudwatch → Log Groups → Search for /aws/apigw/$your-api-gw-name - click on corresponding log group. You should see logs like the following: