Alarming on logs - Amazon CloudWatch
Create an alarm based on a log group-metric filter
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Alarming on logs

The steps in the following sections explain how to create CloudWatch alarms on logs.

Create a CloudWatch alarm based on a log group-metric filter

The procedure in this section describes how to create an alarm based on a log group-metric filter. With metric filters, you can look for terms and patterns in log data as the data is sent to CloudWatch. For more information, see Create metrics from log events using filters in the Amazon CloudWatch Logs User Guide. Before you create an alarm based on a log group-metric filter, you must complete the following actions:

To create an alarm based on a log group-metric filter

  1. Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.

  2. From the navigation pane, choose Logs, and then choose Log groups.

  3. Choose the log group that includes your metric filter.

  4. Choose Metric filters.

  5. In the metric filters tab, select the box for the metric filter that you want to base your alarm on.

  6. Choose Create alarm.

  7. (Optional) Under Metric, edit Metric name, Statistic, and Period.

  8. Under Conditions, specify the following:

    1. For Threshold type, choose Static or Anomaly detection.

    2. For Whenever your-metric-name is . . ., choose Greater, Greater/Equal, Lower/Equal , or Lower.

    3. For than . . ., specify a number for your threshold value.

  9. Choose Additional configuration.

    1. For Data points to alarm, specify how many data points trigger your alarm to go into the ALARM state. If you specify matching values, your alarm goes into the ALARM state if that many consecutive periods are breaching. To create an M-out-of-N alarm, specify a number for the first value that's lower than the number you specify for the second value. For more information, see Using Amazon CloudWatch alarms.

    2. For Missing data treatment, select an option to specify how to treat missing data when your alarm is evaluated.

  10. Choose Next.

  11. For Notification, specify an Amazon SNS topic to notify when your alarm is in the ALARM, OK, or INSUFFICIENT_DATA state.

    1. (Optional) To send multiple notifications for the same alarm state or for different alarm states, choose Add notification.

    2. (Optional) To not send notifications, choose Remove.

  12. To have the alarm perform Auto Scaling, EC2, Lambda, or Systems Manager actions, choose the appropriate button and choose the alarm state and action to perform. If you choose a Lambda function as an alarm action, you specify the function name or ARN, and you can optionally choose a specific version of the function.

    Alarms can perform Systems Manager actions only when they go into ALARM state. For more information about Systems Manager actions, see see Configuring CloudWatch to create OpsItems from alarms and Incident creation.

    Note

    To create an alarm that performs an SSM Incident Manager action, you must have certain permissions. For more information, see Identity-based policy examples for Amazon Systems Manager Incident Manager.

  13. Choose Next.

  14. For Name and description, enter a name and description for your alarm. The name must contain only UTF-8 characters, and can't contain ASCII control characters. The description can include markdown formatting, which is displayed only in the alarm Details tab in the CloudWatch console. The markdown can be useful to add links to runbooks or other internal resources.

  15. For Preview and create, check that your configuration is correct, and choose Create alarm.