
Tutorial: View your log files

Within an average of about 5 minutes of creating your first trail, CloudTrail delivers the first set of log files to the Amazon S3 bucket for your trail. You can look at these files and learn about the information they contain.

Note

CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed.

If you misconfigure your trail (for example, the S3 bucket is unreachable), CloudTrail will attempt to redeliver the log files to your S3 bucket for 30 days, and these attempted-to-deliver events will be subject to standard CloudTrail charges. To avoid charges on a misconfigured trail, you need to delete the trail.

To view your log files
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. In the navigation pane, choose Trails. On the Trails page, find the name of the trail you just created (in the example, My-Management-Events-Trail).

  3. In the row for the trail, choose the value for the S3 bucket (in the example, aws-cloudtrail-logs-08132020-mytrail).

  4. The Amazon S3 console opens and shows that bucket at the top level for log files. Because you created a trail that logs events in all Amazon Regions, the display opens at the level that shows you each Region folder. The hierarchy of the Amazon S3 bucket navigation at this level is bucket-name/AWSLogs/account-id/CloudTrail. Choose the folder for the Amazon Region where you want to review log files. For example, if you want to review the log files for the US East (Ohio) Region, choose us-east-2.

  5. Navigate the bucket folder structure to the year, the month, and the day where you want to review logs of activity in that Region. In that day, there are a number of files. The names of the files begin with your Amazon account ID and end with the extension .gz. For example, if your account ID is 123456789012, you would see files with names similar to this: 123456789012_CloudTrail_us-east-2_20190610T1255abcdeEXAMPLE.json.gz.

    To view these files, you can download them, unzip them, and then view them in a plain-text editor or a JSON file viewer. Some browsers also support viewing .gz and JSON files directly. We recommend using a JSON viewer, as it makes it easier to parse the information in CloudTrail log files.

    As you're browsing through the file content, you might start to wonder about what you're seeing. CloudTrail logs events for every Amazon service that experienced activity in that Amazon Region at the time that event occurred. In other words, events for different Amazon services are mixed together, based solely on time. To learn more about what a specific Amazon service logs with CloudTrail, including examples of log file entries for API calls for that service, see the list of supported services for CloudTrail, and read the CloudTrail integration topic for that service. You can also learn more about the content and structure of CloudTrail log files by reviewing the CloudTrail log event reference.

    You might also notice what you're not seeing in log files in US East (Ohio). Specifically, you won't see any console sign-in events, even though you know you logged into the console. That's because console sign-in and IAM events are global service events, which are usually logged in a specific Amazon Region. In this case, they are logged in US East (N. Virginia), and found in the folder us-east-1. Open that folder, and open the year, month, and day you're interested in. Browse the log files, and you find ConsoleLogin events that look similar to the following:

    {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AKIAIOSFODNN7EXAMPLE",
            "arn": "arn:aws:iam::123456789012:user/Mary_Major",
            "accountId": "123456789012",
            "userName": "Mary_Major"
        },
        "eventTime": "2019-06-10T17:14:09Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.67",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "requestParameters": null,
        "responseElements": {
            "ConsoleLogin": "Success"
        },
        "additionalEventData": {
            "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
            "MobileVersion": "No",
            "MFAUsed": "No"
        },
        "eventID": "2681fc29-EXAMPLE",
        "eventType": "AwsConsoleSignIn",
        "recipientAccountId": "123456789012"
    }

    This log file entry tells you more than just the identity of the IAM user who logged in (Mary_Major), the date and time she logged in, and that the login was successful. You can also learn the IP address she logged in from, the operating system and browser software of the computer she used, and that she was not using multi-factor authentication.
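
As an added example (not part of the original tutorial), the following Python code reads one downloaded .json.gz log file and lists the successful ConsoleLogin events where MFAUsed is not "Yes", the condition the entry above illustrates. The sample records are constructed, the function names are illustrative, and the code assumes the usual CloudTrail file layout of a top-level "Records" array.

```python
import gzip
import json

# Constructed sample data: the first record is cut down from the ConsoleLogin
# entry above; the rest are invented. "Records" is the assumed file wrapper.
SAMPLE = {"Records": [
    {"eventTime": "2019-06-10T17:14:09Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.67",
     "userIdentity": {"type": "IAMUser", "userName": "Mary_Major"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-06-10T17:20:41Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.12",
     "userIdentity": {"type": "IAMUser", "userName": "Example_Admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2019-06-10T17:31:02Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "Example_User"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-06-10T17:40:00Z", "eventName": "CreateUser",
     "responseElements": None},
]}
SAMPLE_LOG_GZ = gzip.compress(json.dumps(SAMPLE).encode("utf-8"))


def console_logins(gz_bytes):
    """Summarize every ConsoleLogin record in one gzipped CloudTrail log file."""
    records = json.loads(gzip.decompress(gz_bytes)).get("Records", [])
    logins = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        identity = rec.get("userIdentity") or {}  # fields can be JSON null
        logins.append({
            "time": rec.get("eventTime"),
            "user": identity.get("userName") or identity.get("type"),
            "ip": rec.get("sourceIPAddress"),
            "result": (rec.get("responseElements") or {}).get("ConsoleLogin"),
            "mfa": (rec.get("additionalEventData") or {}).get("MFAUsed"),
        })
    return logins


def successful_without_mfa(gz_bytes):
    """Successful console sign-ins where MFAUsed is anything but "Yes"."""
    return [e for e in console_logins(gz_bytes)
            if e["result"] == "Success" and e["mfa"] != "Yes"]
```

To check a real log file, pass its raw bytes, for example `successful_without_mfa(open(path, "rb").read())`.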