View your log files - Amazon CloudTrail

View your log files

Within an average of about 5 minutes of creating your first trail, CloudTrail delivers the first set of log files to the Amazon S3 bucket for your trail. You can look at these files and learn about the information they contain.

Note

CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed.

If you misconfigure your trail (for example, the S3 bucket is unreachable), CloudTrail will attempt to redeliver the log files to your S3 bucket for 30 days, and these attempted-to-deliver events will be subject to standard CloudTrail charges. To avoid charges on a misconfigured trail, you need to delete the trail.

To view your log files
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. In the navigation pane, choose Trails. On the Trails page, find the name of the trail you just created (in the example, management-events).

  3. In the row for the trail, choose the value for the S3 bucket.

  4. The Amazon S3 console opens and shows two folders for the bucket: CloudTrail-Digest and CloudTrail. Choose the CloudTrail folder to view the log files.

  5. If you created a multi-Region trail, there is a folder for each Amazon Web Services Region. Choose the folder for the Amazon Web Services Region where you want to review log files. For example, if you want to review the log files for the US East (Ohio) Region, choose us-east-2.

  6. Navigate the bucket folder structure to the year, the month, and the day where you want to review logs of activity in that Region. In that day, there are a number of files. The names of the files begin with your Amazon Web Services account ID, and end with the extension .gz. For example, if your account ID is 123456789012, you would see files with names similar to this: 123456789012_CloudTrail_us-east-2_20240512T0000Z_EXAMPLE.json.gz.

    To view these files, you can download them, unzip them, and then view them in a plain-text editor or a JSON file viewer. Some browsers also support viewing .gz and JSON files directly. We recommend using a JSON viewer, as it makes it easier to parse the information in CloudTrail log files.
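
The last step can also be done in a script instead of an editor. The Python below is an added example, not part of the AWS documentation: it checks a file name against the pattern shown in step 6, decompresses the file, and counts events per service and API call, listing calls that returned an error. It assumes the log file holds a top-level `Records` array; the sample file built by `make_sample` and all its field values are constructed.

```python
import gzip
import io
import json
import re
from collections import Counter

# File-name pattern taken from the example name in step 6.
NAME_RE = re.compile(
    r"^(?P<account>\d{12})_CloudTrail_(?P<region>[a-z0-9-]+)_"
    r"(?P<stamp>\d{8}T\d{4}Z)_(?P<suffix>[A-Za-z0-9]+)\.json\.gz$")

def parse_log_name(name):
    """Split a log file name into account ID, Region, timestamp and suffix."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a CloudTrail log file name: {name!r}")
    return m.groupdict()

def read_records(source):
    """Decompress one log file (path or binary file object); return its events."""
    with gzip.open(source, "rt", encoding="utf-8") as fh:
        doc = json.load(fh)
    records = doc.get("Records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        raise ValueError("no top-level Records array")
    return records

def summarize(records):
    """Count events per (eventSource, eventName); collect calls that failed."""
    counts = Counter((r.get("eventSource"), r.get("eventName")) for r in records)
    failed = [r for r in records if "errorCode" in r]
    return counts, failed

def make_sample():
    """Build a constructed, gzip-compressed log file in memory (not real data)."""
    events = [
        {"eventTime": "2024-05-12T00:01:10Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.10"},
        {"eventTime": "2024-05-12T00:02:41Z", "eventSource": "iam.amazonaws.com",
         "eventName": "CreateUser", "sourceIPAddress": "192.0.2.10",
         "errorCode": "AccessDenied"},
        {"eventTime": "2024-05-12T00:03:05Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7"},
    ]
    return io.BytesIO(gzip.compress(json.dumps({"Records": events}).encode()))

if __name__ == "__main__":
    print(parse_log_name("123456789012_CloudTrail_us-east-2_20240512T0000Z_EXAMPLE.json.gz"))
    counts, failed = summarize(read_records(make_sample()))
    for (source, name), n in counts.most_common():
        print(f"{n:3d}  {source}  {name}")
    for r in failed:
        print("FAILED", r["eventTime"], r["eventName"], r["errorCode"])
```

To run it on a downloaded file, pass the file's path to `read_records` in place of `make_sample()`.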