New Blog --> Crushing False Positives: Supercharging SOC Efficiency with Smarter Threat Intel
New Blog --> Crushing False Positives: Supercharging SOC Efficiency with Smarter Threat Intel
Start Free Trial

ChaosSearch Blog

12 MIN READ

Going Beyond CloudWatch: 5 Steps to Better Log Analytics & Analysis

Going Beyond CloudWatch: 5 Steps to Better Log Analytics & Analysis
11:41

Amazon CloudWatch is a great tool for DevOps engineers, developers, SREs, and other IT personnel who require basic Amazon Web Services (AWS) log processing and analytics for cloud services and applications deployed on AWS.

However, most developer teams will ultimately need more logging functionality than a basic AWS log analyzer like Amazon Cloudwatch can provide. For example:

  • Teams operating multi-cloud environments will need to analyze logs from sources outside AWS, which CloudWatch doesn’t support.
  • Teams that operate complex cloud environments will need sophisticated alerting capabilities that CloudWatch doesn’t provide.
  • Teams that ingest large volumes of log data may find CloudWatch more expensive at scale compared to alternative AWS log processing tools.

That’s why, although CloudWatch may be one tool in your log analytics strategy, it probably should not be the only one. Keep reading for guidance on how to extend your log management operations beyond CloudWatch to ensure more log analytic depth, breadth and actionability than you can get from CloudWatch alone.

 

AWS Log Processing with CloudWatch

 

What is Amazon CloudWatch?

CloudWatch is Amazon’s proprietary observability and log analytics tool for monitoring applications and services in the AWS cloud. With Amazon CloudWatch, developer teams can:

  • Gain insights in real time into the health and performance of cloud-based applications and services.
  • Perform root cause analysis to rapidly diagnose security and performance issues.
  • Proactively optimize cloud resource utilization to reduce costs.

CloudWatch can collect logs and metrics from all AWS services and workloads hosted on AWS, including Amazon EC2 instances, AWS Glue ETL jobs, Lambda function executions, and even custom applications.

 

AWS Log Analyzer

Image Source

The CloudWatch Overview home page displays a list of the AWS services you use, the state of alarms in those services, information about recent alarms, and a customizable dashboard with logs and key metrics you want to analyze.

 

In CloudWatch, a log event is a record of activity within an application or cloud service. Log events are written into log files, which are collected from various sources and ingested by Amazon CloudWatch to enable AWS log analysis. A log stream is a sequence of log events that share the same source, and a log group is a collection of log streams that share the same data retention, monitoring, and access control settings in CloudWatch.

Some services like AWS Lambda send logs to CloudWatch automatically, while others require developers to install CloudWatch agents that collect telemetry data before passing it to CloudWatch.

CloudWatch Logs Insights provides basic search and AWS log analyzer capabilities, such as allowing developers to interactively query log data with a custom query language or create visualizations to better understand or present log and metrics data. There’s also CloudWatch Metrics Insights, a high-performance SQL query engine that developers can use to query metrics at scale. Plus, CloudWatch lets you configure alarms that can alert you to anomalies or sudden changes in workload performance patterns.

 

Leveraging AWS S3 for Analytics: Check out the blog!

 

The Pros and Cons of CloudWatch for Log Analytics

CloudWatch has some clear benefits when it comes to AWS log processing but there are also some limitations and certain areas where it falls short of competing solutions. Let’s take a closer look at the pros and cons of Amazon CloudWatch.

As an AWS log analyzer, CloudWatch has some obvious advantages:

  • It’s built into the AWS cloud, so you can start using it instantaneously.
  • It’s well integrated with most AWS services, which means minimal effort is required to begin AWS log processing and analytics with CloudWatch.
  • It has a consumption-based pricing model. You don’t have to pay anything upfront to use CloudWatch, and you pay for what you use, based on the amount of data you ingest and the number of metrics, alarms, and features you utilize.

On the other hand, there are clear limitations to CloudWatch:

  • Cost
  • Limitations on data retention
  • It only supports AWS: you can’t use CloudWatch log analytics to help monitor workloads hosted in other clouds or on-premises, leading to limits on the ability to centralize all log data and embrace Data Lake philosophy with other data sources
  • CloudWatch logs insights analytics features are basic. CloudWatch may be able to alert you to significant anomalies within your logs, for example, but it lacks the data integration depth and correlation features necessary to recognize very complex patterns or perform root-cause analysis across larger and multiple data sources.

While CloudWatch certainly takes a role in most AWS logging and monitoring workflows, it doesn’t usually make sense to rely on CloudWatch alone.

 

Wondering Why Log Data Retention Windows Fail? Check out the blog!

 

5 Steps to Extending AWS Log Processing Beyond CloudWatch

To cover gaps in log analytics and compensate for the limitations of CloudWatch, developer teams should extend their AWS log processing and analytics strategies with the following AWS logging tips:

 

1. Centralize Log Analytics Across All of Your Clouds

If you use multiple public clouds at once – as most businesses do today – you need a log analytics strategy that lets you collect and analyze log data from across all of those clouds including hybrid cloud for those who are extending on-premises applications and infrastructure into the public clouds.

Your approach must enable you not simply to collect and analyze logs from each cloud individually but also have the critical ability to correlate and compare log data.

If you want to know, for example, how an application hosted in Azure performs compared to one hosted in AWS, you need multi-cloud-friendly log analytics. You don’t get that from CloudWatch.

 

2. Collect and Analyze All Log Data

Even if all of your workloads run in AWS, you may not be able to collect and analyze as much data from them as you would like when using CloudWatch. CloudWatch only supports specific predefined log and metrics types.

So, extend your log analytics strategy beyond CloudWatch by deploying tools that give you complete control over which log and metrics data you expose and how you interact with it. Don’t restrict yourself to choosing from a predefined list of data types.

You can still make use of the CloudWatch while also leveraging ChaosSearch as an AWS log analyzer by exporting CloudWatch logs, moving them to S3 and indexing these logs and other log data stored in S3.

Additionally, you may choose to bypass the AWS CloudWatch log process altogether and push logs directly into a more comprehensive and powerful analytics platform. ChaosSearch allows you to do this as it can index any data stored in S3 that is in the log, JSON, or CSV format.

There is a vast ecosystem of log shippers and tools to transport data to cloud object storage (Amazon S3) from Logstash and beats, Fluentd, Fluentbit to Vector, Segment.io, Cribl.io or programmatically from Boto3. Alternatively, you can set up streaming log analytics in AWS by using Amazon Kinesis to stream data from CloudWatch into S3 and then analyzing it with your preferred log analytics tool.

Watch this quick demo to learn how to analyze JSON logs with ChaosSearch:

 

 

3. Store Data Efficiently and Cost-Effectively

Amazon S3. Object storage built to store and retrieve any amount of data from anywhere.As we noted, storing log and metrics data in AWS CloudWatch may not always be the most practical or cost-effective approach – especially if you need to retain data for an extended period due to compliance obligations or the untold value the long tail of data may bring for security use cases, forensics, or customer and product analytics.

For that reason, choose a log analytics strategy that gives you the flexibility to store your data wherever, and for as long as you would like.

A cost-effective alternative to storing data in CloudWatch is Amazon S3. Amazon S3 and Amazon CloudWatch have similar data storage costs, but CloudWatch also incurs data ingress costs that ultimately make it more expensive for data storage. CloudWatch also treats log storage as a Managed Service, so developer teams can’t access logs in CloudWatch as easily as they can access logs stored in S3.

Even if you use CloudWatch to perform the initial data collection, you can unlock additional value by storing all data centrally in Amazon S3 to enable analytics with a more powerful platform like ChaosSearch.

 

4. Fine-tune your Alarms

While CloudWatch supports basic alerting functionality in the form of alarms, CloudWatch alerts are just that – basic. They enable a limited amount of granularity, which means it’s difficult to define different alerts for different parts of your workloads. It’s also hard to configure highly dynamic alarms that factor in complex contextual data before determining whether to fire off an alert or not.

So, instead of relying on CloudWatch as your primary alerting and monitoring tool, look for an external solution that provides more control over alerts with easy integration with any system that supports RESTful webhooks and platforms like PagerDuty, OpsGenie, Slack, Microsoft Teams, and ServiceNow.

 

5. Make Your Log Data Actionable

CloudWatch can help you visualize your log data, but it’s not very useful if you need to search through the data or run complex queries on it.

To do these things, you’ll need to extend your log analytics strategy with other tools that support sophisticated log queries and that you can use to parse multiple logs at once. CloudWatch’s query engine just isn’t powerful enough to deliver deep, granular insights in many cases.

 

5 Best Practices for Streaming Analytics in AWS S3. Check out the blog!

 

Extend Your AWS Log Analytics Strategy with ChaosSearch

CloudWatch is a valuable tool for gaining a quick overview of the status of AWS workloads, but it’s rarely sufficient on its own as the foundation for a complete log analytics and cloud monitoring strategy.

To overcome the most common CloudWatch pain points, you’ll need to extend your AWS log analytics strategy with a solution like ChaosSearch that supports diverse query types and log data from sources outside AWS.

ChaosSearch is a cloud-native data lake platform that enables log analytics at scale across multiple cloud environments. With ChaosSearch, developer teams can cost-effectively collect and aggregate log data from sources across multiple cloud environments directly in Amazon S3. As the log data arrives in Amazon S3 buckets, ChaosSearch automatically indexes those logs to enable SQL, full-text search, and Gen AI queries with no costly data movement or re-indexing.

 

Better CloudWatch Log Analysis with ChaosSearch

ChaosSearch users can stream log data into Amazon S3, then index, transform, and query the data using ChaosSearch to support cloud observability, security operations, and application monitoring use cases.

 

With ChaosSearch, developers can reduce their logging costs while enabling powerful use cases like cloud infrastructure observability, security operations and threat hunting, application performance monitoring, and user behavior analytics.

 

Ready to learn more?

Read our exclusive white paper Beyond Observability: The Hidden Value of Log Analytics to discover how you can optimize AWS log analytics and gain insights from your log data with ChaosSearch.

 

Additional Resources

Watch Video: Unleash the Power of Your Log and Event Data, Including AI’s Growing Impact

Read Customer Story: Fintech Saves 70% in Logging Costs by Pairing ChaosSearch with Splunk

Download Fact Sheet: 5 Log Analytics Obstacles Equifax Overcame with ChaosSearch

About the Author, Dave Armlin

Dave Armlin is the VP Customer Success of ChaosSearch. In this role, he works closely with new customers to ensure successful deployments, as well as with established customers to help streamline integrating new workloads into the ChaosSearch platform. Dave has extensive experience in big data and customer success from prior roles at Hubspot, Deep Information Sciences, Verizon, and more. Dave loves technology and balances his addiction to coffee with quality time with his wife, daughter, and son as they attack whatever sport is in season. He holds a Bachelor of Science in Computer Science from Northeastern University. More posts by Dave Armlin