11

As one of the steps for the previous problem I've faced, I need to see the logs for some Lambda@Edge but I cannot find them anywhere.

According to the documentation on Lambda@Edge:

> When you review CloudWatch log files or metrics when you're troubleshooting errors, be aware that they are displayed or stored in the Region closest to the location where the function executed. So, if you have a website or web application with users in the United Kingdom, and you have a Lambda function associated with your distribution, for example, you must change the Region to view the CloudWatch metrics or log files for the London AWS Region.

The lambda function I'm trying to find the logs for is located in us-east-1 (mandated by CloudFront since it is used as a distribution's event handler) while I'm in Canada so I assume the closest region would be ca-central-1. But since I'm not developing in ca-central-1, I don't have any log groups in that region. In any case, I don't see the logs for my Lambda@Edge. For the sake of completeness, I checked all the regions and I couldn't find any trace of logs for the lambda function. To be clear, I'm looking for a log group with the lambda function's name.

I'm positive that there should be logs since I have `console.log()` in my code and also I can download the content requested (the lambda function is in charge of selecting the S3 bucket holding the contents), which means the lambda function was successfully executed. If it wasn't, I should not have been able to get the S3 content.

Where can I find the logs for my Lambda@Edge function?

Mehran

3 Answers

26

For anyone else who might be facing the same issue, use the script mentioned in the same documentation page to find your log groups:

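```bash
#!/usr/bin/env bash
# Function name only: no version/alias qualifier and no region prefix.
FUNCTION_NAME=function_name_without_qualifiers

# Walk every region and print any log group matching the Lambda@Edge name.
for region in $(aws --output text ec2 describe-regions | cut -f 4)
do
    for loggroup in $(aws --output text logs describe-log-groups --log-group-name-prefix "/aws/lambda/us-east-1.$FUNCTION_NAME" --region "$region" --query 'logGroups[].logGroupName')
    do
        echo "$region" "$loggroup"
    done
done
```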

Create a file, paste the above script in it, replace the function_name_without_qualifiers with your function's name, make it executable and run it. It will find you the regions and log groups for your Lambda@Edge. The lesson learnt here is that the log group is not named like ordinary log groups. Instead it follows this structure:

```
/aws/lambda/${region}.${function_name}
```
esamatti
Mehran
  • 2
    CloudFront had two layers of edges -- the outer "global" edges and the inner "regional" edges. Cache misses go from global to regional to origin, and Lambda@Edge functions typically run -- and log -- in the region of the [regional edge](https://aws.amazon.com/cloudfront/features/#edge-locations) nearest the viewer. Testing suggests you should find these typically go to either us-east-1 or us-east-2 due to their proximity to Canada, even though the function is actually declared in us-east-1. It gets replicated to all the others. – Michael - sqlbot Jan 09 '19 at 01:02
  • 6
    Note the format of the output data from describe-regions has changed and you now need to `cut -f 4` – geoff.weatherall May 20 '20 at 04:30
  • 1
    Tiny script based on this answer: https://github.com/walkermatt/dotbin/blob/50df03e61a81861c863dbbc0b3bf73fdb0ce1a6e/find-lambda-edge-logs – walkermatt Mar 08 '21 at 14:50
  • Hi @walkermatt, I am getting below error while running the script. ' doesn't match a supported format. An error occurred (InvalidParameterException) when calling the DescribeLogGroups operation: 1 validation error detected: Value 'C:/Users/x0120370/AppData/Local/Programs/Git/aws/lambda/sigv4-request-to-s3' at 'logGroupNamePrefix' failed to satisfy constraint: Member must satisfy regular expression pattern: [\.\-_/#A-Za-z0-9]+ – Kiran Patil Jan 28 '22 at 11:42
  • @KiranPatil it looks as though you are using WSL given the file path, I've only tested on Linux/ Bash. I'd expect the script to be called like so: `./find-lambda-edge-logs sigv4-request-to-s3` – walkermatt Jan 31 '22 at 10:16
  • I found logs in my region from where I logged in to AWS account. – Kiran Patil Feb 01 '22 at 08:49
3

It seems that the format of log describe-log-groups has also changed. When I tried the script, it returned nothing. But with `"/aws/lambda/$FUNCTION_NAME"` instead of `"/aws/lambda/us-east-1.$FUNCTION_NAME"` the script returns the list of groups with the following structure:

```
${region} /aws/lambda/${function_name}
```
studo
0

Last but not least, it would be good to check the Lambda's role permissions.

In my case that was the problem, because by default it allowed writing logs only to 1 region (us-east-1).

Here is what my policy looks like now:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:*:{account-id}:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:{account-id}:log-group:/aws/lambda/{function-name}:*"
            ]
        }
    ]
}
```

{account-id} - your AWS Account ID

Scofield
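An added example (not part of any answer on this page): an offline checker that combines the log group naming from the first answer with the role-permissions point in the last one, reporting the regions where an execution role could not write Lambda@Edge logs. It assumes the replica's log group is named `/aws/lambda/us-east-1.<function>` in every region; the account id, function name, sample policies and the simplified matching (Allow statements only) are constructed for illustration.

```python
import re

ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")

def wild(pattern, value, flags=0):
    # IAM-style wildcards: '*' = any run of characters, '?' = exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, flags) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(policy, action, arn):
    # Simplified evaluation: Allow statements only; Deny, NotAction,
    # NotResource and Condition are not modelled.
    for st in as_list(policy["Statement"]):
        if (st.get("Effect") == "Allow"
                and any(wild(a, action, re.I) for a in as_list(st["Action"]))
                and any(wild(r, arn) for r in as_list(st["Resource"]))):
            return True
    return False

def edge_logging_gaps(policy, account, function, regions):
    # Returns {region: [actions the role cannot perform on the edge log group]}.
    group = f"/aws/lambda/us-east-1.{function}"  # naming from the first answer
    gaps = {}
    for region in regions:
        base = f"arn:aws:logs:{region}:{account}:log-group:{group}"
        stream = base + ":log-stream:constructed-stream"
        target = dict(zip(ACTIONS, (base, stream, stream)))
        missing = [a for a in ACTIONS if not allowed(policy, a, target[a])]
        if missing:
            gaps[region] = missing
    return gaps

def make_policy(region, group):
    # Constructed sample policy; account id and names are placeholders.
    acct = "arn:aws:logs:%s:123456789012:" % region
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": acct + "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": [acct + "log-group:" + group + ":*"]}]}

SINGLE_REGION = make_policy("us-east-1", "/aws/lambda/my-edge-fn")
ALL_REGIONS = make_policy("*", "/aws/lambda/us-east-1.my-edge-fn")
REGIONS = ["us-east-1", "us-east-2", "eu-west-2"]

if __name__ == "__main__":
    for name, pol in (("single-region", SINGLE_REGION), ("all-regions", ALL_REGIONS)):
        print(name, edge_logging_gaps(pol, "123456789012", "my-edge-fn", REGIONS))
```

A non-empty result for a region means the function can run there without leaving any log group behind, which is what an all-region search with no hits looks like from the console.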