Amazon provides us with CloudWatch logs to monitor, store and access log from various AWS services
By default CloudWatch Logs are kept indefinitely and never expire. We are allowed to set a retention period and at present it can be set to a period between 10 years and one day.
One of the big users of CloudWatch Logs is Lambda service. All logging statements from Lambda are written to CloudWatch Logs. As Lambda usage grows in an account, so will the amounts of logs in CloudWatch Logs.
All Lambda functions by default will create a Log Group inside CloudWatch logs matching their name. As an example, a HellowWorld Lambda function will create a Log Group /aws/lambda/HelloWorld with retention period set to ‘Never Expire’
In an AWS account with a lot of work going on in Serverless space one could end up with many log group which retain logs indefinitely.
Amazon has given us the ability to change the retention period therefore as an admin we should periodically review and set accordingly. However, in a multi-region account doing this weekly or daily can be a burden.
Solution
We can write a script or code to take care of this problem for us. In this post I will focus on using a bash shell script to solve this, you could do this via a Lambda function as well if you wish.
Prerequisite
This is a bash script example, you will need a server say something like your bastion host or your Jenkins server that remain up when you want this script to run.
Another way would be to set up a new Item in Jenkins which runs this script periodically. This is my preferred way of doing this. I like to run all my scripts from within Jenkins. It gives me
IAM permission for the user that runs this script or set a IAM role for the server where this script will run.
Script
#!/bin/bash
declare -r retention="30"
for L in $(aws logs describe-log-groups \
--query 'logGroups[?!not_null(retentionInDays)] | [].logGroupName' \
--output text)
do
aws logs put-retention-policy --log-group-name ${L} \
--retention-in-days ${retention}
done
In the script above, the retention days is fixed, but this can be passed as an argument to it.
First, we query all log groups which
After you run this script, you should see the new retention set in the console for the log group.
Further Reading And Improvements
- Pass or set the AWS Region to run this across regions in your account if you have more than one region active.
- Add logging and error handling.
- Setup the script to run from cron or Jenkins
- CloudWatch Logs
- CloudWatch Log Groups and Streams.
That worked perfectly, thanks!
Hi,
You have mentioned log retention can be configured via lambda function as well.
Can you please explain it?
I am supposed to set the log expiry for many lambda functions in one shot, from AWS console I am forced to do it one by one. Is there any way I can do it?
Thanks
Thanks for reading.
So, it wont be from the console, but It is possible to write a Lambda function, say in python, that could run once a day and set expiration period for all the log groups.
I will try to post an example soon.
In this post I show how you can do this using a Lambda Function https://blog.skbali.com/2020/06/set-retention-for-cloudwatch-logs-using-a-lambda-function/