Grafana Cloud

Logs with Lambda

Send AWS log data from multiple services to Grafana Cloud using Lambda Promtail, a Lambda function that forwards logs to your stack using the Loki push API. Since AWS invokes the function only when new log data is available, you don’t have an always-on agent.

In the Cloud Provider Observability UI, you can generate a CloudFormation template or Terraform snippets, API credentials, and your Loki write endpoint, all of which you need to configure logs with Lambda.

For self-managed setups (container image from Amazon Elastic Container Registry (Amazon ECR), Amazon Kinesis, SQS, advanced relabeling), refer to the Lambda Promtail client documentation.

Supported log sources

Cloud Provider Observability supports the following AWS log sources:

| Log source | Description |
|---|---|
| Amazon CloudWatch Logs | Log groups from any CloudWatch-instrumented service (Lambda, ECS, EC2, and so on) |
| AWS CloudTrail | API activity and management event logs |
| VPC Flow Logs | Network traffic logs for your VPCs |
| Application Load Balancer (ALB) access logs | HTTP request logs from ALB instances |
| CloudFront access logs | CDN access logs stored in S3 |
| Amazon Kinesis Data Streams | Real-time streaming log data |

Choose a configuration guide

| If your logs are… | Follow |
|---|---|
| In Amazon CloudWatch Logs (subscription filter to Lambda) | Configure Amazon CloudWatch Logs with Lambda |
| Application Load Balancer access logs in S3 (often with EventBridge) | Configure Application Load Balancer logs |

Other S3-based AWS logs (for example AWS CloudTrail, Amazon VPC Flow Logs, or Amazon CloudFront access logs) use the same general pattern as load balancer logs: objects land in S3, then S3 or EventBridge triggers lambda-promtail. Use the ALB guide for the Grafana Cloud workflow, then adapt bucket names and permissions using the Lambda Promtail client reference and example Terraform.

How it works

  1. You deploy lambda-promtail in your AWS account.
  2. When a log event occurs, the source service writes logs to CloudWatch or an S3 bucket, depending on the service.
  3. The Lambda Promtail function is triggered by that event - either a CloudWatch subscription filter or an S3 (or EventBridge) notification.
  4. The Lambda Promtail function batches lines and pushes them to Grafana Cloud using the Loki push API.
  5. Your logs are available in Cloud Provider Observability in Grafana Cloud.

After logs arrive in Grafana Cloud Provider, you can:

  • Query them using LogQL.
  • Set up alerts based on log content.
  • Perform cross-account and cross-region querying without additional configuration.

Note

Forwarding from CloudWatch Logs does not remove CloudWatch charges; you still pay AWS for ingestion and storage there.

Deployment options

Logs with Lambda can be deployed with either of the following methods:

  • Terraform, for repeatable infrastructure-as-code deployments with support for arrays of log groups, buckets, and network settings
  • CloudFormation, for AWS-native infrastructure definitions

Labels

lambda-promtail attaches internal labels you can use in LogQL. The following are the ones most Grafana Cloud users need. A full list, relabeling (RELABEL_CONFIGS), and behavior for Amazon Kinesis and multi-tenant setups are documented in the Lambda Promtail client documentation.

| Label | When it appears | Meaning |
|---|---|---|
| __aws_log_type | Most events | Source class (for example CloudWatch vs S3 LB). |
| __aws_cloudwatch_log_group | CloudWatch path | CloudWatch log group name. |
| __aws_cloudwatch_log_stream | CloudWatch path, if KEEP_STREAM=true | CloudWatch log stream name. |
| __aws_cloudwatch_owner | CloudWatch path | AWS account ID of the log group owner. |
| __aws_s3_log_lb | ALB / S3 LB-style access logs | Load balancer name. |
| __aws_s3_log_lb_owner | ALB / S3 LB-style access logs | AWS account ID that owns the load balancer. |

Extra labels: You can add comma-separated pairs (for example env,prod,team,platform) using the EXTRA_LABELS environment variable or CloudFormation ExtraLabels. These extra labels appear as __extra_<name>=<value> on log lines.
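A pre-deployment check for an EXTRA_LABELS value, as an added example that is not part of the original page and is not lambda-promtail's own parsing code. It splits the comma-separated pairs, reports malformed entries, and prints the `__extra_<name>` labels and a matching LogQL stream selector; the function names and the validation rules (the standard Loki/Prometheus label-name pattern, no empty values, no duplicate names) are assumptions of this example.

```python
import re

# Standard Loki/Prometheus label-name pattern, checked against "__extra_<name>".
LABEL_NAME = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$")


def parse_extra_labels(raw):
    """Return ({label: value}, [problems]) for an EXTRA_LABELS string."""
    labels, problems = {}, []
    if not raw.strip():
        return labels, problems
    parts = [p.strip() for p in raw.split(",")]
    if len(parts) % 2:
        problems.append(f"odd item count ({len(parts)}): '{parts[-1]}' has no value")
    # zip() stops at the shorter slice, so a dangling name is skipped here.
    for name, value in zip(parts[0::2], parts[1::2]):
        label = "__extra_" + name
        if not name or not LABEL_NAME.match(label):
            problems.append(f"invalid label name: '{name}'")
        elif not value:
            problems.append(f"{label}: empty value")
        elif label in labels:
            problems.append(f"{label}: defined more than once")
        else:
            labels[label] = value
    return labels, problems


def selector(labels):
    """Build a LogQL stream selector that matches every given label exactly."""
    def esc(v):
        return v.replace("\\", "\\\\").replace('"', '\\"')
    return "{" + ", ".join(f'{k}="{esc(v)}"' for k, v in labels.items()) + "}"


if __name__ == "__main__":
    # Constructed sample values; the first is the example string from the page.
    for raw in ("env,prod,team,platform", "env,prod,team", "cost-center,42,env,prod"):
        labels, problems = parse_extra_labels(raw)
        print(f"{raw!r}\n  labels:   {labels}\n  selector: {selector(labels)}")
        for p in problems:
            print(f"  PROBLEM:  {p}")
```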

For sample queries after setup, refer to the Explore logs section in Configure CloudWatch logs with Lambda or Configure Application Load Balancer logs.

Limitations and considerations

Keep the following in mind when using Logs with Lambda:

  • CloudWatch-based collection is still subject to CloudWatch ingestion and retention costs.
  • Some AWS log formats, such as default VPC Flow Logs, do not include a source timestamp, so the observed timestamp can reflect processing time instead.
  • If you preserve high-cardinality identifiers such as log streams, label cardinality can increase significantly.
  • Some advanced deployment patterns may require modifying the provided Terraform or CloudFormation templates.