Monday, November 21, 2016

Lambda Logging to Cloudwatch

If you're an AWS user, either professionally or personally, I can't encourage you enough to try Lambda out. Lambda lets you run code in a few different languages (currently Python, Node, and Java) without worrying about the server environment it runs on.

Unfortunately (or fortunately, depending on your perspective) as with any new technology or paradigm, there are caveats to Lambda.

For example, one problem we've solved with Lambda is monitoring web service endpoints. Lambda allows us to make an HTTP call to a web service using Python's httplib. But because the Python script runs on a server we don't control or configure, it isn't configured to point to our DNS servers by default. You can imagine our initial confusion when the Lambda function said the web service was unavailable, but we never saw any traffic to the service.

The best way we found to gain insight into what Lambda is actually doing is by logging from Lambda to a CloudWatch log stream. This allows you to output logs and put retention policies on them. Amazon has been helpful enough to tie the built-in Python logger into CloudWatch. All you really have to do is create a logging object similar to the example below.

Below is an example
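The following is an added example, not code from the original post: a handler that uses the built-in logger to record the DNS step and the HTTP step of an endpoint check as separate events, so a name that does not resolve inside Lambda is not mistaken for a service outage. The function names, the `host`/`path` event keys and the log message format are assumptions, and `http.client` is the Python 3 name of the `httplib` module mentioned above.

```python
import http.client  # Python 3 name of the httplib module the post mentions
import logging
import socket

# Lambda's Python runtime attaches a handler to the root logger that writes
# to CloudWatch Logs, so the function only needs a logger and a level.
# Passing a name to getLogger() labels the records; per the post it does not
# change where the logs end up.
logger = logging.getLogger()
logger.setLevel(logging.INFO)


def check_endpoint(host, path="/", port=80, resolve=socket.getaddrinfo,
                   connect=http.client.HTTPConnection):
    """Probe one endpoint; log DNS and HTTP outcomes as distinct events.

    resolve/connect are injectable (an assumption of this example) so the
    check can be exercised without network access.
    """
    try:
        # getaddrinfo returns (family, type, proto, canonname, sockaddr).
        addrs = sorted({info[4][0] for info in resolve(host, port)})
    except socket.gaierror as exc:
        # The name did not resolve from inside Lambda: no traffic will ever
        # reach the service, which matches the symptom described above.
        logger.error("dns_failure host=%s error=%s", host, exc)
        return {"host": host, "stage": "dns", "ok": False}
    logger.info("dns_ok host=%s addresses=%s", host, addrs)

    conn = connect(host, port, timeout=5)
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        logger.error("http_failure host=%s error=%s", host, exc)
        return {"host": host, "stage": "http", "ok": False}
    finally:
        conn.close()
    logger.info("http_ok host=%s status=%s", host, status)
    return {"host": host, "stage": "http", "ok": status < 400,
            "status": status}


def lambda_handler(event, context):
    # "host" and "path" are assumed event keys for this example.
    return check_endpoint(event["host"], event.get("path", "/"))
```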

Your logs will then be dumped into a log stream that is named "/aws/lambda/<your function name>".

One thing to note is that, in my experience, you can't control the name of the log stream. Even if you create the logger with "logger = logging.getLogger('LogName')", the log stream will be named after the Lambda function.

To give your Lambda function permissions to log to CloudWatch, it will need to run under a role that has permissions. The IAM role should allow Lambda resources to run under it, for example

And then you will need to give it permissions similar to the following (plus whatever rights your Lambda function needs for its actual work)