CloudWatch Logs
Sync Type: Incremental
Overview
Collects log events from AWS CloudWatch Logs to monitor application logs, system logs, and AWS service logs across your environment for security analysis and operational insights.
Functionality
On initialization, Monad discovers all CloudWatch log groups in the specified region. For each log group, the connector retrieves log events using time-based filtering and maintains state to ensure incremental updates on subsequent runs. Only new log events since the last sync are collected, minimizing duplicates and API calls.
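The discover-then-sync loop described above, sketched as an added example; this is not Monad's code, and the checkpoint layout and boundary de-duplication by `eventId` are assumptions about one way to achieve "only new events". `list_log_groups`, `sync_group`, `default_start_ms` and `FakeLogs` are hypothetical names, while `describe_log_groups`, `filter_log_events` and their lowercase response keys are the boto3 logs-client API.

```python
# Added example, not Monad's code. `client` is anything exposing the boto3 logs-client
# methods describe_log_groups / filter_log_events, e.g. boto3.client("logs").

def list_log_groups(client):
    """Discover every log group in the region, following nextToken pagination."""
    groups, kwargs = [], {}
    while True:
        page = client.describe_log_groups(**kwargs)
        groups += [g["logGroupName"] for g in page.get("logGroups", [])]
        if not page.get("nextToken"):
            return groups
        kwargs = {"nextToken": page["nextToken"]}

def sync_group(client, group, state, default_start_ms):
    """Return events not yet collected; state[group] = (last_ts_ms, ids seen at last_ts)."""
    last_ts, seen = state.get(group, (default_start_ms, set()))
    kwargs = {"logGroupName": group, "startTime": last_ts}  # startTime is inclusive
    fresh, max_ts, ids_at_max = [], last_ts, set(seen)
    while True:
        page = client.filter_log_events(**kwargs)
        for ev in page.get("events", []):
            if ev["timestamp"] == last_ts and ev["eventId"] in seen:
                continue  # boundary event already delivered by the previous run
            fresh.append(ev)
            if ev["timestamp"] > max_ts:
                max_ts, ids_at_max = ev["timestamp"], set()
            if ev["timestamp"] == max_ts:
                ids_at_max.add(ev["eventId"])
        if not page.get("nextToken"):
            break
        kwargs["nextToken"] = page["nextToken"]
    state[group] = (max_ts, ids_at_max)  # persist this between runs
    return fresh

class FakeLogs:
    """Constructed offline stand-in for the logs client; returns one event per page."""
    def __init__(self, events):
        self.events = events  # {log group name: [event dicts]}, constructed sample data
    def describe_log_groups(self, **kwargs):
        return {"logGroups": [{"logGroupName": g} for g in self.events]}
    def filter_log_events(self, logGroupName, startTime, nextToken="0"):
        hits = [e for e in self.events[logGroupName] if e["timestamp"] >= startTime]
        i = int(nextToken)
        page = {"events": hits[i:i + 1]}
        if i + 1 < len(hits):
            page["nextToken"] = str(i + 1)
        return page
```

Re-querying from the saved timestamp and skipping the IDs already seen at that millisecond avoids both duplicates and the gap that `last_ts + 1` would open for events sharing the boundary timestamp.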
Requirements
- IAM Role Assumption / Static Credentials
- Example permission to attach to the role/user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Region | string | Yes | The AWS region where CloudWatch is enabled. |
| Role ARN | string | Yes | The ARN of the IAM role to assume for accessing CloudWatch. |
| Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets (Static Credentials Only)
| Setting | Type | Required | Description |
|---|---|---|---|
| Access Key | string | Conditional | AWS Access Key ID |
| Secret Key | string | Conditional | AWS Secret Access Key |
⚠️ Authentication: Choose either Role ARN (recommended) or static credentials. See AWS Authentication Guide for setup instructions.
Sample Record
{
  "EventId": "19290253317859809123455432178906645308301437257699635872",
  "IngestionTime": 1761939524706,
  "LogStreamName": "EC2-Log-Stream",
  "Message": "User login activity",
  "Timestamp": 1761939586709
}