Debugging with Dashbird: Lambda not Logging to CloudWatch

K - May 11 '21 - - Dev Community

Lambda not logging to CloudWatch? It's actually one of the most common issues that come up. Let's briefly go over why this problem needs to be solved.

CloudWatch is the central logging and monitoring service of the AWS cloud platform. It gives you insights into all the AWS services. Even if you can't deploy and test serverless systems locally, CloudWatch tells you what's happening to them.

Dashbird is built on top of CloudWatch; it lets Dashbird monitor Lambda functions without any code changes. You just install Dashbird's CloudFormation stack to your AWS account, and the insights will pour right in.

Regardless of whether you use Dashbird or just CloudWatch on its own, a Lambda function that isn't logging is a critical problem. So, in this article, we will try to solve this problem once and for all.

Why is Lambda not logging to CloudWatch?

Like with any bug, this one can have multiple causes.

The obvious one is a bug in your code that prevents the log function from being executed in the first place. The less obvious, but still likely, cause is that your Lambda function doesn't have permissions to write log data to CloudWatch. This usually happens when you created your own custom IAM role and forgot to add CloudWatch permissions.

Lambda, like every other AWS service, is governed by IAM roles and policies. If you don't give a Lambda function permission to access other services, the only thing it can do is working on the event data it received.

This is basically like writing a program without any side effects: not helpful at all.

For a Lambda function to be interesting, it needs to write data somewhere. This includes, but is not limited to, creating an object in an S3 bucket or writing a record to DynamoDB and logging strings to CloudWatch.

How do I fix it?

First, you should check your code. IaC frameworks like AWS SAM and AWS CDK are usually pretty good in keeping your Lambda functions supplied with sane permissions. If you don't know what you're doing, you can create security vulnerabilities. Also, if you create a custom role for CloudWatch logging, it won't allow access to services that your Lambda function might need to do its real work, like DynamoDB or S3. This means you need to include permissions for those services manually too.

If you have some logic errors in your code, it's possible that your log statements simply aren't ever reached. So review your code thoroughly and try a simple "Hello, world!" log output function that doesn't do anything else before diving into custom IAM roles.

If you already went the way of custom IAM roles for CloudWatch unrelated reasons, it's possible that you simply forgot to add the right permissions for logging.

In your "infrastructure as code" (IaC) tool, you need to create a custom IAM role for your Lambda function. The function will assume this role then it can access the services defined in its policies.

How to define a custom IAM Role for Lambda?

Let's look at an AWS SAM example:

See our original post for the original code snippets: https://dashbird.io/blog/lambda-not-logging-to-cloudwatch/

Let's look at the important parts. First, we create a CustomRole resource of the type AWS::IAM::Role. Only Lambda functions can assume this role. Next, we give it a WriteLogs policy that includes all the actions we need to write to CloudWatch Logs. The function needs to create log groups and log streams and then be able to put the actual log events into them.

After the role is defined, we connect it with SomeFunction; this gives all the role's permissions to this specific Lambda function.

The implementation details may differ between the different IaC tools out there, but they all have some way to define IAM roles and assign them to Lambda functions.

After you defined the role and assigned it to the Lambda function, you redeploy everything, and your logs should now show up in CloudWatch.

Again, keep in mind that you now have to add permissions to other services manually to the custom role; otherwise, the only thing your Lambda function is allowed to do is logging.

Conclusion

CloudWatch is a crucial service for all your cloud resources. If you want to know what's happening, you need to send your log data to CloudWatch first.

Dashbird, too, uses CloudWatch as a data source for all the insights it creates for you. If no data ends up in CloudWatch, your Lambda functions will be black boxes to you.

Check your code for logic errors, know that it really executes log statements, and have custom IAM roles already; add CloudWatch policies to them.

If you fixed your logging issue and want to be safe from problems in the future, you should try out Dashbird for serverless monitoring. It doesn't require code changes to work with your existing infrastructure, and even gives you insights into problems before they occur.

Further reading:

The Best Practices for Logging AWS Lambdas

AWS Lambda Logging: Error Types

AWS Lambda configuration error

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .