Query and manage CloudWatch log groups, streams, events, run Insights queries, inspect metric filters and subscriptions, and open the interactive log viewer using awsclaw. Find logs from Lambda, API Gateway, Glue, RDS, ECS, Step Functions, and other AWS services.
Query and manage CloudWatch log groups, streams, events, run Insights queries, and open the interactive log viewer.
Use this skill when the user:
Execute CloudWatch Logs commands including Insights queries. ALWAYS provide params object.
List log groups with optional prefix filter.
{ "command": "DescribeLogGroups", "params": { "logGroupNamePrefix": "/aws/lambda/", "limit": 50 } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupNamePrefix | string | No | Prefix filter for log group names |
| limit | number | No | Maximum items to return |
| nextToken | string | No | Pagination token |
List log streams in a log group.
{ "command": "DescribeLogStreams", "params": { "logGroupName": "/aws/lambda/my-function", "orderBy": "LastEventTime", "descending": true, "limit": 10 } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupName | string | Yes | Target log group name |
| logStreamNamePrefix | string | No | Prefix filter for stream names |
| orderBy | string | No | LogStreamName or LastEventTime |
| descending | boolean | No | Sort in descending order |
| limit | number | No | Maximum items to return |
| nextToken | string | No | Pagination token |
Get log events from a specific stream.
{ "command": "GetLogEvents", "params": { "logGroupName": "/aws/lambda/my-function", "logStreamName": "2024/01/01/[$LATEST]abc123", "limit": 100 } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupName | string | Yes | Target log group name |
| logStreamName | string | Yes | Target log stream name |
| startTime | number | No | Start time in epoch milliseconds |
| endTime | number | No | End time in epoch milliseconds |
| startFromHead | boolean | No | Start from the beginning of the stream |
| limit | number | No | Maximum events to return |
| nextToken | string | No | Pagination token |
Search/filter log events across streams in a log group.
{ "command": "FilterLogEvents", "params": { "logGroupName": "/aws/lambda/my-function", "filterPattern": "ERROR" } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupName | string | Yes | Target log group name |
| filterPattern | string | No | Search pattern (e.g., ERROR, "status code: 500", { $.level = "ERROR" }) |
| startTime | number | No | Start time in epoch milliseconds |
| endTime | number | No | End time in epoch milliseconds |
| interleaved | boolean | No | Return interleaved results from multiple streams |
| nextToken | string | No | Pagination token |
| limit | number | No | Maximum events to return |
Start a CloudWatch Insights query.
{
  "command": "StartQuery",
  "params": {
    "logGroupName": "/aws/lambda/my-function",
    "queryString": "fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20",
    "startTime": 1704067200000,
    "endTime": 1704153600000
  }
}
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupName | string | No | Single log group name |
| logGroupNames | array of strings | No | Multiple log group names to query |
| logGroupIdentifiers | array of strings | No | Log group identifiers |
| queryString | string | Yes | CloudWatch Insights query string |
| startTime | number | Yes | Start time in epoch milliseconds |
| endTime | number | Yes | End time in epoch milliseconds |
| maxQueryResults | number | No | Maximum number of query results |
Get results of a CloudWatch Insights query.
{ "command": "GetQueryResults", "params": { "queryId": "12345678-1234-1234-1234-123456789012" } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| queryId | string | Yes | Query ID returned by StartQuery |
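
StartQuery only returns a query ID; the query runs asynchronously and GetQueryResults has to be polled until its status is `Complete`. The following is an added example, not awsclaw code: it shows that loop against a boto3-style `logs` client, with a constructed `FakeLogsClient` so it runs offline. The names `run_insights_query` and `FakeLogsClient` are assumptions, and because the SDK's `start_query` takes epoch seconds, the millisecond values used on this page are converted.

```python
import time

FAILED = {"Failed", "Cancelled", "Timeout", "Unknown"}

def run_insights_query(client, log_group, query, start_ms, end_ms,
                       timeout_s=60.0, poll_s=1.0, sleep=time.sleep):
    """Start an Insights query, poll until it finishes, return rows as dicts."""
    query_id = client.start_query(
        logGroupName=log_group,
        queryString=query,
        startTime=start_ms // 1000,  # the SDK call takes epoch seconds
        endTime=end_ms // 1000,
    )["queryId"]
    waited = 0.0
    while True:
        resp = client.get_query_results(queryId=query_id)
        if resp["status"] == "Complete":
            # Each row is a list of {"field", "value"} cells; @ptr is an opaque pointer.
            return [{c["field"]: c["value"] for c in row if c["field"] != "@ptr"}
                    for row in resp["results"]]
        if resp["status"] in FAILED:
            raise RuntimeError(f"query {query_id} ended as {resp['status']}")
        if waited >= timeout_s:
            client.stop_query(queryId=query_id)  # do not leave the query running
            raise TimeoutError(f"query {query_id} not complete after {timeout_s}s")
        sleep(poll_s)
        waited += poll_s

class FakeLogsClient:
    """Constructed stand-in for a boto3 'logs' client (sample data, not real logs)."""
    def __init__(self, statuses):
        self.statuses = list(statuses)
        self.started = None
        self.stopped = False
    def start_query(self, **kwargs):
        self.started = kwargs
        return {"queryId": "12345678-1234-1234-1234-123456789012"}
    def get_query_results(self, queryId):
        status = self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]
        rows = [[{"field": "@timestamp", "value": "2024-01-01 00:00:05.000"},
                 {"field": "@message", "value": "ERROR constructed sample line"},
                 {"field": "@ptr", "value": "opaque"}]] if status == "Complete" else []
        return {"status": status, "results": rows}
    def stop_query(self, queryId):
        self.stopped = True
        return {"success": True}
```
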
Discover fields in a log group for Insights queries.
{ "command": "GetLogGroupFields", "params": { "logGroupName": "/aws/lambda/my-function" } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupName | string | Yes | Target log group name |
| time | number | No | Time in epoch milliseconds for field discovery |
List metric filters for a log group.
{ "command": "DescribeMetricFilters", "params": { "logGroupName": "/aws/lambda/my-function" } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupName | string | No | Target log group name |
| filterNamePrefix | string | No | Metric filter name prefix |
| metricName | string | No | Metric name |
| metricNamespace | string | No | Metric namespace |
List saved CloudWatch Insights query definitions.
{ "command": "DescribeQueryDefinitions", "params": {} }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| maxQueryResults | number | No | Maximum results |
List subscription filters for a log group.
{ "command": "DescribeSubscriptionFilters", "params": { "logGroupName": "/aws/lambda/my-function" } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupName | string | Yes | Target log group name |
List log destinations.
{ "command": "DescribeDestinations", "params": {} }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| destinationNamePrefix | string | No | Destination name prefix |
Create a new log group.
{ "command": "CreateLogGroup", "params": { "logGroupName": "/aws/lambda/new-func" } }
Create a new log stream in a log group.
{ "command": "CreateLogStream", "params": { "logGroupName": "/aws/lambda/new-func", "logStreamName": "manual" } }
Put log events to a log stream.
{ "command": "PutLogEvents", "params": { "logGroupName": "/aws/lambda/new-func", "logStreamName": "manual", "logEvents": [{ "timestamp": 1704067200000, "message": "hello" }] } }
Set retention policy for a log group.
{ "command": "PutRetentionPolicy", "params": { "logGroupName": "/aws/lambda/new-func", "retentionInDays": 30 } }
Create or update a metric filter.
{ "command": "PutMetricFilter", "params": { "logGroupName": "/aws/lambda/new-func", "filterName": "ErrorCount", "filterPattern": "ERROR", "metricTransformations": [{ "metricName": "ErrorCount", "metricNamespace": "App", "metricValue": "1" }] } }
Create or update a subscription filter.
{ "command": "PutSubscriptionFilter", "params": { "logGroupName": "/aws/lambda/new-func", "filterName": "to-kinesis", "filterPattern": "", "destinationArn": "arn:aws:kinesis:..." } }
Create or update a resource policy.
{ "command": "PutResourcePolicy", "params": { "policyName": "cw-policy", "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"logs:PutLogEvents\"],\"Resource\":[\"*\"]}]}" } }
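
The `policyDocument` in the example above sets `"Principal":"*"` and `"Resource":["*"]`. The following added example (not part of awsclaw) audits a `policyDocument` string for wildcard principals, resources and actions and for a missing source condition before it is passed to PutResourcePolicy. The function name `audit_policy_document`, the account ID `111122223333` and the Route 53 scoped policy are constructed for illustration.

```python
import json

def _as_list(value):
    """IAM policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy_document(policy_document: str) -> list[str]:
    """Return findings for over-broad Allow statements in a policyDocument string."""
    findings = []
    policy = json.loads(policy_document)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = _as_list(principal)
        if "*" in principals:
            findings.append(f"Statement[{idx}]: wildcard principal")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"Statement[{idx}]: wildcard resource")
        if any(a in ("*", "logs:*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"Statement[{idx}]: wildcard action")
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not cond_keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append(f"Statement[{idx}]: no aws:SourceAccount/aws:SourceArn condition")
    return findings

# The policyDocument from the PutResourcePolicy example on this page, unescaped.
PAGE_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":["logs:PutLogEvents"],"Resource":["*"]}]}'

# Constructed scoped alternative: one service principal, one log group prefix,
# and a source-account condition. Account ID and ARN are placeholders.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "route53.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/route53/*",
        "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
    }],
})
```
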
Delete a log group.
{ "command": "DeleteLogGroup", "params": { "logGroupName": "/aws/lambda/old-func" } }
Delete a log stream.
{ "command": "DeleteLogStream", "params": { "logGroupName": "/aws/lambda/new-func", "logStreamName": "manual" } }
Delete a metric filter.
{ "command": "DeleteMetricFilter", "params": { "logGroupName": "/aws/lambda/new-func", "filterName": "ErrorCount" } }
Delete a subscription filter.
{ "command": "DeleteSubscriptionFilter", "params": { "logGroupName": "/aws/lambda/new-func", "filterName": "to-kinesis" } }
Remove retention policy (reverts to Never Expire).
{ "command": "DeleteRetentionPolicy", "params": { "logGroupName": "/aws/lambda/new-func" } }
Delete a resource policy.
{ "command": "DeleteResourcePolicy", "params": { "policyName": "cw-policy" } }
Tag a log group.
{ "command": "TagLogGroup", "params": { "logGroupName": "/aws/lambda/new-func", "tags": { "env": "prod" } } }
Remove tags from a log group.
{ "command": "UntagLogGroup", "params": { "logGroupName": "/aws/lambda/new-func", "tagKeys": ["env"] } }
Open the interactive CloudWatch Log Viewer in VS Code.
{ "command": "OpenCloudWatchLogView", "params": { "logGroupName": "/aws/lambda/my-function", "logStreamName": "2024/01/01/[$LATEST]abc123" } }
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| logGroupName | string | Yes | Log group name to open |
| logStreamName | string | No | Specific log stream to open |
Use these patterns to find logs from specific AWS services:
| AWS Service | Log Group Pattern | Example |
|---|---|---|
| Lambda | /aws/lambda/{functionName} | /aws/lambda/my-api-handler |
| API Gateway | API-Gateway-Execution-Logs_{restApiId}/{stageName} | API-Gateway-Execution-Logs_abc123/prod |
| Glue | /aws-glue/jobs/output | /aws-glue/jobs/output |
| Glue | /aws-glue/jobs/error | /aws-glue/jobs/error |
| Glue Crawlers | /aws-glue/crawlers | /aws-glue/crawlers |
| RDS | /aws/rds/instance/{instanceId}/{logType} | /aws/rds/instance/mydb/error |
| RDS Aurora | /aws/rds/cluster/{clusterId}/{logType} | /aws/rds/cluster/mycluster/audit |
| ECS | /ecs/{serviceName} or custom | /ecs/my-service |
| Step Functions | /aws/vendedlogs/states/{name} | /aws/vendedlogs/states/MyStateMachine |
| CloudTrail | aws-cloudtrail-logs-{accountId}-{hash} | aws-cloudtrail-logs-123456789012-abcdef |
| VPC Flow Logs | Custom (check EC2 flow log config) | /vpc/flow-logs |
| AppSync | /aws/appsync/apis/{apiId} | /aws/appsync/apis/abc123 |
| CodeBuild | /aws/codebuild/{projectName} | /aws/codebuild/my-build |
Find errors across Lambda functions:
fields @timestamp, @message
| filter @message like /ERROR/
| sort @timestamp desc
| limit 50
Count errors by function:
filter @message like /ERROR/
| stats count(*) as errorCount by @logStream
| sort errorCount desc
Latency analysis:
filter @type = "REPORT"
| stats avg(@duration) as avgDuration, max(@duration) as maxDuration, min(@duration) as minDuration by bin(1h)

- /aws/lambda/{functionName}. Use LambdaTool GetFunctionConfiguration to get function details
- API-Gateway-Execution-Logs_{id}/{stage}. Use APIGatewayTool GetRestApis to find API IDs
- /aws-glue/jobs/output. Use GlueTool GetJobRuns to correlate job runs with log timestamps
- /aws/rds/instance/{id}/{type}. Use RDSTool DescribeDBInstances to find instance IDs
- EC2Tool DescribeFlowLogs to find log group
- /aws/vendedlogs/states/{name}. Use StepFuncTool to find state machine details