CloudWatch V2 Logs

The CloudWatch V2 log integration ships broker logs from your CloudAMQP cluster to AWS CloudWatch Logs. It uses the OpenTelemetry Protocol (OTLP) over HTTP with AWS SigV4 authentication, and IAM role assumption. No access keys need to be shared.

Prerequisites

The log group and log stream must already exist in your AWS account before logs can be shipped. Create them in the AWS CloudWatch console under Logs → Log groups:

  • Create a log group, or use the default name CloudAMQP (pre-filled in the integration form). Here you can also specify retention and tags for the log group.
  • Inside the log group, create a log stream, or use the default name which is your CloudAMQP cluster name (pre-filled in the integration form). All nodes in your cluster will ship logs to the same log stream. Each node can be identified by the attribute resource.attribute.host.name

Authentication

This integration uses IAM role assumption. CloudAMQP assumes a role in your account using our service user and the External ID you provide. You only need to share the role ARN with CloudAMQP.

Step 1 Create the IAM role

In the AWS IAM console, create a new role. When asked for the trusted entity type, choose Custom trust policy (you will fill this in Step 2).

Attach the following permission policy to the role. Replace YOUR_ACCOUNT_ID with your AWS account ID and YOUR_LOG_GROUP with the name of the log group you created (default: CloudAMQP ):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:PutLogs",
      "Resource": "arn:aws:logs:*:YOUR_ACCOUNT_ID:log-group:YOUR_LOG_GROUP"
    }
  ]
}

The single logs:PutLogs permission is all that is required. This is the IAM action that covers the CloudWatch Logs OTLP ingestion endpoint and is more restrictive than the classic PutLogEvents API.

Step 2 Set the trust relationship

Set the role's trust policy to allow CloudAMQP to assume it. Replace YOUR_EXTERNAL_ID with the External ID shown in the integration form in the CloudAMQP console (or omit the Condition block entirely if you choose not to use an External ID):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::714915985929:user/cloudamqp-metrics-publisher"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

The principal arn:aws:iam::714915985929:user/cloudamqp-metrics-publisher is the real CloudAMQP service user ARN, copy it as-is.

Setting up in the CloudAMQP console

Open the CloudAMQP console, go to Integrations → Add log integration → CloudWatch V2, and fill in the following fields:

Role ARN
The ARN of the role you created in Step 1, e.g. arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_ROLE_NAME
External ID
Optional. Use the auto-generated value or enter your own, it must match the value set in the trust policy.
Region
The AWS region where your log group is located, e.g. us-east-1
Log group
The name of the log group in CloudWatch Logs. Defaults to CloudAMQP or set your own. The log group must already exist in your AWS account.
Log stream
The name of the log stream within the log group. Defaults to your cluster name or set your own. The log stream must already exist within the log group in your AWS account.

Click Save to activate the integration. Logs will begin shipping within a few minutes.

Log record format

Each log record arrives in CloudWatch as a structured JSON object in the OpenTelemetry log data model. Here is an example record from a RabbitMQ node:

{
  "resource": {
    "attributes": {
      "service.name": "my-cluster-name",
      "host.name": "my-cluster-name-01"
    }
  },
  "scope": {},
  "timeUnixNano": 1749999999483021000,
  "observedTimeUnixNano": 1749999999864126106,
  "severityNumber": 9,
  "severityText": "INFO",
  "body": "accepting AMQP connection 18.216.156.227:13208 -> 10.56.72.78:5672\n",
  "attributes": {
    "appname": "rabbitmq"
  },
  "traceId": "",
  "spanId": ""
}

Notable fields:

  • resource.attributes.service.name — your CloudAMQP cluster name
  • resource.attributes.host.name — the individual node hostname, useful for filtering on multi-node clusters
  • severityNumber — mapped from the journald PRIORITY field following the OpenTelemetry severity spec (e.g. DEBUG = 5, INFO = 9, WARN = 13, ERROR = 17, FATAL = 21)
  • attributes.appname — always rabbitmq or lavinmq

← Back to Log Integrations

↑ Back to top