The CloudWatch V2 log integration ships broker logs from your CloudAMQP cluster to AWS CloudWatch Logs. It uses the OpenTelemetry Protocol (OTLP) over HTTP with AWS SigV4 authentication, and IAM role assumption. No access keys need to be shared.
The log group and log stream must already exist in your AWS account before logs can be shipped. Create them in the AWS CloudWatch console under Logs → Log groups:
CloudAMQP
(pre-filled in the integration form).
Here you can also specify retention and tags for the log group.
resource.attribute.host.name
This integration uses IAM role assumption. CloudAMQP assumes a role in your account using our service user and the External ID you provide. You only need to share the role ARN with CloudAMQP.
In the AWS IAM console, create a new role. When asked for the trusted entity type, choose Custom trust policy (you will fill this in Step 2).
Attach the following permission policy to the role. Replace
YOUR_ACCOUNT_ID
with your AWS account ID and
YOUR_LOG_GROUP
with the name of the log group you created (default:
CloudAMQP
):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:PutLogs",
"Resource": "arn:aws:logs:*:YOUR_ACCOUNT_ID:log-group:YOUR_LOG_GROUP"
}
]
}
The single
logs:PutLogs
permission is all that is required. This is the IAM action that covers the
CloudWatch Logs OTLP ingestion endpoint and is more restrictive than the
classic
PutLogEvents
API.
Set the role's trust policy to allow CloudAMQP to assume it. Replace
YOUR_EXTERNAL_ID
with the External ID shown in the integration form in the CloudAMQP console
(or omit the
Condition
block entirely if you choose not to use an External ID):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::714915985929:user/cloudamqp-metrics-publisher"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "YOUR_EXTERNAL_ID"
}
}
}
]
}
The principal
arn:aws:iam::714915985929:user/cloudamqp-metrics-publisher
is the real CloudAMQP service user ARN, copy it as-is.
Open the CloudAMQP console, go to Integrations → Add log integration → CloudWatch V2, and fill in the following fields:
arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_ROLE_NAME
us-east-1
CloudAMQP
or set your own. The log group must already exist in your AWS account.
Click Save to activate the integration. Logs will begin shipping within a few minutes.
Each log record arrives in CloudWatch as a structured JSON object in the OpenTelemetry log data model. Here is an example record from a RabbitMQ node:
{
"resource": {
"attributes": {
"service.name": "my-cluster-name",
"host.name": "my-cluster-name-01"
}
},
"scope": {},
"timeUnixNano": 1749999999483021000,
"observedTimeUnixNano": 1749999999864126106,
"severityNumber": 9,
"severityText": "INFO",
"body": "accepting AMQP connection 18.216.156.227:13208 -> 10.56.72.78:5672\n",
"attributes": {
"appname": "rabbitmq"
},
"traceId": "",
"spanId": ""
}
Notable fields:
resource.attributes.service.name
— your CloudAMQP cluster name
resource.attributes.host.name
— the individual node hostname, useful for filtering on multi-node clusters
severityNumber
— mapped from the journald
PRIORITY
field following the
OpenTelemetry severity spec
(e.g. DEBUG = 5, INFO = 9, WARN = 13, ERROR = 17, FATAL = 21)
attributes.appname
— always
rabbitmq
or
lavinmq