Set up AWS API Gateway logging with AWS Lambda

Created:
March 13, 2023
Updated:
December 6, 2024

The AWS API Gateway Logging with AWS Lambda integration automates the collection and analysis of logs from your AWS API Gateway, giving you valuable insights into performance and issues for better monitoring and troubleshooting.

This integration uses AWS Lambda to handle log data, and a CloudFormation template deploys the required resources and configurations. Once set up, logs are sent to CloudWatch, where FireTail processes them for analysis.

To start logging, the integration must be attached to each relevant API.

Create an API Gateway logging integration

1. Navigate to Integrations in the FireTail platform. Select the Create Integration tab.

2. Click FireTail API Gateway logging with AWS Lambda.

3. In the Name of Integration field, enter a name for the integration.

4. Select the AWS Region to deploy the integration to.

5. Select an application from the dropdown, or click Create to create a new application. This is the application that will be associated with the integration. Learn more about applications here.

6. Under App Token, click Create to create a token. Enter a name for the token. Click Submit. Copy the app token. This is needed when the template is launched.

7. Log in to AWS.

8. In FireTail, click Launch CloudFormation to launch the template. This opens in a new window.

9. The stack name needs to be unique, if you have previously created a stack, enter a unique name into the field.

10. Paste the app token into the FTAPPKEY field.

11. Select the checkboxes. Click Create Stack.

12. When the CloudFormation Stack has a status of CREATE_COMPLETE, copy the FiretailRoleARN and the FiretailCloudwatchARN from the Outputs tab.

13. Paste the above data into the FireTail platform into the AWS Cloudwatch group ARN and AWS Role Arn fields respectively.

14. Click Submit.

Set up logging on the API Gateway

When the integration has been created you must attach it to every API Gateway API that you want the logging for. This needs to be done for logging to start.

To attach an integration:

1. In the AWS Management Console, search for API Gateway and open it.

2. Locate the API you want to configure and select it.

3. In the left menu, go to Stages.

4. Go to Logs and Tracing and click Edit.

5. In the Logs and tracing settings, make sure that:

  • CloudWatch logs - Errors only is selected.
  • Data tracing is enabled.

6. In the Access log destination ARN field, enter the ARN from the Outputs tab of the CloudFormation stack used to create the CloudWatch log group.

7. In Log format, add "partial": true to the configuration.

8. Click Save.

9. In AWS, go to CloudWatch and select Log groups from the left menu. A log group will have been created in CloudWatch logs.

10. Locate the log group for your API. The name format is API-Gateway-Execution-Logs_<API-ID>/<stage-name>.

  • For example: API-Gateway-Execution-Logs_10ap38wd95/dev
  • To find the API ID and Stage name, return to API Gateway and open the API.

11. Open the selected log group.

12. A subscription filter needs to be added to the Log group. Go to the Subscription filters tab. Click Create and select Create Lambda subscription filter.

13. This subscription filter needs to be pointed to the Lambda that was deployed: 

  • Go to the Resources tab in the CloudFormation stack used to deploy the Lambda, and locate the Lambda function name under Physical ID.
  • Return to the Create Lambda subscription filter page and select the Lambda function field dropdown, locate the Lambda function name.

14. Under Configure log format and filters, locate the Subscription filter name field enter a name in this field - (e.g., send to firetail).

15. Click Start Streaming.

Repeat these steps for every API you want to add the integration to.