
Cloudwatch acquisition

This module allows crowdsec-agent to acquire logs from AWS's cloudwatch service, in one-shot and streaming mode.


To monitor a given stream within a group:

source: cloudwatch
group_name: /aws/my/group/
stream_name: 'given_stream'
aws_profile: monitoring
aws_config_dir: /home/user/.aws/
labels:
  type: apigateway

To monitor streams matching a regexp within a group:

source: cloudwatch
group_name: /aws/my/group/
stream_regexp: '^stream[0-9]+$'
aws_profile: monitoring
labels:
  type: apigateway

Look at the configuration parameters to view all supported options.

Configuration parameters


group_name

Name of the group to monitor, exact match.


stream_regexp

An RE2 expression that restricts which streams within the group are monitored.


stream_name

Name of the stream to monitor, exact match.


  • describelogstreams_limit : control the pagination size of describelogstreams calls (default: 1000)
  • getlogeventspages_limit : control the pagination size of getlogeventspages calls (default: 1000)


Note: the AWS SDK allows streams to be identified by the timestamp of the latest event within them, and this is what we rely on.

  • poll_new_stream_interval : frequency at which to poll for new streams within the given group (default 10s)
  • max_stream_age : open only streams whose last event is at most this old (default 5m)
  • poll_stream_interval : frequency at which to poll for new events within the given group (default 10s)
  • stream_read_timeout : stop reading a given stream when no new events have been seen for this duration (default 10m)
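To check offline which streams a given configuration would open, the name filter and the max_stream_age rule can be modelled as below. This is an added Go example, not CrowdSec's own code: `Stream`, `SelectStreams` and the sample data are hypothetical, and it assumes an exact `stream_name` takes precedence over `stream_regexp` (Go's `regexp` package uses RE2 syntax).

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Stream is a hypothetical stand-in for a CloudWatch log stream: its name and
// the timestamp of its latest event.
type Stream struct {
	Name      string
	LastEvent time.Time
}

// SelectStreams models which streams would be opened. Assumption: a non-empty
// streamName (exact match) takes precedence over the regexp.
func SelectStreams(streams []Stream, streamName string, re *regexp.Regexp, maxAge time.Duration, now time.Time) []string {
	var picked []string
	for _, s := range streams {
		nameOK := s.Name == streamName
		if streamName == "" {
			nameOK = re == nil || re.MatchString(s.Name)
		}
		// Keep only streams whose latest event is within max_stream_age.
		if nameOK && now.Sub(s.LastEvent) <= maxAge {
			picked = append(picked, s.Name)
		}
	}
	return picked
}

// sample returns constructed data, not real CloudWatch output.
func sample(now time.Time) []Stream {
	return []Stream{
		{"stream1", now.Add(-30 * time.Second)},
		{"stream22", now.Add(-7 * time.Minute)}, // idle longer than 5m
		{"stream3-debug", now.Add(-time.Minute)},
		{"other", now.Add(-10 * time.Second)},
	}
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	anchored := regexp.MustCompile(`^stream[0-9]+$`) // regexp from the example config
	loose := regexp.MustCompile(`stream[0-9]+`)      // same pattern, anchors dropped
	fmt.Println(SelectStreams(sample(now), "", anchored, 5*time.Minute, now)) // [stream1]
	fmt.Println(SelectStreams(sample(now), "", loose, 5*time.Minute, now))    // [stream1 stream3-debug]
}
```

In this model a stream that matches by name but has been idle longer than max_stream_age is not opened, and dropping the `^`/`$` anchors widens the set of monitored streams.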


prepend_cloudwatch_timestamp

When set to true (default: false), prepend the cloudwatch event timestamp to the generated log string. This is intended for cases where your log itself doesn't contain a timestamp.


aws_profile

The AWS profile to use to poll cloudwatch; relies on your ~/.aws/config/.


aws_config_dir

The path to your ~/.aws/ directory; defaults to /root/.aws.

DSN and command-line

cloudwatch implements a very approximate DSN, as follows: cloudwatch:///your/group/path:stream_name?[args]

Supported args are :

  • log_level : set log level of parser
  • profile : set aws profile name
  • start_date / end_date : provide start and end date limits for events, see supported formats
  • backlog : provide a duration, events from now()-duration till now() will be read


This data source lacks unit tests because mocking the AWS SDK is tedious.