---
title: "AWS CloudWatch"
description: "Learn how to forward AWS CloudWatch logs to Sentry via the OpenTelemetry Protocol (OTLP)."
url: https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch/
---

# AWS CloudWatch Logs

This guide shows you how to collect AWS CloudWatch logs and forward them to Sentry using the OpenTelemetry Collector with the [AWS CloudWatch Receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awscloudwatchreceiver).

## [Prerequisites](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#prerequisites)

Before you begin, ensure you have:

* AWS credentials configured with permissions to read CloudWatch logs
* A Sentry project to send data to

## [Step 1: Install the OpenTelemetry Collector](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#step-1-install-the-opentelemetry-collector)

The AWS CloudWatch Receiver is included in the [OpenTelemetry Collector Contrib](https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib) distribution. You'll need to download and install this version, as the standard `otelcol` binary does not include the AWS CloudWatch Receiver.

Download the latest `otelcol-contrib` binary from the [OpenTelemetry Collector releases page](https://github.com/open-telemetry/opentelemetry-collector-releases/releases).

## [Step 2: Configure AWS Credentials](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#step-2-configure-aws-credentials)

The AWS CloudWatch Receiver uses the [AWS SDK](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html) for authentication, which supports multiple methods including credentials files and EC2 instance metadata (IMDS).

### [Using an AWS Credentials File](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#using-an-aws-credentials-file)

Configure your AWS credentials using the AWS CLI:

```bash
aws configure
```

This creates a credentials file at `~/.aws/credentials` with your access key and secret.

### [Using IAM Role (EC2)](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#using-iam-role-ec2)

For EC2 environments, attach an IAM role with the `CloudWatchLogsReadOnlyAccess` policy to your instance.

### [Required IAM Permissions](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#required-iam-permissions)

Your AWS credentials need the following permissions:

* `logs:DescribeLogGroups`
* `logs:DescribeLogStreams`
* `logs:GetLogEvents`

## [Step 3: Get Your Sentry OTLP Credentials](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#step-3-get-your-sentry-otlp-credentials)

You'll need your Sentry OTLP endpoint and authentication header. These can be found in your [Sentry Project Settings](https://sentry.io/settings/projects/) under **Client Keys (DSN)** > **OpenTelemetry (OTLP)**.

### [Logs Endpoint](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#logs-endpoint)

```bash
___OTLP_LOGS_URL___
```

### [Authentication Header](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#authentication-header)

```bash
x-sentry-auth: sentry sentry_key=___PUBLIC_KEY___
```

## [Step 4: Configure the Collector](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#step-4-configure-the-collector)

Create a configuration file with the AWS CloudWatch Receiver and the OTLP HTTP exporter configured to send logs to Sentry.

For additional configuration options, see the [AWS CloudWatch Receiver Documentation](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awscloudwatchreceiver).

### [Collect All Log Groups (Autodiscover)](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#collect-all-log-groups-autodiscover)

This configuration automatically discovers and collects logs from all CloudWatch log groups:

`config.yaml`

```yaml
receivers:
  awscloudwatch:
    region: us-east-1
    logs:
      poll_interval: 1m

processors:
  batch:
    send_batch_size: 1024
    send_batch_max_size: 2048
    timeout: "1s"

exporters:
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - awscloudwatch
      processors:
        - batch
      exporters:
        - otlphttp/sentry
```

### [Collect Specific Log Groups by Prefix](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#collect-specific-log-groups-by-prefix)

This configuration discovers log groups matching a specific prefix, useful for collecting logs from specific AWS services like EKS or Lambda:

`config.yaml`

```yaml
receivers:
  awscloudwatch:
    region: us-east-1
    logs:
      poll_interval: 1m
      groups:
        autodiscover:
          limit: 100
          prefix: /aws/lambda/

processors:
  batch:
    send_batch_size: 1024
    send_batch_max_size: 2048
    timeout: "1s"

exporters:
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - awscloudwatch
      processors:
        - batch
      exporters:
        - otlphttp/sentry
```

### [Collect Named Log Groups](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#collect-named-log-groups)

This configuration collects logs from specific, named log groups:

`config.yaml`

```yaml
receivers:
  awscloudwatch:
    region: us-east-1
    logs:
      poll_interval: 1m
      groups:
        named:
          /aws/lambda/my-function:
          /aws/eks/my-cluster/cluster:

processors:
  batch:
    send_batch_size: 1024
    send_batch_max_size: 2048
    timeout: "1s"

exporters:
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - awscloudwatch
      processors:
        - batch
      exporters:
        - otlphttp/sentry
```

## [Troubleshooting](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#troubleshooting)

* Verify your AWS credentials are correctly configured and have the required permissions
* Ensure the specified AWS region matches where your CloudWatch log groups are located
* Check that the log group names or prefixes match existing CloudWatch log groups

## [Additional Resources](https://docs.sentry.io/concepts/otlp/forwarding/sources/aws-cloudwatch.md#additional-resources)

* [AWS CloudWatch Receiver Documentation](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awscloudwatchreceiver)
* [AWS SDK Authentication](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html)
* [Sentry OpenTelemetry Collector Configuration](https://docs.sentry.io/concepts/otlp/forwarding/pipelines/collector.md)
* [Sentry Logs](https://docs.sentry.io/product/explore/logs.md)