Sazabi
Data SourcesNative Data Sources

AWS CloudWatch Logs

Forward logs from AWS CloudWatch to Sazabi for AI-powered analysis and investigation.

AWS CloudWatch Logs is a native data source. Sazabi creates CloudWatch Logs subscription filters to forward logs from your selected log groups automatically.

About this data source

When you connect your AWS account, Sazabi provisions subscription filters on your CloudWatch log groups. These filters stream matching log events to Sazabi's intake in real-time, giving you:

  • Automatic log forwarding without managing infrastructure
  • Real-time streaming as logs are written to CloudWatch
  • Selective forwarding from specific log groups
  • AI-powered analysis and investigation of your AWS logs

Prerequisites

Before you begin, make sure you have:

  • An AWS account with CloudWatch Logs enabled
  • Log groups containing the logs you want to forward
  • IAM permissions to create subscription filters (or the ability to create an IAM role)

Setup

Open data source settings

Data Sources

Log in to Sazabi and go to Settings > Data Sources > Add Source.

Select AWS CloudWatch Logs from the list of available data sources.

Choose connection method

Sazabi supports two methods for connecting to your AWS account:

The IAM Role method is more secure because it does not require sharing long-lived credentials.

  1. Create a new IAM role in your AWS account
  2. Set the trusted entity to Sazabi's AWS account ID (provided in the dashboard)
  3. Add the required permissions policy (shown below)
  4. Copy the Role ARN and External ID into Sazabi

Required IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeSubscriptionFilters",
        "logs:PutSubscriptionFilter",
        "logs:DeleteSubscriptionFilter"
      ],
      "Resource": "*"
    }
  ]
}

Access keys are less secure than IAM roles. Only use this method if IAM roles are not possible in your environment.

  1. Create an IAM user with programmatic access
  2. Attach the required permissions policy (same as IAM Role method)
  3. Generate an access key pair
  4. Enter the Access Key ID and Secret Access Key in Sazabi

Select log groups

After authenticating, Sazabi displays a list of your CloudWatch log groups. Select the log groups you want to forward to Sazabi.

Each AWS account can have a maximum of 2 subscription filters per log group. If you already have subscription filters configured, you may need to remove one before Sazabi can create its filter.

Confirm and connect

Review your selections and click Connect. Sazabi will create subscription filters on each selected log group. Logs will begin flowing within a few minutes.

What Sazabi creates

When you connect AWS CloudWatch Logs, Sazabi provisions the following resources in your AWS account:

  • Subscription filter on each selected log group, configured to forward all log events
  • Destination pointing to Sazabi's regional intake endpoint

These resources are created in your AWS account and are visible in the CloudWatch console under each log group's subscription filters.

Verifying logs are flowing

Once connected, you can verify that logs are flowing to Sazabi:

  1. Ask the assistant: Open a thread in Sazabi and ask "Show me recent CloudWatch logs" or "What errors appeared in my Lambda logs in the last hour?"

  2. Check the dashboard: Navigate to your project in the Sazabi dashboard to see logs appear in real-time.

  3. Generate test logs: Trigger an action in your AWS environment (such as invoking a Lambda function) and verify the logs appear in Sazabi.

Disconnecting

When you disconnect AWS CloudWatch Logs from Sazabi:

  • Sazabi automatically removes all subscription filters it created
  • No logs are deleted from CloudWatch
  • Historical logs already sent to Sazabi remain available until retention expires

To disconnect, go to Settings > Data Sources, find your CloudWatch connection, and click Disconnect.

Troubleshooting

Missing IAM permissions

Sazabi requires logs:PutSubscriptionFilter and logs:DeleteSubscriptionFilter permissions. Verify your IAM role or user has the correct policy attached. Check the IAM policy simulator to confirm permissions.

Subscription filter limit reached

AWS allows a maximum of 2 subscription filters per log group. If you see this error, remove an existing subscription filter from the log group in the CloudWatch console, then retry the connection in Sazabi.

Log group not appearing

Sazabi lists log groups from the AWS region(s) you selected. Verify the log group exists in the expected region. Also check that your IAM permissions include logs:DescribeLogGroups.

Logs not arriving

  • Verify the subscription filter was created in the CloudWatch console
  • Check that new log events are being written to the log group
  • Confirm your Sazabi API key is valid and the project is active
  • Allow a few minutes for logs to propagate through the pipeline

Overview

Connect your cloud platforms to Sazabi with automatic log forwarding - no infrastructure setup required.

Google Cloud Logging

Forward logs from Google Cloud Logging to Sazabi for AI-powered analysis and investigation.

On this page

About this data sourcePrerequisitesSetupOpen data source settingsChoose connection methodSelect log groupsConfirm and connectWhat Sazabi createsVerifying logs are flowingDisconnectingTroubleshooting