Sazabi
Quickstarts

AWS CloudWatch Quickstart

Send your first CloudWatch logs to Sazabi in 5 minutes

AWS CloudWatch Quickstart

Get your AWS CloudWatch logs flowing to Sazabi in 5 minutes.

Prerequisites

  • Sazabi account
  • AWS account with CloudWatch Logs enabled
  • At least one log group with logs you want to forward
  • IAM permissions to create subscription filters (or ability to create an IAM role)

Step 1: Create an IAM role for Sazabi

Create a new IAM role that allows Sazabi to manage subscription filters on your log groups.

  1. Go to IAM Roles in the AWS Console
  2. Click Create role
  3. Select Custom trust policy and paste the following (Sazabi will provide the exact account ID and external ID in the dashboard):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SAZABI_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
  1. Click Next and create an inline policy with these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeSubscriptionFilters",
        "logs:PutSubscriptionFilter",
        "logs:DeleteSubscriptionFilter"
      ],
      "Resource": "*"
    }
  ]
}
  1. Name the role (e.g., "SazabiCloudWatchAccess") and create it
  2. Copy the Role ARN for the next step

Step 2: Connect CloudWatch to Sazabi

  1. Log in to Sazabi and go to Settings > Data Sources
  2. Click Add Source and select AWS CloudWatch Logs
  3. Select IAM Role as the connection method
  4. Enter your Role ARN and the External ID shown in the dashboard
  5. Select the AWS region(s) containing your log groups
  6. Choose the log groups you want to forward
  7. Click Connect

Sazabi will create subscription filters on each selected log group automatically.

Each AWS log group can have a maximum of 2 subscription filters. If you already have 2 filters on a log group, you will need to remove one before Sazabi can create its filter.

Step 3: Verify logs are flowing

Generate some activity in your AWS environment:

  1. Invoke a Lambda function, or
  2. Make a request to an ECS/EC2 service that logs to CloudWatch

Then verify logs are arriving in Sazabi:

  1. Open a chat thread in Sazabi
  2. Ask: "Show me recent CloudWatch logs" or "What errors appeared in my Lambda logs in the last hour?"

You should see logs appear in Sazabi within 1-2 minutes.

Troubleshooting

If logs are not appearing:

  • Verify the IAM role has the correct trust policy and permissions
  • Check that the subscription filter was created: go to your log group in CloudWatch and look under Subscription filters
  • Confirm you triggered new activity after connecting (existing logs are not backfilled)
  • Use the IAM Policy Simulator to verify permissions

Next steps

Vercel Quickstart

Send your first Vercel logs to Sazabi in 5 minutes

Google Cloud Logging Quickstart

Send your first Google Cloud Logging entries to Sazabi in 5 minutes

On this page

AWS CloudWatch QuickstartPrerequisitesStep 1: Create an IAM role for SazabiStep 2: Connect CloudWatch to SazabiStep 3: Verify logs are flowingTroubleshootingNext steps