AWS CloudTrail vs CloudWatch: Features & Instructions

In today’s digital world, cloud computing is necessary for businesses of all types and sizes, and Amazon Web Services (AWS) is undoubtedly the most popular cloud computing service provider. AWS provides a vast array of services, including CloudWatch and CloudTrail, that can monitor and log events in AWS resources.

This article will compare AWS CloudWatch and CloudTrail, looking at their features, use cases, and technical considerations. It will also provide implementation guides and pricing details for each.

Summary comparison of AWS CloudTrail vs. AWS CloudWatch

AWS CloudTrail and AWS CloudWatch offer different functions and features and are designed for specific use cases.

Core purposes
  AWS CloudTrail: Records all API activity within an AWS account to enhance security, ensure compliance, and aid in troubleshooting.
  AWS CloudWatch: An AWS monitoring service that provides a comprehensive view of operational health.
Use cases
  AWS CloudTrail: Compliance, security, providing a history of AWS infrastructure changes, governance, and forensics.
  AWS CloudWatch: Monitoring, troubleshooting, capacity planning, and resource optimization.
Logging
  AWS CloudTrail: CloudTrail events are logs of API activity within your AWS account, providing valuable data for audits, security analysis, and operational troubleshooting.
  AWS CloudWatch: CloudWatch Logs is an AWS service for the centralized storage, monitoring, and analysis of log files from AWS resources and applications, aiding in pattern detection, troubleshooting, and data archiving.
Storage and data processing
  AWS CloudTrail: Records API calls and events in an AWS account, stores them in an S3 bucket for audit and security purposes, provides processing tools for data analysis and automation, retains data for up to 7 years, and delivers events within 15 minutes and log files to S3 every 5 minutes.
  AWS CloudWatch: Collects and stores data from AWS resources and applications in a durable repository, processes it in real time for visualizations and notifications, retains metrics for 15 months and logs for 2 years, and supports high-resolution data points with granularity adjusted based on the age of the requested data.
Query and analysis
  AWS CloudTrail: Using CloudTrail Insights, you can query AWS Lambda transactions by selecting the relevant log group, entering keywords like “Invoke” in the query editor, applying filters, executing complex queries with the query language, viewing results in a table or chart format, and scheduling the query to run regularly for continuous monitoring and analysis.
  AWS CloudWatch: Allows querying and analysis of log data using labels and aggregations, which involves selecting a log group, entering search values in the query editor, adding labels as key-value pairs, performing complex queries using the CloudWatch Logs Insights query language, executing the query, and optionally saving and scheduling it for regular monitoring and analysis over time.
Pricing and cost considerations
  Both: AWS CloudWatch and CloudTrail offer separate 12-month free tiers with costs based on metrics, logs, and storage use. Various factors affect the pricing, which depends on the particulars of each service.

Understanding the core purposes of AWS CloudWatch and AWS CloudTrail

Amazon CloudWatch is a monitoring service for AWS resources and the applications you run on Amazon Web Services. Its core purpose is to provide data and actionable insights to monitor your applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.

AWS CloudTrail is a service that provides event history for AWS resources. It records every API call made in your account, including who made the call, when, and from where. Its core purposes are security, compliance, and troubleshooting.

AWS CloudWatch features

  • Metrics: CloudWatch collects, stores, and analyzes performance data, called metrics, from AWS resources and applications. Metrics are time-ordered sets of data points that help you monitor the performance of your applications and infrastructure.
  • Alarms: CloudWatch allows you to create alarms based on metric thresholds. When a metric crosses a specified threshold, an alarm is triggered. You can configure actions, such as sending notifications or stopping instances, to be performed automatically when an alarm is triggered.
  • Logs: CloudWatch Logs enable you to centralize, store, and analyze log data from AWS resources and applications. You can also set up alarms for specific log patterns or use CloudWatch Logs Insights to search, analyze, and visualize your logs.
  • Events: CloudWatch Events is a service that delivers a near-real-time stream of events describing changes to your AWS resources. You can create rules to match specific events and take automated action in response to these events, using AWS Lambda functions, SNS notifications, or other AWS services.
  • Anomaly detection: This feature uses machine learning algorithms to identify unusual behavior that is reflected in your metrics. This information can let you proactively address potential issues before they impact your applications or infrastructure.
  • Custom dashboards: CloudWatch allows you to create custom dashboards to visualize your metrics and alarms. Dashboards can be personalized to display key performance indicators (KPIs) and operational health metrics for a specific set of resources or applications.

AWS CloudTrail features

  • Activity logging: CloudTrail records account activity by logging AWS Management Console sign-in events and API calls made in your AWS account. These logs can help you track user activity and resource changes for security analysis, compliance auditing, and operational troubleshooting.
  • Event history: CloudTrail retains API call history for the last 90 days, allowing you to access and search your recent account activity.
  • Multi-region support: CloudTrail can consolidate API activity logs from multiple AWS regions, providing a unified view of your account activity across all regions.
  • Data event logging: CloudTrail can capture API calls for Amazon S3 object-level operations and AWS Lambda function executions. This feature enables you to log access to specific resources for detailed analysis and auditing.
  • Integration with other AWS services: CloudTrail logs can be delivered to Amazon S3, Amazon CloudWatch Logs, and Amazon SNS for further analysis, alerting, and archiving. Integrating these services allows you to build custom workflows and automate responses to specific events in your AWS account.
  • Log file encryption: CloudTrail supports log file encryption using AWS Key Management Service (KMS) keys, ensuring that your log data is secure and accessible only to authorized users.
  • Log file validation: CloudTrail allows you to enable log file validation, ensuring your log files’ integrity and authenticity. With validation enabled, you can be confident that your log data has not been tampered with or altered.

AWS CloudTrail and AWS CloudWatch use cases

Amazon CloudWatch tracks metrics, log files, and alarms for cloud resources, applications, and custom metrics on AWS. It offers system-wide visibility into resource utilization, application performance, and operational health across Amazon EC2, DynamoDB, RDS, and more. With automatic dashboards featuring AWS best practices, you can easily explore metrics and alarms and identify the root cause of performance issues.

  • Event detection and response: CloudWatch can be used to detect and respond to events such as instance failures, auto-scaling actions, and application errors, through the use of alarms, notifications, and automated actions.
  • Application performance monitoring (APM): CloudWatch can be used for APM, including monitoring application performance, tracking custom metrics, and tracing application requests.
  • Custom metrics: CloudWatch can be used to track and visualize custom metrics. You can also export these metrics to third-party monitoring tools. As shown in the diagram below, you can add CloudWatch Alert Sources to Squadcast.
Adding AWS CloudWatch as an alert source in Squadcast (source)
  • Disaster recovery: CloudWatch can be used to monitor and ensure the availability and performance of disaster recovery resources such as backup and recovery servers.

Amazon CloudTrail is a web service that logs account activity and stores the files in an Amazon S3 bucket. It offers visibility into user actions by recording information such as the requester, services used, actions performed, parameters, and response elements. CloudTrail facilitates tracking resource changes, troubleshooting operational issues, and ensuring compliance with internal policies and regulatory standards.

  • Change management: CloudTrail can be used to track changes made to AWS resources over time. It provides a complete history of all the changes made to each resource.
  • Security and compliance: CloudTrail can be used for security and compliance monitoring, including monitoring for unauthorized access, security events, and compliance violations. It can be used to meet various compliance requirements, such as PCI, HIPAA, SOC, etc.
  • Governance and auditing: CloudTrail logs can be used for governance and auditing purposes, providing an audit trail of all the activities and changes made to the AWS resources.
  • Risk management: CloudTrail logs can be used to identify risks associated with AWS resources as well as misconfigurations and unauthorized access attempts.

Logging

In this section, we will dive into the AWS CloudWatch Logs service as well as some AWS CloudTrail events to see how each service works.

Amazon CloudWatch Logs

Amazon CloudWatch Logs enables you to monitor and troubleshoot systems and applications using existing log files, providing near-real-time analysis of specific phrases, values, or patterns. For instance, you can set alarms based on system log errors or visualize latency graphs from application logs. CloudWatch Logs stores the log data indefinitely in highly durable, cost-effective storage, eliminating concerns about hard drive capacity.

Users can leverage CloudWatch Logs for:

  • Real-time application and system monitoring: You can leverage log data to monitor applications and systems without any code changes. For example, you can track error occurrences in application logs and receive notifications when error rates surpass specified thresholds.
  • Long-term log retention: The CloudWatch Logs Agent seamlessly transfers rotated and non-rotated log files into the log service, granting access to raw log event data when needed.

CloudWatch Logs Agent is a software agent provided by AWS that can be installed on your servers to automatically collect, process, and transmit log data from your applications or system to Amazon CloudWatch Logs.

The CloudWatch Logs Agent is compatible with various operating systems, including Amazon Linux, Ubuntu, CentOS, Red Hat Enterprise Linux, and Windows.

Amazon CloudTrail events

When an event occurs in an account, CloudTrail evaluates whether the event matches the settings for the trails configured. Only events that match the trail settings are delivered to the Amazon S3 bucket and Amazon CloudWatch Logs log group.

Multiple trails can be configured differently so that the trails process and log only the events that you specify. For example, one trail can log read-only data and management events to deliver all read-only events to one S3 bucket. Another trail might log only write-only data and management events so that all write-only events are delivered to a separate S3 bucket.

You can also configure your trails to have one trail set up to log and deliver all management events to one S3 bucket and configure another trail to log and deliver all data events to another S3 bucket.

You can configure your trails to log the following types of events:

  • Data events: These events provide visibility into the resource operations performed on or within a resource. These are also known as data plane operations.
  • Management events: Management events provide visibility into management operations performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account. For example, when a user logs into your account, CloudTrail can log the ConsoleLogin event.
  • Insights events: Insights events capture unusual activity detected in your account. If you have Insights events enabled, and CloudTrail detects unusual activity, the Insights events are logged to the destination S3 bucket for your trail but in a different folder. You can also see the type of Insights event and the incident time period when you view Insights events on the CloudTrail console. Unlike other types of events captured in a CloudTrail trail, Insights events are logged only when CloudTrail detects changes in your account’s API usage that differ significantly from the account’s typical usage patterns. Insights events are generated only for write management APIs.

Storage and data processing

Here’s how AWS CloudWatch and AWS CloudTrail process and store data.

Collection
  CloudWatch: Collects data from various sources, including AWS resources such as EC2 instances, RDS databases, and Lambda functions, as well as custom metrics and logs from applications.
  CloudTrail: Captures API calls and management events made within an AWS account, including events generated by AWS services, the AWS Management Console, the AWS Command Line Interface (CLI), and AWS SDKs.
Storage
  CloudWatch: Stores collected data in its own metrics repository, AWS CloudWatch Logs, which is an AWS-managed service. The metrics repository is optimized for high availability and durability, with multiple copies of data stored across multiple Availability Zones to ensure data reliability.
  CloudTrail: Stores the collected data in an Amazon S3 bucket, which can be used for auditing, security analysis, and compliance purposes. The data is stored in a format optimized for search and retrieval.
Processing
  CloudWatch: Processes the collected data in real time, using various algorithms to aggregate, analyze, and visualize it. This enables customers to create custom dashboards, set alarms and notifications, and perform root cause analysis.
  CloudTrail: Provides various tools for processing the collected data, including AWS Lambda functions, AWS Glue jobs, and Amazon Athena queries. Customers can use these tools to extract specific data, perform analysis, and automate tasks.
Retention
  CloudWatch: Retains metrics data for up to 15 months, allowing customers to perform historical analysis and track long-term trends. Log data retention can be configured for up to two years.
  CloudTrail: Retains event data for up to 90 days by default, but customers can configure the retention period to be longer: up to seven years.
Delivery
  CloudWatch: Supports high-resolution, one-second data points and one-minute granularity for metrics storage. Metrics may be received at varying intervals, such as three or five minutes. If not specified as high-resolution, metrics default to one-minute resolution. Data availability depends on the age of the requested data and retention schedules. For instance, requesting one-minute data from 10 days ago yields 1,440 data points, while a request for one-minute data from five months ago returns no data points from the GetMetricStatistics API, because data that old is retained only at one-hour granularity.
  CloudTrail: Typically delivers an event within 15 minutes of the API call and delivers log files to the S3 bucket approximately every five minutes. CloudTrail does not deliver log files if no API calls are made on your account. Additionally, Simple Notification Service (SNS) can be used with CloudTrail to send notifications whenever a new log file gets delivered.

Query and analysis

Querying and analyzing data from CloudWatch and CloudTrail can provide valuable insights into the behavior of your AWS environment, helping you identify issues, optimize performance, and ensure compliance. Note that AWS CloudWatch Logs and AWS CloudTrail both deal with logging, but they are used for different purposes and log different types of information.

Let’s explore some of the tools and techniques available for querying and analyzing data from CloudWatch and CloudTrail.

AWS CloudWatch

To query and analyze data using labels and aggregations from AWS CloudWatch, follow these steps:

  1. Log into the AWS Management Console and navigate to the CloudWatch dashboard.
  2. Click on the “Logs” section in the left-hand navigation menu.
  3. Select the log group that you want to query.
  4. Click the “Search Log Group” button to open the query editor.
  5. In the query editor, enter the keywords or values you want to search for in the log data.
  6. You can also use labels to help organize and filter your log data. Labels are key-value pairs that can be added to log data to provide additional context and allow for more efficient querying.
  7. To add a label to your log data, include it as a key-value pair in the log message. For example, you could include a label called “environment” with a value of “production” to indicate that the log message is related to a production environment.
  8. In the query editor, enter a filter pattern. For example, the following pattern (the general syntax on the first line, a concrete instance on the second) selects the log events whose “environment” label is “production”:
     { PropertySelector EqualityOperator String }
     { $.environment = "production" }
  9. You can also use the CloudWatch Logs Insights query language to perform more complex queries and aggregations. For example, you could use the following query to aggregate log data by both the “environment” and “service” labels:
     fields @timestamp, @message
     | filter environment = 'production'
     | filter service = 'web'
     | stats count() by environment, service

     This query will return a table showing the number of log messages for each combination of environment and service label values.
  10. Once you have entered your query, click the “Run query” button to execute it.
  11. The query results will be displayed in the query editor. You can view the results as a table or as a chart.
  12. You can also save your query and schedule it to run regularly so that you can monitor and analyze your log data over time.
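The filter pattern in step 8 and the Logs Insights query in step 9 can be reproduced locally to see exactly which events they select. The following is an added Python example, not code from the original article, that parses the { $.property = "value" } selector subset and runs the filter-plus-count aggregation over a few constructed JSON log lines; it assumes the log events are JSON objects (which is what lets Logs Insights address environment and service as fields), and one non-JSON line is included to show that it matches no property selector.

```python
import json
import re
from collections import Counter

# Constructed sample log events in JSON form, the shape from which CloudWatch Logs
# auto-discovers fields so that `filter environment = 'production'` works without
# a parse step. The last line is deliberately not JSON. Not taken from the article.
SAMPLE_EVENTS = [
    '{"timestamp":"2023-03-27T10:00:01Z","environment":"production","service":"web","message":"GET /login 200"}',
    '{"timestamp":"2023-03-27T10:00:02Z","environment":"production","service":"api","message":"POST /token 401"}',
    '{"timestamp":"2023-03-27T10:00:03Z","environment":"staging","service":"web","message":"GET /login 200"}',
    '{"timestamp":"2023-03-27T10:00:04Z","environment":"production","service":"web","message":"GET /admin 403"}',
    'plain text line that is not JSON and therefore matches no property selector',
]

# The subset of the metric filter pattern syntax used in the article:
#   { $.property = "value" }   or   { $.property != "value" }
_PATTERN_RE = re.compile(r'^\{\s*\$\.([A-Za-z0-9_.]+)\s*(=|!=)\s*"([^"]*)"\s*\}$')


def parse_filter_pattern(pattern):
    """Parse `{ $.environment = "production" }` into (property, operator, value)."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError("unsupported filter pattern: %r" % pattern)
    return m.group(1), m.group(2), m.group(3)


def _lookup(event, dotted):
    """Resolve a dotted property path such as `request.status` inside a parsed event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_filter_pattern(raw_line, pattern):
    """True if a raw log line is JSON and satisfies the property selector."""
    try:
        event = json.loads(raw_line)
    except ValueError:
        return False  # non-JSON lines never match a JSON property selector
    prop, op, value = parse_filter_pattern(pattern)
    actual = _lookup(event, prop)
    if actual is None:
        return False
    return (str(actual) == value) if op == "=" else (str(actual) != value)


def stats_count_by(raw_lines, filters, group_by):
    """Emulate `filter k = 'v' | ... | stats count() by a, b` over raw lines.

    `filters` maps field -> required value (every entry must match, like the
    chained `filter` stages in the article's query); `group_by` lists the
    fields to count by. Returns {(a_value, b_value, ...): count}.
    """
    counts = Counter()
    for line in raw_lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # Logs Insights would leave these fields empty; they fail the filter
        if all(_lookup(event, k) == v for k, v in filters.items()):
            counts[tuple(_lookup(event, g) for g in group_by)] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = [l for l in SAMPLE_EVENTS if matches_filter_pattern(l, '{ $.environment = "production" }')]
    print(len(hits), "events match the production filter pattern")
    print(stats_count_by(SAMPLE_EVENTS,
                         {"environment": "production", "service": "web"},
                         ["environment", "service"]))
```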

AWS CloudTrail

To query for AWS Lambda transactions using AWS CloudTrail, for example, you can use the CloudTrail Insights feature. CloudTrail Insights allows you to search and analyze your CloudTrail log data to identify security and operational trends and anomalies.

Here are the steps to query for AWS Lambda transactions using AWS CloudTrail Insights:

  1. Log into the AWS Management Console and navigate to the CloudTrail dashboard.
  2. Click on the “Insights” section in the left-hand navigation menu.
  3. Click the “Create Insights query” button.
  4. In the query editor, select the CloudTrail log group that contains the AWS Lambda logs you want to search.
  5. Enter the keywords or values that you want to search for in the log data. For example, you could search for the “Invoke” action, which is used to invoke a Lambda function.
  6. Use the filter options to narrow down the results based on specific criteria, such as user identity, event time, or region.
  7. You can also use the CloudTrail Insights query language to perform more complex queries and aggregations. For example, you could use the following query to search for all invocations of a specific Lambda function:
     fields eventTime, eventName, awsRegion, sourceIPAddress
     | filter (eventName = 'Invoke' AND requestParameters.functionName = 'my-lambda-function')
  8. Once you have entered your query, click the “Run query” button to execute it.
  9. The query results will be displayed in the query editor. You can view the results as a table or as a chart.
  10. You can also save your query and schedule it to run regularly so that you can monitor and analyze your AWS Lambda logs over time. Similarly, the process above can be done for any other AWS service.
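The same Lambda-invocation filter can be applied offline to a CloudTrail log file downloaded from the trail's S3 bucket (a gzip-compressed {"Records": [...]} document), and the readOnly and managementEvent fields that CloudTrail writes into each record show which of the read-only and write-only trails described under Amazon CloudTrail events would have delivered it. The following is an added Python example, not code from the original article; the records, user names, and IP addresses in it are constructed.

```python
import gzip
import json


def _rec(time, source, name, ip, user, params, read_only, mgmt):
    """Build one constructed CloudTrail record with the fields this example uses."""
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": source,
            "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": params, "readOnly": read_only, "managementEvent": mgmt}


# Constructed stand-in for a CloudTrail log file as delivered to S3: a gzip-compressed
# {"Records": [...]} document. IPs are from documentation ranges, users are made up.
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": [
    _rec("2023-03-27T00:01:10Z", "lambda.amazonaws.com", "Invoke", "203.0.113.10",
         "deploy-bot", {"functionName": "my-lambda-function"}, False, False),
    _rec("2023-03-27T00:02:30Z", "lambda.amazonaws.com", "Invoke", "203.0.113.11",
         "alice", {"functionName": "other-function"}, False, False),
    _rec("2023-03-27T00:03:00Z", "lambda.amazonaws.com", "GetFunction20150331v2", "203.0.113.12",
         "alice", {"functionName": "my-lambda-function"}, True, True),
    _rec("2023-03-27T00:04:00Z", "cloudtrail.amazonaws.com", "StopLogging", "198.51.100.7",
         "alice", {"name": "my-trail"}, False, True),
]}).encode("utf-8"))


def load_records(log_file_bytes):
    """Decode a gzip-compressed CloudTrail log file (as fetched with s3api get-object)."""
    return json.loads(gzip.decompress(log_file_bytes).decode("utf-8"))["Records"]


def lambda_invocations(records, function_name):
    """The article's query: eventName = 'Invoke' AND requestParameters.functionName = <name>,
    projected onto eventTime, eventName, awsRegion and sourceIPAddress."""
    hits = []
    for r in records:
        params = r.get("requestParameters") or {}
        if r.get("eventName") == "Invoke" and params.get("functionName") == function_name:
            hits.append({k: r.get(k) for k in ("eventTime", "eventName", "awsRegion", "sourceIPAddress")})
    return hits


def trail_would_deliver(record, read_write_type="All", include_management=True, include_data=True):
    """Emulate a trail's event selector for one record.

    read_write_type is ReadOnly, WriteOnly or All (the selector's ReadWriteType).
    Management events carry managementEvent=true and data events managementEvent=false
    in the record itself; records without the field are treated as management events
    here (an assumption for old eventVersions).
    """
    is_management = record.get("managementEvent", True)
    if is_management and not include_management:
        return False
    if not is_management and not include_data:
        return False
    read_only = bool(record.get("readOnly", False))
    if read_write_type == "ReadOnly":
        return read_only
    if read_write_type == "WriteOnly":
        return not read_only
    return True


def split_by_trail(records):
    """Partition records between the two trails described in the article: one that logs
    read-only management and data events, another that logs only write events."""
    read_only_trail = [r["eventName"] for r in records if trail_would_deliver(r, "ReadOnly")]
    write_only_trail = [r["eventName"] for r in records if trail_would_deliver(r, "WriteOnly")]
    return read_only_trail, write_only_trail


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    print(lambda_invocations(recs, "my-lambda-function"))
    print(split_by_trail(recs))
```

Note that a write-only trail is also the one that records StopLogging and similar changes to the trail itself, which is the activity a reviewer of these files usually wants to see first.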

Implementation examples

In this section, we will walk through instructions for creating a CloudWatch alarm and creating a trail using AWS CLI and AWS Console. For other approaches, such as using boto3, it is always best to refer to the official AWS documentation.

Creating a CloudWatch alarm

Shown below is an example of creating a CloudWatch alarm using the AWS CLI:

aws cloudwatch put-metric-alarm \
  --alarm-name CPU_Utilization \
  --alarm-description "Alarm when CPU utilization exceeds 85%" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --statistic Average \
  --period 300 \
  --threshold 85 \
  --comparison-operator GreaterThanThreshold \
  --dimensions "Name=InstanceId,Value=i-01234567890" \
  --evaluation-periods 1 \
  --alarm-actions arn:aws:sns:us-west-2:123456789012:SomeTopic \
  --unit Percent

This command creates an alarm that triggers when the CPU utilization of an EC2 instance with the instance ID “i-01234567890” exceeds 85%.
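The period, statistic, threshold, comparison operator and evaluation periods in that command decide together when the alarm changes state, and the interaction is easy to get wrong. The following added Python example, not part of the original article, re-implements that evaluation over a constructed one-minute CPUUtilization series so the effect of each parameter can be checked; it also accepts the M-out-of-N setting the CLI exposes as --datapoints-to-alarm (not used in the command above) and simplifies missing-data handling to INSUFFICIENT_DATA.

```python
from statistics import mean

# Comparison operators accepted by put-metric-alarm --comparison-operator.
COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}
# Statistics accepted by --statistic, applied to the raw samples inside one period.
STATISTICS = {"Average": mean, "Maximum": max, "Minimum": min, "Sum": sum, "SampleCount": len}

# Constructed one-minute CPUUtilization samples for a single instance, starting at
# 2023-03-27T00:00:00Z (epoch 1679875200). Not data from the article.
_START = 1679875200
SAMPLE_CPU = [(_START + 60 * i, v) for i, v in enumerate([40, 45, 50, 55, 60, 80, 90, 95, 100, 90])]


def aggregate_periods(datapoints, period):
    """Group (epoch_seconds, value) samples into period-aligned buckets, oldest first."""
    buckets = {}
    for ts, value in datapoints:
        buckets.setdefault(ts - ts % period, []).append(value)
    return [buckets[start] for start in sorted(buckets)]


def evaluate_alarm(datapoints, period, statistic, threshold, comparison_operator,
                   evaluation_periods, datapoints_to_alarm=None):
    """Return 'ALARM', 'OK' or 'INSUFFICIENT_DATA' for the given alarm settings.

    Mirrors the put-metric-alarm parameters: each period is reduced with the
    statistic, the last `evaluation_periods` periods are compared against the
    threshold, and the alarm fires when at least `datapoints_to_alarm` of them
    breach (defaults to all of them, as the CLI does when the flag is omitted).
    Simplification: fewer periods than evaluation_periods gives INSUFFICIENT_DATA;
    real CloudWatch also applies its treat-missing-data setting.
    """
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    reduce_samples = STATISTICS[statistic]
    breaches = COMPARISONS[comparison_operator]
    periods = aggregate_periods(datapoints, period)
    if len(periods) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    window = periods[-evaluation_periods:]
    breaching = sum(1 for samples in window if breaches(reduce_samples(samples), threshold))
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


if __name__ == "__main__":
    # Same settings as the CLI command in the article: Average over 300 s, > 85, 1 period.
    print(evaluate_alarm(SAMPLE_CPU, 300, "Average", 85, "GreaterThanThreshold", 1))
```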

To create a CloudWatch dashboard using the AWS Management Console, follow these steps:

  1. Navigate to the CloudWatch dashboard in the AWS Management Console.
  2. Click on “Create dashboard.”
  3. Select the metrics you want to display on the dashboard.
  4. Customize the layout and appearance of the dashboard.
  5. Save the dashboard.
CloudWatch homepage with various dashboards

Creating a trail using AWS CloudTrail

To create a CloudTrail trail using the AWS Management Console, follow the steps below:

  1. Navigate to the CloudTrail dashboard in the AWS Management Console.
  2. Click on “Create trail.”
  3. Enter a name for the trail, and select the S3 bucket where the logs will be stored, as shown in the figures below.
  4. Enable CloudWatch Logs, if desired.
  5. Select the log events described in the Logging > Amazon CloudTrail events section of this article. The following is a sample figure:
  6. Save the trail.

Here is an example of how to retrieve a CloudTrail log file from the trail's S3 bucket using the AWS CLI. The trailing argument is the local file the object is written to; get-object requires it:

aws s3api get-object \
  --bucket aws-cloudtrail-logs-08132020-my-trail \
  --key CloudTrail/AWSLogs/123456789012/CloudTrail/us-east-1/2023/03/27/123456789012_CloudTrail_us-east-1_20200327T0000Z_rndDZT1TtMyLlOoA.json \
  --region us-east-1 \
  cloudtrail-log.json

Pricing and cost considerations

Both AWS CloudWatch and AWS CloudTrail have offerings in the AWS free tier, and the free tiers are separate and independent, each lasting 12 months. This allows customers to use both services without charge during their first year, subject to the respective free tier limits.

AWS CloudWatch

AWS CloudWatch pricing is based on the number of metrics and logs ingested, stored, and analyzed. The pricing structure can be complicated, but the basic pricing for CloudWatch is as follows:

  • Metrics: $0.30 for the first 10,000 metrics
  • Alarms: $0.10 per alarm metric
  • Logs:
    • Collect (data ingestion): $0.50 per GB
    • Store (archival): $0.03 per GB
    • Analyze (Logs Insights queries): $0.005 per GB of data scanned

AWS CloudTrail

AWS CloudTrail pricing is based on the number of events logged and the S3 storage used to store the logs. The introductory pricing for CloudTrail is as follows:

  • Ingest and store: $2.50 per GB (for the first 5 TB), which includes seven years of storage.
  • Analyze stored logs: $0.005 per GB of data scanned

Note that CloudTrail logs accumulate quickly and can require significant storage space, so review and manage them regularly to keep costs under control.

Conclusion

AWS CloudWatch and AWS CloudTrail are indispensable tools for effectively managing and monitoring your AWS infrastructure. In this comparison of CloudWatch vs. CloudTrail, we see that while CloudWatch excels at providing real-time performance monitoring, alerting, and troubleshooting for your AWS resources, CloudTrail focuses on recording and analyzing API activity, enabling enhanced security and compliance.

Written By:
Squadcast Community
Vishal Padghan
Squadcast Community
Vishal Padghan
June 9, 2023
Cloud Computing
Share this blog:
In This Article:
Get reliability insights delivered straight to your inbox.
Get ready for the good stuff! No spam, no data sale and no promotion. Just the awesome content you signed up for.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
If you wish to unsubscribe, we won't hold it against you. Privacy policy.
Get reliability insights delivered straight to your inbox.
Get ready for the good stuff! No spam, no data sale and no promotion. Just the awesome content you signed up for.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
If you wish to unsubscribe, we won't hold it against you. Privacy policy.
Get the latest scoop on Reliability insights. Delivered straight to your inbox.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
If you wish to unsubscribe, we won't hold it against you. Privacy policy.
Squadcast is a leader in Incident Management on G2 Squadcast is a leader in Mid-Market IT Service Management (ITSM) Tools on G2 Squadcast is a leader in Americas IT Alerting on G2 Best IT Management Products 2024 Squadcast is a leader in Europe IT Alerting on G2 Squadcast is a leader in Enterprise Incident Management on G2 Users love Squadcast on G2
Squadcast is a leader in Incident Management on G2 Squadcast is a leader in Mid-Market IT Service Management (ITSM) Tools on G2 Squadcast is a leader in Americas IT Alerting on G2 Best IT Management Products 2024 Squadcast is a leader in Europe IT Alerting on G2 Squadcast is a leader in Enterprise Incident Management on G2 Users love Squadcast on G2
Squadcast is a leader in Incident Management on G2 Squadcast is a leader in Mid-Market IT Service Management (ITSM) Tools on G2 Squadcast is a leader in Americas IT Alerting on G2
Best IT Management Products 2024 Squadcast is a leader in Europe IT Alerting on G2 Squadcast is a leader in Enterprise Incident Management on G2
Users love Squadcast on G2
Copyright © Squadcast Inc. 2017-2024

AWS CloudTrail vs CloudWatch: Features & Instructions

Jun 9, 2023
Last Updated:
November 20, 2024
Share this post:
AWS CloudTrail vs CloudWatch: Features & Instructions
Table of Contents:

    In today’s digital world, cloud computing is necessary for businesses of all types and sizes, and Amazon Web Services (AWS) is undoubtedly the most popular cloud computing service provider. AWS provides a vast array of services, including CloudWatch and CloudTrail, that can monitor and log events in AWS resources.

    This article will compare AWS CloudWatch and CloudTrail, looking at their features, use cases, and technical considerations. It will also provide implementation guides and pricing details for each.

    Summary comparison of AWS CloudTrail vs. AWS CloudWatch

    AWS CloudTrail and AWS CloudWatch offer different functions and features and are designed for specific use cases.

    Concept AWS CloudTrail AWS CloudWatch
    Core Purposes AWS CloudTrail records all API activity within an AWS account to enhance security, ensure compliance, and aid in troubleshooting. Amazon CloudWatch is an AWS monitoring service that provides a comprehensive view of operational health.
    Use Cases Compliance, security, providing a history of AWS infrastructure changes, governance, and forensics Monitoring, troubleshooting, capacity planning, and resource optimization
    Logging CloudTrail events are logs of API activity within your AWS account, providing valuable data for audits, security analysis, and operational troubleshooting. CloudWatch Logs is an AWS service for the centralized storage, monitoring, and analysis of log files from AWS resources and applications, aiding in pattern detection, troubleshooting, and data archiving.
    Storage and data processing CloudTrail records API calls and events in an AWS account, stores them in an S3 bucket for audit and security purposes, provides processing tools for data analysis and automation, retains data for up to 7 years, and delivers events within 15 minutes and log files to S3 every 5 minutes. CloudWatch collects and stores data from AWS resources and applications in a durable repository, processes it in real-time for visualizations and notifications, retains metrics for 15 months and logs for 2 years, and supports high-resolution data points with granularity adjusted based on the age of the requested data.
    Query and analysis Using CloudTrail Insights, you can query AWS Lambda transactions by selecting the relevant log group, entering keywords like “Invoke” in the query editor, applying filters, executing complex queries with the query language, viewing results in a table or chart format, and scheduling the query to run regularly for continuous monitoring and analysis. CloudWatch allows querying and analysis of log data using labels and aggregations, which involves selecting a log group, entering search values in the query editor, adding labels as key-value pairs, performing complex queries using the CloudWatch Logs Insights query language, executing the query, and optionally saving and scheduling it for regular monitoring and analysis over time.
    Pricing and Cost Considerations AWS CloudWatch and CloudTrail offer separate 12-month free tiers with costs based on metrics, logs, and storage use. Various factors come into play that affect the pricing, which depends on the particulars for each service.

    Understanding the core purposes of AWS CloudWatch and AWS CloudTrail

    Amazon CloudWatch is a monitoring service for AWS resources and the applications you run on Amazon Web Services. Its core purpose is to provide data and actionable insights to monitor your applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.

    AWS CloudTrail is a service that provides event history for AWS resources. It records every API call made in your account, including who made the call, when, and from where. Its core purposes are security, compliance, and troubleshooting.

    AWS CloudWatch features

    • Metrics: CloudWatch collects, stores, and analyzes performance data, called metrics, from AWS resources and applications. Metrics are time-ordered sets of data points that help you monitor the performance of your applications and infrastructure.
    • Alarms: CloudWatch allows you to create alarms based on metric thresholds. When a metric crosses a specified threshold, an alarm is triggered. You can configure actions, such as sending notifications or stopping instances, to be performed automatically when an alarm is triggered.
    • Logs: CloudWatch Logs enable you to centralize, store, and analyze log data from AWS resources and applications. You can also set up alarms for specific log patterns or use CloudWatch Logs Insights to search, analyze, and visualize your logs.
    • Events: CloudWatch Events is a service that delivers a near-real-time stream of events describing changes to your AWS resources. You can create rules to match specific events and take automated action in response to these events, using AWS Lambda functions, SNS notifications, or other AWS services.
    • Anomaly detection: This feature uses machine learning algorithms to identify unusual behavior that is reflected in your metrics. This information can let you proactively address potential issues before they impact your applications or infrastructure.
    • Custom dashboards: CloudWatch allows you to create custom dashboards to visualize your metrics and alarms. Dashboards can be personalized to display key performance indicators (KPIs) and operational health metrics for a specific set of resources or applications.

    AWS CloudTrail features

    • Activity logging: CloudTrail records account activity by logging AWS Management Console sign-in events and API calls made in your AWS account. These logs can help you track user activity and resource changes for security analysis, compliance auditing, and operational troubleshooting.
    • Event history: CloudTrail retains API call history for the last 90 days, allowing you to access and search your recent account activity.
    • Multi-region support: CloudTrail can consolidate API activity logs from multiple AWS regions, providing a unified view of your account activity across all regions.
    • Data event logging: CloudTrail can capture API calls for Amazon S3 object-level operations and AWS Lambda function executions. This feature enables you to log access to specific resources for detailed analysis and auditing.
    • Integration with other AWS services: CloudTrail logs can be delivered to Amazon S3, Amazon CloudWatch Logs, and Amazon SNS for further analysis, alerting, and archiving. Integrating these services allows you to build custom workflows and automate responses to specific events in your AWS account.
    • Log file encryption: CloudTrail supports log file encryption using AWS Key Management Service (KMS) keys, ensuring that your log data is secure and accessible only to authorized users.
    • Log file validation: CloudTrail allows you to enable log file validation, ensuring your log files’ integrity and authenticity. With validation enabled, you can be confident that your log data has not been tampered with or altered.
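
As an added illustration of the log file validation feature (example code written for this comparison, not CloudTrail's own implementation and not the `aws cloudtrail validate-logs` command AWS provides), the following Python models the integrity check: each digest file lists the SHA-256 of every log file it covers and the hash of the previous digest file, so recomputing those hashes reveals a log file that was altered or removed after delivery, and a broken chain reveals a deleted or altered digest. The bucket name, object keys, digest contents and log records are constructed sample data; the digest field names follow the documented digest file layout, and the hash is taken over the uncompressed log content as that documentation describes it. Verification of the digest's RSA signature against the CloudTrail public key, which the real check also performs, is left out.

```python
import gzip
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple

# --- Constructed sample data (placeholder names, not real CloudTrail output) ---
BUCKET = "example-trail-bucket"
GOOD_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2023/03/27/good.json.gz"
TAMPERED_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2023/03/27/tampered.json.gz"

_RECORDS = {"Records": [{"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin"}]}
_ORIGINAL_CONTENT = json.dumps(_RECORDS).encode()   # content that existed when the digest was written


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What the bucket holds now: the second object lost its record after the digest was produced.
S3_OBJECTS: Dict[str, bytes] = {
    GOOD_KEY: gzip.compress(_ORIGINAL_CONTENT, mtime=0),
    TAMPERED_KEY: gzip.compress(json.dumps({"Records": []}).encode(), mtime=0),
}

# The digest file for the previous hour, and the current digest that chains to it.
PREVIOUS_DIGEST_BYTES = json.dumps({"digestEndTime": "2023-03-27T09:00:00Z", "logFiles": []}).encode()

DIGEST = {
    "awsAccountId": "123456789012",
    "digestStartTime": "2023-03-27T09:00:00Z",
    "digestEndTime": "2023-03-27T10:00:00Z",
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_BYTES),
    "logFiles": [
        {"s3Bucket": BUCKET, "s3Object": GOOD_KEY, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(_ORIGINAL_CONTENT)},
        {"s3Bucket": BUCKET, "s3Object": TAMPERED_KEY, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(_ORIGINAL_CONTENT)},
    ],
}


def fetch_from_sample_bucket(bucket: str, key: str) -> Optional[bytes]:
    """Stand-in for an S3 GetObject call; returns None when the object is gone."""
    return S3_OBJECTS.get(key) if bucket == BUCKET else None


def verify_log_files(digest: dict, fetch: Callable[[str, str], Optional[bytes]]) -> List[Tuple[str, str]]:
    """Recompute the SHA-256 of each log file the digest lists (over the gunzipped
    content) and report 'ok', 'tampered', 'missing' or 'unsupported-algorithm'."""
    results = []
    for entry in digest["logFiles"]:
        data = fetch(entry["s3Bucket"], entry["s3Object"])
        if data is None:
            status = "missing"
        elif entry["hashAlgorithm"] != "SHA-256":
            status = "unsupported-algorithm"
        elif sha256_hex(gzip.decompress(data)) == entry["hashValue"].lower():
            status = "ok"
        else:
            status = "tampered"
        results.append((entry["s3Object"], status))
    return results


def verify_digest_chain(digest: dict, previous_digest_bytes: Optional[bytes]) -> bool:
    """Each digest records the hash of the previous digest file. A digest with no
    previous hash is the first in its chain; otherwise the previous file must exist
    and hash to the recorded value."""
    expected = digest.get("previousDigestHashValue")
    if expected is None:
        return previous_digest_bytes is None
    return previous_digest_bytes is not None and sha256_hex(previous_digest_bytes) == expected.lower()


if __name__ == "__main__":
    for key, status in verify_log_files(DIGEST, fetch_from_sample_bucket):
        print(f"{status:>9}  {key}")
    print("digest chain intact:", verify_digest_chain(DIGEST, PREVIOUS_DIGEST_BYTES))
```

Run on a schedule, this kind of check is only meaningful if the principal running it cannot itself modify the trail bucket; otherwise an attacker with that access could rewrite both the log file and the digest.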

    AWS CloudTrail and AWS CloudWatch use cases

    Amazon CloudWatch tracks metrics, log files, and alarms for cloud resources, applications, and custom metrics on AWS. It offers system-wide visibility into resource utilization, application performance, and operational health across Amazon EC2, DynamoDB, RDS, and more. With automatic dashboards featuring AWS best practices, you can easily explore metrics and alarms and identify the root cause of performance issues.

    • Event detection and response: CloudWatch can be used to detect and respond to events such as instance failures, auto-scaling actions, and application errors, through the use of alarms, notifications, and automated actions.
    • Application performance monitoring (APM): CloudWatch can be used for APM, including monitoring application performance, tracking custom metrics, and tracing application requests.
    • Custom metrics: CloudWatch can be used to track and visualize custom metrics. You can also export these metrics to third-party monitoring tools. As shown in the diagram below, you can add CloudWatch Alert Sources to Squadcast.
    Adding AWS CloudWatch as an alert source in Squadcast (source)
    • Disaster recovery: CloudWatch can be used to monitor and ensure the availability and performance of disaster recovery resources such as backup and recovery servers.

    Amazon CloudTrail is a web service that logs account activity and stores the files in an Amazon S3 bucket. It offers visibility into user actions by recording information such as the requester, services used, actions performed, parameters, and response elements. CloudTrail facilitates tracking resource changes, troubleshooting operational issues, and ensuring compliance with internal policies and regulatory standards.

    • Change management: CloudTrail can be used to track changes made to AWS resources over time. It provides a complete history of all the changes made to each resource.
    • Security and compliance: CloudTrail can be used for security and compliance monitoring, including monitoring for unauthorized access, security events, and compliance violations. It can be used to meet various compliance requirements, such as PCI, HIPAA, SOC, etc.
    • Governance and auditing: CloudTrail logs can be used for governance and auditing purposes, providing an audit trail of all the activities and changes made to the AWS resources.
    • Risk management: CloudTrail logs can be used to identify risks associated with AWS resources as well as misconfigurations and unauthorized access attempts.

    Logging

    In this section, we will dive into the AWS CloudWatch Logs service as well as some AWS CloudTrail events to see how each service works.

    Amazon CloudWatch Logs

    Amazon CloudWatch Logs enables you to monitor and troubleshoot systems and applications using existing log files, providing near-real-time analysis of specific phrases, values, or patterns. For instance, you can set alarms based on system log errors or visualize latency graphs from application logs. CloudWatch Logs stores the log data indefinitely in highly durable, cost-effective storage, eliminating concerns about hard drive capacity.

    Users can leverage CloudWatch Logs for:

    • Real-time application and system monitoring: You can leverage log data to monitor applications and systems without any code changes. For example, you can track error occurrences in application logs and receive notifications when error rates surpass specified thresholds.
    • Long-term log retention: The CloudWatch Logs Agent seamlessly transfers rotated and non-rotated log files into the log service, granting access to raw log event data when needed.

    CloudWatch Logs Agent is a software agent provided by AWS that can be installed on your servers to automatically collect, process, and transmit log data from your applications or system to Amazon CloudWatch Logs.

    The CloudWatch Logs Agent is compatible with various operating systems, including Amazon Linux, Ubuntu, CentOS, Red Hat Enterprise Linux, and Windows.

    Amazon CloudTrail events

    When an event occurs in an account, CloudTrail evaluates whether the event matches the settings for the trails configured. Only events that match the trail settings are delivered to the Amazon S3 bucket and Amazon CloudWatch Logs log group.

    Multiple trails can be configured differently so that the trails process and log only the events that you specify. For example, one trail can log read-only data and management events to deliver all read-only events to one S3 bucket. Another trail might log only write-only data and management events so that all write-only events are delivered to a separate S3 bucket.

    You can also configure your trails to have one trail set up to log and deliver all management events to one S3 bucket and configure another trail to log and deliver all data events to another S3 bucket.

    You can configure your trails to log the following types of events:

    • Data events: These events provide visibility into the resource operations performed on or within a resource. These are also known as data plane operations.
    • Management events: Management events provide visibility into management operations performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account. For example, when a user logs into your account, CloudTrail can log the ConsoleLogin event.
    • Insights events: Insights events capture unusual activity detected in your account. If you have Insights events enabled, and CloudTrail detects unusual activity, the Insights events are logged to the destination S3 bucket for your trail but in a different folder. You can also see the type of Insights event and the incident time period when you view Insights events on the CloudTrail console. Unlike other types of events captured in a CloudTrail trail, Insights events are logged only when CloudTrail detects changes in your account’s API usage that differ significantly from the account’s typical usage patterns. Insights events are generated only for write management APIs.

    Storage and data processing

    Here’s how AWS CloudWatch and AWS CloudTrail process and store data.

    Collection
    • CloudWatch: collects data from various sources, including AWS resources such as EC2 instances, RDS databases, and Lambda functions, as well as custom metrics and logs from applications.
    • CloudTrail: captures API calls and management events made within an AWS account, including events generated by AWS services, the AWS Management Console, the AWS Command Line Interface (CLI), and AWS SDKs.

    Storage
    • CloudWatch: stores collected metrics in its own AWS-managed metrics repository and log data in CloudWatch Logs. The metrics repository is optimized for high availability and durability, with multiple copies of data stored across multiple Availability Zones to ensure data reliability.
    • CloudTrail: stores the collected data in an Amazon S3 bucket, which can be used for auditing, security analysis, and compliance purposes. The data is stored in a format optimized for search and retrieval.

    Processing
    • CloudWatch: processes the collected data in real time, using various algorithms to aggregate, analyze, and visualize it. This enables customers to create custom dashboards, set alarms and notifications, and perform root cause analysis.
    • CloudTrail: provides various tools for processing the collected data, including AWS Lambda functions, AWS Glue jobs, and Amazon Athena queries. Customers can use these tools to extract specific data, perform analysis, and automate tasks.

    Retention
    • CloudWatch: retains metrics data for up to 15 months, allowing customers to perform historical analysis and track long-term trends. Log data retention can be configured for up to two years.
    • CloudTrail: retains event data for up to 90 days by default, but customers can configure the retention period to be longer: up to seven years.

    Delivery
    • CloudWatch: supports high-resolution, one-second data points and one-minute granularity for metrics storage. Metrics may be received at varying intervals, such as three or five minutes. If not specified as high-resolution, metrics default to one-minute resolution. Data availability depends on the age of the requested data and retention schedules. For instance, requesting one-minute data from 10 days ago yields 1,440 data points, while a request from five months ago auto-adjusts to one-hour granularity with no GetMetricStatistics API output.
    • CloudTrail: typically delivers an event within 15 minutes of the API call and delivers log files to the S3 bucket approximately every five minutes. CloudTrail does not deliver log files if no API calls are made on your account. Additionally, Simple Notification Service (SNS) can be used with CloudTrail to send notifications whenever a new log file gets delivered.

    Query and analysis

    Querying and analyzing data from CloudWatch and CloudTrail can provide valuable insights into the behavior of your AWS environment, helping you identify issues, optimize performance, and ensure compliance. Note that AWS CloudWatch Logs and AWS CloudTrail both deal with logging, but they are used for different purposes and log different types of information.

    Let’s explore some of the tools and techniques available for querying and analyzing data from CloudWatch and CloudTrail.

    AWS CloudWatch

    To query and analyze data using labels and aggregations from AWS CloudWatch, follow these steps:

    1. Log into the AWS Management Console and navigate to the CloudWatch dashboard.
    2. Click on the “Logs” section in the left-hand navigation menu.
    3. Select the log group that you want to query.
    4. Click the “Search Log Group” button to open the query editor.
    5. In the query editor, enter the keywords or values you want to search for in the log data.
    6. You can also use labels to help organize and filter your log data. Labels are key-value pairs that can be added to log data to provide additional context and allow for more efficient querying.
    7. To add a label to your log data, include it as a key-value pair in the log message. For example, you could include a label called “environment” with a value of “production” to indicate that the log message is related to a production environment.
    8. In the query editor, enter a query. For example, you could use the following query to aggregate log data by the “environment” label:
       { PropertySelector EqualityOperator String }
       { $.environment = "production" }
    9. You can also use the CloudWatch Logs Insights query language to perform more complex queries and aggregations. For example, you could use the following query to aggregate log data by both the “environment” and “service” labels:
       fields @timestamp, @message
       | filter environment = 'production'
       | filter service = 'web'
       | stats count() by environment, service

    This query will return a table showing the number of log messages for each combination of environment and service label values.

    10. Once you have entered your query, click the “Run query” button to execute it.
    11. The query results will be displayed in the query editor. You can view the results as a table or as a chart.
    12. You can also save your query and schedule it to run regularly so that you can monitor and analyze your log data over time.
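
To make the two query forms in these steps concrete without an AWS account, here is an added Python example (written for this article, not CloudWatch's own code): a small parser for the single-comparison JSON filter pattern `{ $.property op literal }` and a function that reproduces what the `filter ... | stats count() by environment, service` query returns, both run over constructed JSON log lines. Only the one-comparison form of the filter pattern is supported, not the `&&`/`||` compound form, and, as in CloudWatch, a non-JSON line or a missing property never matches a JSON property selector.

```python
import json
import re
from collections import Counter
from typing import Any, Dict, List, Tuple

# Constructed sample log events (JSON lines), as an application might emit them.
SAMPLE_LOG_LINES = [
    '{"environment": "production", "service": "web", "level": "ERROR", "latency_ms": 830}',
    '{"environment": "production", "service": "web", "level": "INFO", "latency_ms": 120}',
    '{"environment": "production", "service": "api", "level": "INFO", "latency_ms": 95}',
    '{"environment": "staging", "service": "web", "level": "ERROR", "latency_ms": 410}',
    "plain text line that is not JSON",
]

# { $.path.to.property <op> "string" }  or  { $.path.to.property <op> number }
_PATTERN_RE = re.compile(
    r'^\{\s*\$\.([A-Za-z0-9_.]+)\s*(!=|<=|>=|=|<|>)\s*("([^"]*)"|-?\d+(?:\.\d+)?)\s*\}$'
)

_OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_metric_filter(pattern: str) -> Tuple[List[str], str, Any]:
    """Parse `{ $.a.b op literal }` into (property path, operator, literal)."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported filter pattern: {pattern!r}")
    path, op, literal, string_value = m.groups()
    value: Any = string_value if string_value is not None else float(literal)
    return path.split("."), op, value


def _lookup(event: Any, path: List[str]) -> Any:
    for key in path:
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event


def metric_filter_matches(pattern: str, log_line: str) -> bool:
    """True if the JSON log line satisfies the filter pattern."""
    try:
        event = json.loads(log_line)
    except json.JSONDecodeError:
        return False
    path, op, value = parse_metric_filter(pattern)
    actual = _lookup(event, path)
    if isinstance(value, str):
        # string properties support only equality tests
        return isinstance(actual, str) and op in ("=", "!=") and _OPS[op](actual, value)
    if isinstance(actual, bool) or not isinstance(actual, (int, float)):
        return False
    return _OPS[op](float(actual), value)


def count_matching(pattern: str, log_lines: List[str]) -> int:
    """What a metric filter would publish: the number of matching events."""
    return sum(metric_filter_matches(pattern, line) for line in log_lines)


def stats_count_by(log_lines: List[str], filters: Dict[str, Any], group_by: List[str]) -> Dict[tuple, int]:
    """Offline equivalent of `filter k = 'v' ... | stats count() by <group_by fields>`."""
    counts: Counter = Counter()
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(event.get(k) == v for k, v in filters.items()):
            counts[tuple(event.get(f) for f in group_by)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(count_matching('{ $.environment = "production" }', SAMPLE_LOG_LINES))
    print(stats_count_by(SAMPLE_LOG_LINES, {"environment": "production", "service": "web"},
                         ["environment", "service"]))
```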

    AWS CloudTrail

    For example, to query for AWS Lambda transactions using AWS CloudTrail, you can use the CloudTrail Insights feature. CloudTrail Insights allows you to search and analyze your CloudTrail log data to identify security and operational trends and anomalies.

    Here are the steps to query for AWS Lambda transactions using AWS CloudTrail Insights:

    1. Log into the AWS Management Console and navigate to the CloudTrail dashboard.
    2. Click on the “Insights” section in the left-hand navigation menu.
    3. Click the “Create Insights query” button.
    4. In the query editor, select the CloudTrail log group that contains the AWS Lambda logs you want to search.
    5. Enter the keywords or values that you want to search for in the log data. For example, you could search for the “Invoke” action, which is used to invoke a Lambda function.
    6. Use the filter options to narrow down the results based on specific criteria, such as user identity, event time, or region.
    7. You can also use the CloudTrail Insights query language to perform more complex queries and aggregations. For example, you could use the following query to search for all invocations of a specific Lambda function:
    fields eventTime, eventName, awsRegion, sourceIPAddress
    | filter (eventName = 'Invoke' AND requestParameters.functionName = 'my-lambda-function')
    8. Once you have entered your query, click the “Run query” button to execute it.
    9. The query results will be displayed in the query editor. You can view the results as a table or as a chart.
    10. You can also save your query and schedule it to run regularly so that you can monitor and analyze your AWS Lambda logs over time. Similarly, the process above can be done for any other AWS service.
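
Below is an added Python example (written for this article, not AWS code) that works through the CloudTrail event types described in the Logging section and the Lambda query above against a constructed log file in CloudTrail's "Records" format. It applies the `eventName = 'Invoke' AND requestParameters.functionName = 'my-lambda-function'` condition and projects the same four fields, splits read-only from write events using the record's readOnly flag (the split a read-only trail and a write-only trail would make), counts management against data events using the managementEvent flag, and lists failed ConsoleLogin events from responseElements. Every record value is made up; only the field names follow the CloudTrail record format.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like a CloudTrail log file; all values are made up.
SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2023-03-27T10:00:01Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "readOnly": False, "managementEvent": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"functionName": "my-lambda-function"}},
    {"eventTime": "2023-03-27T10:00:05Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "readOnly": False, "managementEvent": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"functionName": "other-function"}},
    {"eventTime": "2023-03-27T10:01:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "ListFunctions20150331", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "readOnly": True, "managementEvent": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2023-03-27T10:02:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "readOnly": False, "managementEvent": True,
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2023-03-27T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "readOnly": True, "managementEvent": False,
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"}},
]})

# The `fields` clause of the page's query.
PROJECTED_FIELDS = ("eventTime", "eventName", "awsRegion", "sourceIPAddress")


def load_records(log_file_text: str) -> List[dict]:
    """A CloudTrail log file is a JSON object with a single "Records" array."""
    return json.loads(log_file_text)["Records"]


def lambda_invocations(records: List[dict], function_name: str) -> List[Dict[str, str]]:
    """Offline equivalent of:
    filter (eventName = 'Invoke' AND requestParameters.functionName = <function_name>)"""
    out = []
    for r in records:
        params = r.get("requestParameters") or {}
        if (r.get("eventSource") == "lambda.amazonaws.com" and r.get("eventName") == "Invoke"
                and params.get("functionName") == function_name):
            out.append({f: r.get(f) for f in PROJECTED_FIELDS})
    return out


def split_read_write(records: List[dict]) -> Tuple[List[str], List[str]]:
    """Partition event names by the readOnly flag (read-only trail vs write-only trail)."""
    read_only = [r["eventName"] for r in records if r.get("readOnly") is True]
    write = [r["eventName"] for r in records if r.get("readOnly") is not True]
    return read_only, write


def count_by_plane(records: List[dict]) -> Dict[str, int]:
    """Management (control-plane) vs data (data-plane) events via managementEvent."""
    counts = {"management": 0, "data": 0}
    for r in records:
        counts["management" if r.get("managementEvent") else "data"] += 1
    return counts


def console_login_failures(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Failed console sign-ins as (eventTime, userName, sourceIPAddress) tuples."""
    return [
        (r["eventTime"], (r.get("userIdentity") or {}).get("userName", "<unknown>"), r.get("sourceIPAddress"))
        for r in records
        if r.get("eventSource") == "signin.amazonaws.com"
        and r.get("eventName") == "ConsoleLogin"
        and (r.get("responseElements") or {}).get("ConsoleLogin") == "Failure"
    ]


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL_FILE)
    print(lambda_invocations(recs, "my-lambda-function"))
    print(split_read_write(recs))
    print(count_by_plane(recs))
    print(console_login_failures(recs))
```

Note that the Invoke and GetObject records are data events: they only appear in a trail that has data event logging enabled for Lambda and for that S3 bucket, which is the choice made in the "Select the log events" step when creating the trail.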

    Implementation examples

    In this section, we will walk through instructions for creating a CloudWatch alarm and creating a trail using AWS CLI and AWS Console. For other approaches, such as using boto3, it is always best to refer to the official AWS documentation.

    Creating a CloudWatch alarm

    Shown below is an example of creating a CloudWatch alarm using the AWS CLI:

    aws cloudwatch put-metric-alarm --alarm-name CPU_Utilization --alarm-description "Alarm when CPU utilization exceeds 85%" --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 85 --comparison-operator GreaterThanThreshold --dimensions "Name=InstanceId,Value=i-01234567890" --evaluation-periods 1 --alarm-actions arn:aws:sns:us-west-2:123456789012:SomeTopic --unit Percent

    This command creates an alarm that triggers when the CPU utilization of an EC2 instance with the instance ID “i-01234567890” exceeds 85%.
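
As an added example of how that alarm is evaluated (a simplified model written for this article, not CloudWatch's implementation), the Python below aggregates raw samples into the 300-second Average datapoints the command asks for and applies the threshold with the evaluation-periods rule, generalized to the M-of-N (datapoints-to-alarm) and treat-missing-data settings that the command leaves at their defaults. The CPU samples are constructed. CloudWatch's default "missing" treatment, which it handles with more nuance than shown here, is not modelled, and "ignore" is reduced to keeping the previous state.

```python
import operator
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

COMPARISONS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}


@dataclass
class AlarmSpec:
    metric_name: str
    threshold: float
    comparison_operator: str
    period: int                                  # seconds aggregated into one datapoint
    evaluation_periods: int                      # N: recent datapoints examined
    datapoints_to_alarm: Optional[int] = None    # M: how many must breach (defaults to N)
    treat_missing_data: str = "notBreaching"     # modelled: notBreaching, breaching, ignore


# The alarm from the CLI command above, expressed in this model.
CPU_ALARM = AlarmSpec("CPUUtilization", 85.0, "GreaterThanThreshold", period=300, evaluation_periods=1)


def average_per_period(samples: Iterable[Tuple[int, float]], period: int) -> List[Optional[float]]:
    """Aggregate raw (timestamp_seconds, value) samples into the Average statistic per
    period, oldest first; a period with no samples becomes None (missing data)."""
    buckets: Dict[int, List[float]] = {}
    for ts, value in samples:
        buckets.setdefault(ts // period, []).append(value)
    if not buckets:
        return []
    first, last = min(buckets), max(buckets)
    return [sum(buckets[i]) / len(buckets[i]) if i in buckets else None for i in range(first, last + 1)]


def evaluate_alarm(spec: AlarmSpec, datapoints: List[Optional[float]], previous_state: str = "OK") -> str:
    """Return 'ALARM' or 'OK' from the most recent N datapoints (None = missing)."""
    n = spec.evaluation_periods
    m = spec.datapoints_to_alarm or n
    window = datapoints[-n:]
    window = [None] * (n - len(window)) + window    # a short history pads with missing points
    breaching = COMPARISONS[spec.comparison_operator]
    breaches = 0
    for value in window:
        if value is None:
            if spec.treat_missing_data == "breaching":
                breaches += 1
            elif spec.treat_missing_data == "ignore":
                return previous_state               # keep the current state on missing data
            # notBreaching: a missing point counts as a good point
        elif breaching(value, spec.threshold):
            breaches += 1
    return "ALARM" if breaches >= m else "OK"


# Constructed one-minute CPU samples (seconds since the hour, percent); all made up.
SAMPLE_CPU = [(0, 70.0), (60, 82.0), (120, 91.0), (180, 95.0), (240, 97.0),      # period 0: avg 87.0
              (300, 60.0), (360, 55.0), (420, 58.0), (480, 52.0), (540, 50.0)]   # period 1: avg 55.0


def run_demo() -> List[str]:
    """State of CPU_ALARM after each 300-second period of the sample data."""
    points = average_per_period(SAMPLE_CPU, CPU_ALARM.period)
    states, state = [], "OK"
    for i in range(len(points)):
        state = evaluate_alarm(CPU_ALARM, points[: i + 1], state)
        states.append(state)
    return states


if __name__ == "__main__":
    print(run_demo())
```

With `--evaluation-periods 1`, a single 300-second average above 85 fires the alarm; raising N and setting M below it (for example 2 of 3) is the usual way to keep one noisy datapoint from paging the on-call engineer.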

    To create a CloudWatch dashboard using the AWS Management Console, follow these steps:

    1. Navigate to the CloudWatch dashboard in the AWS Management Console.
    2. Click on “Create dashboard.”
    3. Select the metrics you want to display on the dashboard.
    4. Customize the layout and appearance of the dashboard.
    5. Save the dashboard.
    CloudWatch homepage with various dashboards

    Creating a trail using AWS CloudTrail

    To create a CloudTrail trail using the AWS Management Console, follow the steps below:

    1. Navigate to the CloudTrail dashboard in the AWS Management Console.
    2. Click on “Create trail.”
    3. Enter a name for the trail, and select the S3 bucket where the logs will be stored, as shown in the figures below.
    4. Enable CloudWatch Logs, if desired.
    5. Select the log events described in the Logging > Amazon CloudTrail events section of this article. The following is a sample figure:
    6. Save the trail.

    Here is an example of how to retrieve CloudTrail logs using the AWS CLI:

    aws s3api get-object --bucket aws-cloudtrail-logs-08132020-my-trail --key CloudTrail/AWSLogs/123456789012/CloudTrail/us-east-1/2023/03/27/123456789012_CloudTrail_us-east-1_20200327T0000Z_rndDZT1TtMyLlOoA.json --region us-east-1
    

    Pricing and cost considerations

    Both AWS CloudWatch and AWS CloudTrail have offerings in the AWS free tier, and the free tiers are separate and independent, each lasting 12 months. This allows customers to use both services without charge during their first year, subject to the respective free tier limits.

    AWS CloudWatch

    AWS CloudWatch pricing is based on the number of metrics and logs ingested, stored, and analyzed. The pricing structure can be complicated, but the basic pricing for CloudWatch is as follows:

    • Metrics: $0.30 for the first 10,000 metrics
    • Alarms: $0.10 per alarm metric
    • Logs:
      • Collect (data ingestion): $0.50 per GB
      • Store (archival): $0.03 per GB
      • Analyze (Logs Insights queries): $0.005 per GB of data scanned

    AWS CloudTrail

    AWS CloudTrail pricing is based on the number of events logged and the S3 storage used to store the logs. The introductory pricing for CloudTrail is as follows:

    • Ingest and store: $2.50 per GB (for the first 5 TB), which includes seven years of storage.
    • Analyze stored logs: $0.005 per GB of data scanned

    It’s important to note that CloudTrail logs can quickly accumulate and thus require significant storage space, so it’s important to regularly review and manage the logs to keep costs under control.

    Conclusion

    AWS CloudWatch and AWS CloudTrail are indispensable tools for effectively managing and monitoring your AWS infrastructure. In this comparison of CloudWatch vs CloudTrail, we see that while CloudWatch excels at providing real-time performance monitoring, alerting, and troubleshooting for your AWS resources, CloudTrail focuses on recording and analyzing API activity, enabling enhanced security and compliance.
