
How do I troubleshoot missing CloudWatch logs for API Gateway REST APIs?


I want to troubleshoot why I can't find any logs when I activate Amazon CloudWatch Logs for Amazon API Gateway.

Short description

When you set up CloudWatch logging for REST APIs in API Gateway, you can use execution logging and access logging. API Gateway doesn't log all client-side errors that it rejects into execution logs. For example, if a client makes an API request to an incorrect resource path of your REST API, then the client receives the following response: "403 Missing Authentication Token". API Gateway doesn't log this type of response into execution logs. To troubleshoot client-side errors, use CloudWatch access logging.

API Gateway might not generate logs for the following errors or reasons:

  • "413 Request Entity Too Large" errors
  • "431 Request Header Fields Too Large" errors
  • Excessive "429 Too Many Requests" errors
  • 400 series errors that occur because the client sent requests to a custom domain without API mapping
  • 500 series errors that occur because of internal failures
  • The stage name is incorrect

Note: Execution logs won't generate if the resource path doesn't exist or the method doesn't exist.

For more information, see Monitor REST APIs in API Gateway.

Resolution

Verify API Gateway permissions for CloudWatch Logs

To activate CloudWatch Logs, you must grant API Gateway permission to read and write logs to CloudWatch for your AWS account.

First, create an AWS Identity and Access Management (IAM) role with apigateway.amazonaws.com as the trusted entity. Then, attach the AmazonAPIGatewayPushToCloudWatchLogs AWS managed policy to the role. Set the role Amazon Resource Name (ARN) to the cloudwatchRoleArn for your account.

Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Note: Make sure that you activate the AWS Security Token Service (AWS STS) for your AWS Region. Also, confirm that you activated the IAM role for all Regions where you want to activate CloudWatch Logs.

For more information, see Activating and deactivating AWS STS in an AWS Region and Permissions for CloudWatch logging.

Verify API Gateway logging settings

Verify that you correctly set up the CloudWatch execution or access logging settings for API Gateway.

Note: You can activate execution logging and access logging independently of each other.

Complete the following steps:

  1. Open the API Gateway console.
  2. In the navigation pane, choose APIs.
  3. Select your API, and then choose Stages.
  4. Choose your stage, and then choose the Logs/Tracing tab.
  5. In CloudWatch Settings, select Enable CloudWatch Logs.
  6. Set Log level to ERROR and INFO.
    Note: If you set Log level to ERROR, then API Gateway only logs request errors and doesn't log successful API requests.
  7. Select Data tracing to turn on data trace logging for your stage.
    Note: It's a best practice not to activate Data tracing for production APIs because API Gateway might log sensitive data.
  8. For Custom Access Logging, choose Enable Access Logging.

Verify your logging method

By default, all API resources use the same logging configuration as their stage. If you don't want a method to inherit the stage settings, then override the setting for that method and set a different configuration.

Complete the following steps:

  1. Open the API Gateway console.
  2. In the navigation pane, choose APIs.
  3. Select your API, and then choose Stages.
  4. In Stages, expand your stage name. Then choose your HTTP method, for example, GET.
  5. Under Settings, choose Override for this method.
    Note: To make additional log changes, update the necessary settings in the CloudWatch settings section.
  6. Choose Save Changes.
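As an added example (not part of the original article), the following Python script applies the checks from the permissions and logging-settings sections above to JSON captured from `aws apigateway get-account` and `aws apigateway get-stage`. The account ID, role name, stage name and method settings are constructed placeholders.

```python
import json

# Constructed sample shaped like the output of `aws apigateway get-account`.
SAMPLE_ACCOUNT = json.loads('''{
  "cloudwatchRoleArn": "arn:aws:iam::123456789012:role/ApiGwCloudWatchLogs",
  "apiKeyVersion": "4"
}''')

# Constructed sample shaped like the output of `aws apigateway get-stage`.
# Method keys use the API's "~1" escape for "/" in the resource path.
SAMPLE_STAGE = json.loads('''{
  "stageName": "prod",
  "methodSettings": {
    "*/*": {"loggingLevel": "INFO", "dataTraceEnabled": true},
    "~1pets/GET": {"loggingLevel": "OFF", "dataTraceEnabled": false}
  }
}''')


def diagnose(account, stage, production=True):
    """Return findings that explain why CloudWatch logs may be missing."""
    findings = []
    # Account level: without cloudwatchRoleArn, API Gateway cannot write logs.
    if not account.get("cloudwatchRoleArn"):
        findings.append("account: cloudwatchRoleArn is not set")
    settings = stage.get("methodSettings", {})
    stage_level = settings.get("*/*", {})
    level = stage_level.get("loggingLevel", "OFF")
    if level == "OFF":
        findings.append("stage */*: execution logging is OFF")
    elif level == "ERROR":
        findings.append("stage */*: level ERROR; successful requests are not logged")
    if production and stage_level.get("dataTraceEnabled"):
        findings.append("stage */*: data tracing is on; may log sensitive data")
    # Per-method overrides can silently turn logging off for one method.
    for key, method_settings in settings.items():
        if key == "*/*":
            continue
        path, verb = key.rsplit("/", 1)
        path = path.replace("~1", "/")
        if method_settings.get("loggingLevel", level) == "OFF":
            findings.append(f"method {verb} {path}: override sets logging OFF")
    # Access logging is independent of execution logging and is the only
    # place client-side rejections such as 403 Missing Authentication Token show up.
    if not stage.get("accessLogSettings", {}).get("destinationArn"):
        findings.append("stage: access logging is not configured")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ACCOUNT, SAMPLE_STAGE):
        print(finding)
```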

Related information

How do I find API Gateway REST API errors in my CloudWatch logs?

How do I set up access logging for API Gateway?

How do I turn on CloudWatch Logs to troubleshoot my API Gateway REST API or WebSocket API?

2 Comments

In the 'Verify API Gateway permissions for CloudWatch logging' section, please include some detail on setting the IAM role ARN on the cloudWatchRoleArn property. This step is not obvious and I had to spend around a couple of hours on locating the correct setting. For the benefit of readers, these are the steps:

  1. Note the ARN of the IAM service role created with the required "logs:*" permissions.
  2. Go to the API Gateway console. On the left pane, at the bottom, choose "Settings" (not API Settings; we need the common settings that apply to all APIs).
  3. In the Logging section paste the IAM service role ARN created in Step 1.

Reproduced the steps described above from https://coady.tech/aws-cloudwatch-logs-arn/

replied a year ago

Also, if the stage name is incorrect, the resource path does not exist, or the method does not exist, you will not see logs.

AWS
SUPPORT ENGINEER
replied 6 months ago