How do I configure the default logging settings for AWS IoT Core?

I want to configure the default logging settings for AWS IoT logs in AWS IoT Core to reduce both costs and data traffic.

Short description

Note: This article relates only to V2 of AWS IoT Core logs.

It's a best practice to set the default logging level for AWS IoT Core to a low verbosity level and to configure resource-specific logging at a higher verbosity level. Log verbosity levels include DISABLED (lowest), ERROR, WARN, INFO, and DEBUG (highest).

Important: Depending on your AWS IoT Core fleet size, turning on more verbose log levels can incur high costs and make troubleshooting more difficult. Turning on more verbose log levels also creates higher data traffic. It's a best practice to use INFO or DEBUG only as a temporary measure when troubleshooting. After troubleshooting is complete, reset logging levels back to a less verbose setting.

Resolution

Prerequisite

Make sure that you have the AWS Command Line Interface (AWS CLI) installed locally with IoT admin permission credentials. The default AWS Region for AWS CLI must point towards the targeted AWS Region. You must have clients connected to and interacting with your AWS IoT Core endpoints, either as registered or non-registered IoT things.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

Set the default logging levels

By setting the default logging level for your AWS IoT logs to ERROR or WARN, you can review log errors or warnings when they occur.

Note: If you reach out to AWS Support for assistance, you must provide AWS IoT Core logs for them to troubleshoot. This information is considered customer data and can't be accessed by AWS Support.

1.    Run the list-v2-logging-levels AWS CLI command to find your current applied logging level configurations:

aws iot list-v2-logging-levels

You receive a NotConfiguredException error if AWS IoT logs isn't configured because no logging levels have been set.

If AWS IoT Core logs is configured but turned off, then you receive an output similar to the following:

{
  "logTargetConfigurations": [
    {
      "logTarget": {
        "targetType": "DEFAULT"
      },
      "logLevel": "DISABLED"
    }
  ]
}

2.    Run the following command to confirm the AWS Identity and Access Management (IAM) role currently configured for AWS IoT Core logs:

aws iot get-v2-logging-options

You receive an output similar to the following if an IAM role is configured:

{
  "roleArn": "arn:aws:iam::123456789012:role/service-role/iot-log-role",
  "defaultLogLevel": "DISABLED",
  "disableAllLogs": false
}

Note: If there isn't an IAM role configured, then AWS IoT Core can't send logs to Amazon CloudWatch and this feature isn't available for you to use.

3.    Set AWS IoT Core default logging to one of the less verbose logging levels such as ERROR or WARN. This can be done using the AWS IoT console or AWS CLI:

Note: If you are troubleshooting an issue and don't have specific client attributes, then you can temporarily set the default logging level to DEBUG. Setting the level to DEBUG generates significant costs and data traffic, depending on the fleet size and how long logging stays at this level.

AWS IoT Console

1.    Sign in to the AWS IoT console. Note: Make sure to choose the AWS Region you want to configure.

2.    In the navigation pane, choose Settings.

3.    Under Logs, choose Manage Logs.

4.    Under Log role, choose Create Role. Enter a name for the role, then choose Create.

5.    Under Log level, choose one of the less verbose logging levels (ERROR or WARN).

6.    Choose Update.

7.    Open the IAM console.

8.    In the navigation pane, choose Roles.

9.    Enter the name of the log role that you created in the search box, and then select the role.

10.    Under Summary, note the ARN of the log role. It will look similar to arn:aws:iam::123456789012:role/service-role/iot-log-role.

AWS CLI

1.    Create an IAM role with a specific IAM policy to be used for your AWS IoT Core logs service.

2.    Run the following command to set the default logging level to WARN:

aws iot set-v2-logging-options \
 --role-arn arn:aws:iam::123456789012:role/service-role/iot-log-role \
 --default-log-level WARN

Note: In this example, replace the --role-arn value with the ARN of the IAM role that you created. Replace WARN with the logging level that you want to set as the default level.

3.    Run the following command to confirm that the changes are reflected in your logging levels:

aws iot list-v2-logging-levels

The output looks similar to the following message:

{
  "logTargetConfigurations": [
    {
      "logTarget": {
        "targetType": "DEFAULT"
      },
      "logLevel": "WARN"
    }
  ]
}

4.    Run the following command to confirm the changes are reflected on your logging options:

aws iot get-v2-logging-options

The output looks similar to the following message:

{
 "roleArn": "arn:aws:iam::123456789012:role/service-role/iot-log-role",
 "defaultLogLevel": "WARN",
 "disableAllLogs": false
}
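
The two verification outputs above can be checked automatically rather than by eye. The following is an added example, not part of the original article: it audits the parsed JSON from get-v2-logging-options and list-v2-logging-levels against the guidance in this article. The function name audit_logging, the wording of the findings, and the sample THING_GROUP target named example-group are assumptions made for illustration.

```python
import json

# Verbosity order given in the article: DISABLED (lowest) to DEBUG (highest).
LEVELS = ["DISABLED", "ERROR", "WARN", "INFO", "DEBUG"]
VERBOSE = {"INFO", "DEBUG"}


def audit_logging(options, levels):
    """Return findings for parsed get-v2-logging-options / list-v2-logging-levels output."""
    findings = []
    if not options.get("roleArn"):
        findings.append("no IAM role configured: logs cannot reach CloudWatch")
    if options.get("disableAllLogs"):
        findings.append("disableAllLogs is true: no logs are produced")
    default = options.get("defaultLogLevel", "DISABLED")
    if default not in LEVELS:
        findings.append(f"unknown default level {default!r}")
    elif default in VERBOSE:
        findings.append(f"default level {default} is verbose: reset to ERROR or WARN")
    elif default == "DISABLED":
        findings.append("default level DISABLED: errors and warnings are not logged")
    for cfg in levels.get("logTargetConfigurations", []):
        target = cfg.get("logTarget", {})
        kind, level = target.get("targetType"), cfg.get("logLevel")
        if kind == "DEFAULT" and level != default:
            findings.append(f"DEFAULT target {level} disagrees with options {default}")
        elif kind != "DEFAULT" and level in VERBOSE:
            # Resource-specific verbosity is expected, but only while troubleshooting.
            findings.append(f"{kind} {target.get('targetName', '?')} at {level}: reset after troubleshooting")
    return findings


# Constructed sample outputs (not captured from a real account).
SAMPLE_OPTIONS = json.loads("""{
  "roleArn": "arn:aws:iam::123456789012:role/service-role/iot-log-role",
  "defaultLogLevel": "DEBUG",
  "disableAllLogs": false
}""")
SAMPLE_LEVELS = json.loads("""{
  "logTargetConfigurations": [
    {"logTarget": {"targetType": "DEFAULT"}, "logLevel": "DEBUG"},
    {"logTarget": {"targetType": "THING_GROUP", "targetName": "example-group"},
     "logLevel": "DEBUG"}
  ]
}""")

if __name__ == "__main__":
    for finding in audit_logging(SAMPLE_OPTIONS, SAMPLE_LEVELS):
        print(finding)
```

To audit a live account, save the output of the two AWS CLI commands to files and pass the parsed JSON to audit_logging in place of the constructed samples.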

Monitor generated logs

It's a best practice to monitor your IoT logs for issues or problems. You can use either the Amazon CloudWatch Logs Console or the AWS CLI to monitor your AWS IoT Core logs. For more information, see the "Monitoring log entries" section of How do I best manage the logging levels of my AWS IoT logs in AWS IoT Core?

Related information

Monitoring AWS IoT

How do I configure logging levels dynamically for specific resources in AWS IoT Core?

How do I configure logging levels manually for specific resources in AWS IoT Core?

AWS OFFICIAL
Updated a year ago