How do I manage the log levels of my AWS IoT logs in AWS IoT Core?


I want to follow best practices when I configure my AWS IoT log levels in AWS IoT Core to reduce costs and data traffic.

Short description

Note: The following resolution applies only to AWS IoT Core logs v2.

As a best practice, know what AWS IoT Core resources you must monitor and at what level. Divide your AWS IoT Core resources, and then assign each segment a suitable log level. You can set default log levels or specific log levels for your resources.

For example, configure default logging to have a less verbose log level, such as ERROR or WARN. When you configure default logging, the configuration is applied to all resources that don't have resource-specific logging configured. To have a more verbose level, such as INFO or DEBUG, configure resource-specific logging. You can configure resource-level logging for different target types, such as THING_GROUP, CLIENT_ID, SOURCE_IP, or PRINCIPAL_ID.

You can simultaneously use default logging and resource-specific logging.

Important: Based on your AWS IoT Core fleet size, more verbose log levels can incur higher costs and can be more difficult to troubleshoot. More verbose log levels also create higher data traffic. It's a best practice to use INFO or DEBUG only to temporarily troubleshoot. After you troubleshoot, reset log levels to a less verbose level. For more information about log levels, see Log levels.



Prerequisites:

  • You installed the AWS Command Line Interface (AWS CLI) on your local machine with AWS IoT administrator permission credentials. The default AWS Region for AWS CLI must point toward the targeted Region.
  • You have clients connected to your AWS IoT Core, either as registered or non-registered AWS IoT things.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use default logging to lower costs and data traffic

When you set the default log level for your AWS IoT logs to ERROR or WARN, you can review log errors or warnings. These less verbose levels lower your costs and your data traffic. For more information, see How do I configure the default logging settings for AWS IoT Core?

Note: If you create an AWS Support case, then you must provide AWS IoT Core logs.

Manually log resources

For information about how to manually log resources, see How do I configure logging levels manually for specific resources in AWS IoT Core?

Dynamically log resources

For more information about how to dynamically log resources, see How do I configure logging levels dynamically for specific resources in AWS IoT Core?

Monitor log entries

Use either the Amazon CloudWatch console or the AWS CLI to monitor your AWS IoT log entries.

CloudWatch console

To monitor your AWS IoT logs in the CloudWatch console, see Viewing AWS IoT logs in the CloudWatch console.


AWS CLI

To get your logs in the AWS CLI, run the filter-log-events command. Replace YourStartTimeInMilliseconds with your start time in milliseconds:

aws logs filter-log-events --log-group-name AWSIotLogsV2 \
 --start-time YourStartTimeInMilliseconds

Note: You can use the --filter-pattern option to search for specific log attributes. For more information, see Filter and pattern syntax for metric filters, subscription filters, filter log events, and Live Tail.

The logLevel value is the log level that's configured for the target. In this example, the log level for the target is INFO:

{
 "timestamp": "2017-08-10 15:37:23.476",
 "logLevel": "INFO",
 "traceId": "20b23f3f-d7f1-feae-169f-82263394fbdb",
 "accountId": "123456789012",
 "status": "Success",
 "eventType": "Connect",
 "protocol": "MQTT",
 "clientId": "abf27092886e49a8a5c1922749736453",
 "principalId": "145179c40e2219e18a909d896a5340b74cf97a39641beec2fc3eeafc5a123456",
 "sourceIp": "",
 "sourcePort": 13490
}

Note: CLIENT_ID is available only when you connect to AWS IoT Core with MQTT or MQTT over WSS protocols. HTTPS protocol doesn't support client IDs. Instead, use SOURCE_IP or PRINCIPAL_ID target types.
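The following added example (not part of the original article) tallies INFO and DEBUG entries from filter-log-events output per client, so that you can see which targets still produce verbose logs after troubleshooting. The sample response, the identifier values, and the field-to-target-type mapping in TARGET_FIELDS are constructed assumptions based on the log entry shown above; entries without a client ID (HTTPS) fall back to the principal ID or source IP.

```python
import json
from collections import Counter

VERBOSE_LEVELS = {"INFO", "DEBUG"}
# Log-entry field -> target type, tried in order; HTTPS entries carry no clientId.
TARGET_FIELDS = [("clientId", "CLIENT_ID"), ("principalId", "PRINCIPAL_ID"),
                 ("sourceIp", "SOURCE_IP")]

def _entry(level, event_type, protocol, **ids):
    """Build one constructed event in the shape filter-log-events returns."""
    body = {"logLevel": level, "eventType": event_type, "protocol": protocol, **ids}
    return {"message": json.dumps(body)}

# Constructed sample response (not real log data).
SAMPLE_RESPONSE = {"events": [
    _entry("INFO", "Connect", "MQTT", clientId="sensor-a", sourceIp="203.0.113.10"),
    _entry("DEBUG", "Publish-In", "MQTT", clientId="sensor-a", sourceIp="203.0.113.10"),
    _entry("DEBUG", "Publish-In", "MQTT", clientId="sensor-a", sourceIp="203.0.113.10"),
    _entry("ERROR", "Connect", "MQTT", clientId="sensor-b", sourceIp="203.0.113.11"),
    _entry("INFO", "Publish-In", "HTTP", clientId="", principalId="examplePrincipal01"),
    {"message": "not json"},
]}

def verbose_targets(response):
    """Count INFO/DEBUG entries per (target type, target name).

    Returns (Counter, skipped), where skipped counts unparseable messages.
    """
    counts, skipped = Counter(), 0
    for event in response.get("events", []):
        try:
            entry = json.loads(event["message"])
        except (KeyError, TypeError, ValueError):
            skipped += 1
            continue
        if not isinstance(entry, dict) or entry.get("logLevel") not in VERBOSE_LEVELS:
            continue
        for field, target_type in TARGET_FIELDS:
            if entry.get(field):  # first non-empty identifier wins
                counts[(target_type, entry[field])] += 1
                break
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = verbose_targets(SAMPLE_RESPONSE)
    for (target_type, name), n in counts.most_common():
        print(f"{n:4d}  {target_type:<13} {name}")
    print(f"skipped {skipped} unparseable message(s)")
```

To run it on real data, replace SAMPLE_RESPONSE with the parsed JSON output of the filter-log-events command shown above.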

Edit or delete log levels

You can change the default log level and resource-specific log level at any time. It can take up to 10 minutes for the changes to complete.

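To delete a resource-specific log level, run the delete-v2-logging-level AWS CLI command. Replace YourTargetType with your target's type (THING_GROUP, CLIENT_ID, SOURCE_IP, or PRINCIPAL_ID) and YourTargetName with your target's name:

aws iot delete-v2-logging-level \
 --target-type YourTargetType \
 --target-name YourTargetName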

Related information

AWS IoT Device Management endpoints and quotas

Monitoring AWS IoT

AWS IoT Device Management pricing

AWS OFFICIAL. Updated 6 months ago

Hi, I am configuring the AWS IoT Core logging and am not able to configure it the way I need it. The configuration I want is:

  • Disable logging generally
  • Enable logging to a specific THING_GROUP only (MyThingGroup)

If I disable logging from the settings console, I do not have any logging:

{ "logTargetConfigurations": [ { "logTarget": { "targetType": "DEFAULT" }, "logLevel": "DISABLED" }, { "logTarget": { "targetType": "THING_GROUP", "targetName": "MyThingGroup" }, "logLevel": "DEBUG" } ] }

I changed it to ERROR (general) and DEBUG to THING_GROUP, but it did not work. I do not see any log from devices in THING_GROUP:

{ "logTargetConfigurations": [ { "logTarget": { "targetType": "DEFAULT" }, "logLevel": "ERROR" }, { "logTarget": { "targetType": "THING_GROUP", "targetName": "MyThingGroup" }, "logLevel": "DEBUG" } ] }

I also changed to DEBUG (general) and to ERROR the THING_GROUP, but it creates 2 log entries, neither of level ERROR:

{"logTargetConfigurations": [{"logTarget": {"targetType": "DEFAULT"},"logLevel": "DEBUG"},{"logTarget": {"targetType": "THING_GROUP","targetName": "MyThingGroup"},"logLevel": "ERROR"}]}

Can someone support? Best, GP

replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
replied 7 months ago

Hi @GP, I would suggest that you check if the things that are added to the thing group are connecting using their client ID exactly the same as their registered/associated thing name; otherwise it will not work. Also, after applying a log level to the target (thing group in your case) you would need to wait a few minutes and then test again. Basically, all this is as indicated in the linked article mentioned in the section "Manually log resources".

Another source of issue I can think of is that you could be checking an AWS region which your devices are not connecting to and therefore no log entries are found. So, best to double check this and test again.

replied 5 months ago