Sumo Logic

Collect Logs for the AWS Lambda App

This page describes how to collect the two log types the AWS Lambda App uses: CloudWatch Logs written by your Lambda functions, and CloudTrail Lambda Data Events that record Invoke API calls.

Amazon CloudWatch Logs

AWS Lambda automatically monitors your functions and reports metrics through Amazon CloudWatch. It also writes a log entry for every request a function handles, including the START, END and REPORT lines emitted for each invocation, to CloudWatch Logs.

To collect Amazon CloudWatch logs, see Amazon CloudWatch Logs.

The AWS Lambda App uses the Lambda logs collected from CloudWatch to visualize operational and performance trends across all Lambda functions in your account, giving insight into executions such as memory and duration usage, broken down by function version or alias.


CloudTrail Lambda Data Events

CloudTrail Lambda Data Events let you continuously monitor the execution activity of your Lambda functions: each Invoke API call is recorded with when it was made, by whom, and from which source address.

The Sumo Logic App for AWS Lambda uses these CloudTrail Lambda Data Events to provide insight into Lambda function invocations by function name, version, invoking AWS service, and threat details.


To configure a CloudTrail Source, perform these steps:

  1. Grant Sumo Logic access to an Amazon S3 bucket.
  2. Configure DataEvents with CloudTrail in your AWS account.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. Add an AWS CloudTrail Source to Sumo Logic.
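Step 2 is the one that most often goes wrong: a trail that records only management events will feed the source fine, yet every CloudTrail-based panel stays empty because no Invoke events are written. The following check is an added example (not Sumo Logic's or AWS's code) that walks the response shape of `aws cloudtrail get-event-selectors` (boto3 `get_event_selectors`), which can carry classic EventSelectors, AdvancedEventSelectors, or both, and reports which Lambda functions the trail covers. Fetching the response is left to the caller; the responses below are constructed samples.

```python
"""Check that a CloudTrail trail records Lambda data events (Invoke).

Added example, not Sumo Logic's or AWS's code. The dicts mirror the output of
`aws cloudtrail get-event-selectors`; all samples below are constructed.
"""

LAMBDA_TYPE = "AWS::Lambda::Function"
ALL_FUNCTIONS = "arn:aws:lambda"  # the prefix CloudTrail uses for "every function"


def lambda_data_event_scope(selectors: dict) -> list[str]:
    """Return the Lambda ARN prefixes the trail records Invoke data events for.

    [ALL_FUNCTIONS] means every function in the account, a list of ARNs means
    only those functions, and [] means Lambda data events are not enabled.
    """
    scope: list[str] = []
    # Classic selectors: DataResources entries keyed by resource type.
    for sel in selectors.get("EventSelectors", []):
        for res in sel.get("DataResources", []):
            if res.get("Type") == LAMBDA_TYPE:
                scope.extend(res.get("Values", []))
    # Advanced selectors: a list of field/value predicates per selector.
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        if "Data" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        if LAMBDA_TYPE not in fields.get("resources.type", {}).get("Equals", []):
            continue
        arn = fields.get("resources.ARN")
        if arn is None:
            scope.append(ALL_FUNCTIONS)  # no ARN predicate: all functions
        else:
            scope.extend(arn.get("Equals", []) + arn.get("StartsWith", []))
    return scope


def covers_function(selectors: dict, function_arn: str) -> bool:
    """True if Invoke calls to function_arn would be written to the trail."""
    return any(function_arn.startswith(p) for p in lambda_data_event_scope(selectors))


# Constructed samples mirroring get-event-selectors output.
TRAIL = "arn:aws:cloudtrail:us-east-1:123456789012:trail/sumo-trail"
CLASSIC_ALL = {
    "TrailARN": TRAIL,
    "EventSelectors": [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": LAMBDA_TYPE, "Values": [ALL_FUNCTIONS]}],
    }],
}
ADVANCED_ONE = {
    "TrailARN": TRAIL,
    "AdvancedEventSelectors": [{
        "Name": "Invokes of one function only",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": [LAMBDA_TYPE]},
            {"Field": "resources.ARN",
             "Equals": ["arn:aws:lambda:us-east-1:123456789012:function:orders-api"]},
        ],
    }],
}
MANAGEMENT_ONLY = {
    "TrailARN": TRAIL,
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                        "DataResources": []}],
}

if __name__ == "__main__":
    for name, sel in [("classic", CLASSIC_ALL), ("advanced", ADVANCED_ONE),
                      ("management-only", MANAGEMENT_ONLY)]:
        print(name, lambda_data_event_scope(sel))
```

Run it against the real response (`aws cloudtrail get-event-selectors --trail-name <trail> > selectors.json`, then `json.load` the file) before adding the Sumo Logic source; an empty scope means step 2 is incomplete, and a list of specific ARNs means only those functions will appear in the app.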

Sample Log Messages

This section provides samples of the Amazon CloudWatch Log and CloudTrail Lambda Data Events.

Amazon CloudWatch Log

{"id":"32563142671071560797760688825700039436306340248688066573","timestamp":1511808906799,"message":"REPORT RequestId: cf75cfa3-fe16-11e5-9b16-e3e4c70845f2    Duration: 50.23 ms    Billed Duration: 100 ms     Memory Size: 128 MB    Max Memory Used: 24 MB    

CloudTrail Lambda Data Events

   "userAgent":"aws-cli/1.11.129 Python/2.7.8 botocore/1.5.92",

Query Sample

Count of IAM users invoking Lambda functions

_sourceCategory=cloudtrail/lambda Invoke
| json field=_raw "eventName" as event_name
| json field=_raw "sourceIPAddress" as src_ip
| json field=_raw "requestParameters.functionName" as func_name nodrop
| json field=_raw "additionalEventData.functionVersion" as func_version nodrop
| parse regex field=func_name "\w+:\w+:\S+:[\w-]+:\S+:\S+:(?<function_name>[\S]+)$"
| parse regex field=func_version "\w+:\w+:\S+:[\w-]+:\S+:\S+:(?<function_version>[\S]+:[\S ]+)$"
| json field=_raw "userAgent" as user_agent
| json field=_raw "userIdentity.type" as caller_type
| json field=_raw "userIdentity.invokedBy" as invoked_by nodrop
| json field=_raw "userIdentity.userName" as user_name nodrop
| if (isNull(user_name), invoked_by, user_name) as caller
| where caller_type = "IAMUser"
| count by caller
| sort by _count

The caller is the IAM user name when one is present and otherwise the invokedBy service principal; only one such assignment is needed. Because the where clause keeps only IAMUser identities, invocations by assumed roles and AWS services are excluded from the count. Note also that the two parse regex stages have no nodrop, so any event whose functionName is not a full function ARN is dropped from the results.
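The same logic, run offline over raw CloudTrail records, as an added example that is not part of the original page. It translates the page's two parse regexes into Python, applies the userName/invokedBy fallback once, filters to IAMUser identities and counts by caller. The sample events are constructed; field names follow the CloudTrail record format (userIdentity, requestParameters.functionName, additionalEventData.functionVersion).

```python
"""Reproduce the "count of IAM users invoking Lambda" query over raw events.

Added example, not Sumo Logic's code. All sample events are constructed.
"""
import json
import re
from collections import Counter

# The page's two parse regexes in Python syntax. CloudTrail records
# requestParameters.functionName as a full function ARN and
# additionalEventData.functionVersion as that ARN with ":<version>" appended.
FUNCTION_ARN_RE = re.compile(r"\w+:\w+:\S+:[\w-]+:\S+:\S+:(?P<function_name>\S+)$")
VERSION_ARN_RE = re.compile(r"\w+:\w+:\S+:[\w-]+:\S+:\S+:(?P<function_version>\S+:[\S ]+)$")


def parse_invoke(raw: str) -> dict:
    """Flatten one CloudTrail event (a JSON string, like _raw) into the query's fields."""
    event = json.loads(raw)
    ident = event.get("userIdentity", {})
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    fn = FUNCTION_ARN_RE.search(params.get("functionName", ""))
    ver = VERSION_ARN_RE.search(extra.get("functionVersion", ""))
    user_name = ident.get("userName")   # present for IAMUser identities
    invoked_by = ident.get("invokedBy")  # present when an AWS service made the call
    return {
        "event_name": event.get("eventName"),
        "src_ip": event.get("sourceIPAddress"),
        "function_name": fn.group("function_name") if fn else None,
        "function_version": ver.group("function_version") if ver else None,
        "user_agent": event.get("userAgent"),
        "caller_type": ident.get("type"),
        "caller": user_name if user_name is not None else invoked_by,
    }


def count_iam_invokers(raw_lines):
    """Invoke events per IAM user name, most active first
    (where caller_type = "IAMUser" | count by caller | sort by _count)."""
    counts = Counter()
    for line in raw_lines:
        rec = parse_invoke(line)
        if rec["event_name"] == "Invoke" and rec["caller_type"] == "IAMUser":
            counts[rec["caller"]] += 1
    return counts.most_common()


def _event(ident, src_ip, agent, fn="orders-api", version="$LATEST"):
    """Build a constructed CloudTrail Lambda data event as a JSON string."""
    arn = f"arn:aws:lambda:us-east-1:123456789012:function:{fn}"
    return json.dumps({
        "eventVersion": "1.05",
        "userIdentity": ident,
        "eventTime": "2017-11-27T18:55:06Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke",
        "awsRegion": "us-east-1",
        "sourceIPAddress": src_ip,
        "userAgent": agent,
        "requestParameters": {"functionName": arn},
        "additionalEventData": {"functionVersion": f"{arn}:{version}"},
    })


# Constructed identities: two IAM users, one assumed role, one service principal.
IAM_ALICE = {"type": "IAMUser", "principalId": "AIDAEXAMPLE1", "userName": "alice",
             "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"}
IAM_BOB = dict(IAM_ALICE, principalId="AIDAEXAMPLE2", userName="bob",
               arn="arn:aws:iam::123456789012:user/bob")
ROLE = {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ci", "accountId": "123456789012",
        "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}
SERVICE = {"type": "AWSService", "invokedBy": "apigateway.amazonaws.com"}

CLI = "aws-cli/1.11.129 Python/2.7.8 botocore/1.5.92"
SAMPLE_EVENTS = [
    _event(IAM_ALICE, "203.0.113.10", CLI),
    _event(IAM_ALICE, "203.0.113.10", CLI, fn="img-resize", version="3"),
    _event(IAM_BOB, "198.51.100.7", "aws-sdk-go/1.12.0"),
    _event(ROLE, "198.51.100.20", "aws-sdk-java/1.11.200"),       # excluded: not an IAM user
    _event(SERVICE, "apigateway.amazonaws.com", "apigateway.amazonaws.com"),  # excluded; caller = invokedBy
]

if __name__ == "__main__":
    for caller, n in count_iam_invokers(SAMPLE_EVENTS):
        print(f"{caller}\t{n}")
```

One caveat the regex carries over from the page: `\w+:\w+:` only matches the `arn:aws:` partition, so function ARNs in the `aws-cn` or `aws-us-gov` partitions would not parse (the hyphen is not in `\w`); splitting the ARN on `:` is the robust alternative if you run in those partitions.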


Maximum memory used in MB

_sourceCategory=aws_lambda/lambda* | json "message","logStream","logGroup"
| parse field=message "REPORT RequestId: *Duration: * ms\tBilled Duration: * ms \tMemory Size: * MB\tMax Memory Used: * MB" as RequestId, Duration, BilledDuration, MemorySize, MaxMemoryUsed
| parse field=logstream "*/[*]*" as logstreamDate, version, logstreamID
| parse field=loggroup "/aws/lambda/*" as function
| timeslice 1h
| max(MaxMemoryUsed) as MaxMemoryUsed by function, _timeslice
| sort by _timeslice
| transpose row _timeslice column function

The aggregation is max, not sum: Max Memory Used is already the per-invocation peak, and summing those peaks over an hour yields a number that grows with invocation count rather than with memory pressure. The function name comes from the log group (/aws/lambda/<function>) and the version or alias from the log stream name (<date>/[<version>]<stream id>).
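The same computation over raw CloudWatch Logs records, as an added example that is not part of the original page. It parses the REPORT line, the log group and the log stream the way the query does, buckets by hour, and takes the per-function maximum; it also adds the check a practitioner usually wants next, flagging functions whose peak usage approaches the configured Memory Size. The records below are constructed (the first reuses the page's sample REPORT values).

```python
"""Maximum memory used per Lambda function per hour, from CloudWatch REPORT lines.

Added example, not Sumo Logic's code. Records carry the fields the query reads
(message, logStream, logGroup) plus the millisecond timestamp; all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Tolerates tabs or runs of spaces between REPORT fields (both appear in practice).
REPORT_RE = re.compile(
    r"REPORT RequestId: (?P<request_id>\S+)\s+Duration: (?P<duration>[\d.]+) ms\s+"
    r"Billed Duration: (?P<billed_duration>\d+) ms\s+Memory Size: (?P<memory_size>\d+) MB\s+"
    r"Max Memory Used: (?P<max_memory_used>\d+) MB"
)
LOG_GROUP_RE = re.compile(r"^/aws/lambda/(?P<function>.+)$")
# Stream name layout: 2017/11/27/[$LATEST]<stream id>, i.e. date/[version]id
LOG_STREAM_RE = re.compile(r"^(?P<date>\d{4}/\d{2}/\d{2})/\[(?P<version>[^\]]+)\](?P<stream_id>\w+)$")


def parse_report(record: dict):
    """Parsed REPORT fields plus function, version and hour bucket,
    or None for START/END/application log lines."""
    m = REPORT_RE.search(record.get("message", ""))
    g = LOG_GROUP_RE.match(record.get("logGroup", ""))
    s = LOG_STREAM_RE.match(record.get("logStream", ""))
    if not (m and g and s):
        return None
    when = datetime.fromtimestamp(record["timestamp"] / 1000, tz=timezone.utc)
    return {
        "function": g.group("function"),
        "version": s.group("version"),
        "timeslice": when.strftime("%Y-%m-%dT%H:00:00Z"),  # timeslice 1h
        "request_id": m.group("request_id"),
        "duration_ms": float(m.group("duration")),
        "billed_duration_ms": int(m.group("billed_duration")),
        "memory_size_mb": int(m.group("memory_size")),
        "max_memory_used_mb": int(m.group("max_memory_used")),
    }


def max_memory_by_function_hour(records):
    """{timeslice: {function: peak MB}}, i.e. max(MaxMemoryUsed) by function, _timeslice."""
    table = defaultdict(dict)
    for rec in records:
        p = parse_report(rec)
        if p is None:
            continue
        row = table[p["timeslice"]]
        row[p["function"]] = max(row.get(p["function"], 0), p["max_memory_used_mb"])
    return dict(table)


def near_memory_limit(records, ratio=0.9):
    """Functions whose peak reached `ratio` of Memory Size in any invocation:
    candidates for a larger size before they start failing out of memory."""
    flagged = {}
    for rec in records:
        p = parse_report(rec)
        if p and p["max_memory_used_mb"] >= ratio * p["memory_size_mb"]:
            flagged[p["function"]] = max(flagged.get(p["function"], 0), p["max_memory_used_mb"])
    return flagged


def _record(ts_ms, function, version, req, dur, billed, size, used):
    """Constructed CloudWatch Logs record in the shape the query's json stage reads."""
    msg = (f"REPORT RequestId: {req}\tDuration: {dur} ms\tBilled Duration: {billed} ms \t"
           f"Memory Size: {size} MB\tMax Memory Used: {used} MB\t")
    return {"timestamp": ts_ms, "message": msg, "logGroup": f"/aws/lambda/{function}",
            "logStream": f"2017/11/27/[{version}]a1b2c3d4e5f60718293a4b5c6d7e8f90"}


SAMPLE_RECORDS = [
    # 2017-11-27 18:55:06Z, the page's sample values
    _record(1511808906799, "orders-api", "$LATEST", "cf75cfa3-fe16-11e5-9b16-e3e4c70845f2", 50.23, 100, 128, 24),
    # 18:23:20Z, same hour, higher peak
    _record(1511807000000, "orders-api", "$LATEST", "1a2b3c4d-0000-4000-8000-000000000001", 310.5, 400, 128, 61),
    # 19:30:00Z, next hour, published version 2
    _record(1511811000000, "orders-api", "2", "1a2b3c4d-0000-4000-8000-000000000002", 80.0, 100, 128, 40),
    # 18:56:40Z, a function running close to its 128 MB limit
    _record(1511809000000, "img-resize", "$LATEST", "1a2b3c4d-0000-4000-8000-000000000003", 1200.7, 1300, 128, 118),
    # A START line: parse_report must ignore it
    {"timestamp": 1511808906700,
     "message": "START RequestId: cf75cfa3-fe16-11e5-9b16-e3e4c70845f2 Version: $LATEST",
     "logGroup": "/aws/lambda/orders-api",
     "logStream": "2017/11/27/[$LATEST]a1b2c3d4e5f60718293a4b5c6d7e8f90"},
]

if __name__ == "__main__":
    for ts, row in sorted(max_memory_by_function_hour(SAMPLE_RECORDS).items()):
        print(ts, row)
    print("near limit:", near_memory_limit(SAMPLE_RECORDS))
```

The hour bucket is computed from the record timestamp rather than the date in the stream name, matching the query's timeslice on message time; the stream date only tells you when the execution environment was created.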