Logging Amazon CloudSearch Configuration Service Calls Using AWS CloudTrail
Amazon CloudSearch is integrated with CloudTrail, a service that logs all AWS API calls made by, or on
behalf of, your AWS account. The log files are delivered to the Amazon S3 bucket that you specify.
CloudTrail captures all Amazon CloudSearch configuration service API calls, including those submitted
by the Amazon CloudSearch console.
You can use the information collected by CloudTrail to monitor activity for your search domains. You can
determine what request was made to Amazon CloudSearch, the source IP address from which the request
was made, who made the request, when it was made, and so on. To learn more about CloudTrail, including
how to configure and enable it, see the AWS CloudTrail User Guide.
Amazon CloudSearch Information in CloudTrail
When CloudTrail logging is enabled in your AWS account, API calls made to Amazon CloudSearch actions
are tracked in log files. Amazon CloudSearch records are written together with other AWS service records
in a log file. CloudTrail determines when to create and write to a new file based on a time period and file
All Amazon CloudSearch configuration service actions are logged. For example, calls to CreateDomain,
DescribeDomains, and UpdateServiceAccessPolicies generate entries in the CloudTrail log files.
For the complete list of actions, see Actions (p.152).
Every log entry contains information about who generated the request. The user identity information in
the log helps you determine whether the request was made with root or IAM user credentials, with
temporary security credentials for a role or federated user, or by another AWS service. For more
information, see the userIdentity field in the CloudTrail Event Reference.
You can store your log files in your bucket for as long as you want, but you can also define Amazon S3
lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted by using
Amazon S3 server-side encryption (SSE).
You can choose to have CloudTrail publish Amazon SNS notifications when new log files are delivered
if you want to take quick action upon log file delivery. For more information, see Configuring Amazon
You can also aggregate Amazon CloudSearch log files from multiple AWS regions and multiple AWS
accounts into a single Amazon S3 bucket. For more information, see Aggregating CloudTrail Log Files
to a Single Amazon S3 Bucket.
Understanding Amazon CloudSearch Log File Entries
CloudTrail log files contain one or more log entries where each entry is made up of multiple JSON-formatted
events. A log entry represents a single request from any source and includes information about the
requested action, any parameters, the date and time of the action, and so on. The log entries are not
guaranteed to be in any particular order—they are not an ordered stack trace of the public API calls.
CloudTrail log files include events for all AWS API calls for your AWS account, not just calls to the Amazon
CloudSearch configuration service API. However, you can read the log files and scan for the eventSource
cloudsearch.amazonaws.com. The eventName element contains the name of the configuration service
action that was called.
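One way to do that scan, as an added example that is not part of the original guide: the script below filters a log file for the cloudsearch.amazonaws.com eventSource, orders the entries by eventTime because they are not guaranteed to arrive in order, and picks out calls made with root credentials. The sample records, account ID, user name, and IP addresses are constructed for illustration.

```python
import gzip
import json

CLOUDSEARCH_SOURCE = "cloudsearch.amazonaws.com"

def _rec(time, source, name, id_type, arn, ip):
    """Build one constructed CloudTrail record with only the fields used here."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": id_type, "arn": arn}, "sourceIPAddress": ip}

# Constructed sample log file (not from the guide); deliberately out of order.
USER = "arn:aws:iam::123456789012:user/example-user"
ROOT = "arn:aws:iam::123456789012:root"
SAMPLE_LOG = {"Records": [
    _rec("2014-06-10T12:05:00Z", CLOUDSEARCH_SOURCE, "DefineIndexField", "IAMUser", USER, "192.0.2.10"),
    _rec("2014-06-10T12:01:00Z", "ec2.amazonaws.com", "DescribeInstances", "IAMUser", USER, "192.0.2.10"),
    _rec("2014-06-10T12:00:00Z", CLOUDSEARCH_SOURCE, "CreateDomain", "IAMUser", USER, "192.0.2.10"),
    _rec("2014-06-10T12:30:00Z", CLOUDSEARCH_SOURCE, "UpdateServiceAccessPolicies", "Root", ROOT, "198.51.100.7"),
]}

def load_records(raw: bytes) -> list:
    """Parse one log file; CloudTrail delivers them as gzip-compressed JSON."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    return json.loads(raw).get("Records", [])

def cloudsearch_events(records: list) -> list:
    """Keep CloudSearch configuration calls, sorted by eventTime."""
    hits = [r for r in records if r.get("eventSource") == CLOUDSEARCH_SOURCE]
    # Entries are not guaranteed to be ordered; UTC ISO 8601 strings sort lexically.
    return sorted(hits, key=lambda r: r.get("eventTime", ""))

def summarize(record: dict) -> dict:
    """Answer what, who, when and from where for one entry."""
    ident = record.get("userIdentity") or {}
    return {"when": record.get("eventTime"), "action": record.get("eventName"),
            "who": ident.get("arn"), "identity_type": ident.get("type"),
            "source_ip": record.get("sourceIPAddress")}

def root_calls(events: list) -> list:
    """Calls made with root credentials, per the userIdentity type field."""
    return [e for e in events if (e.get("userIdentity") or {}).get("type") == "Root"]

if __name__ == "__main__":
    raw = gzip.compress(json.dumps(SAMPLE_LOG).encode())
    for event in cloudsearch_events(load_records(raw)):
        print(summarize(event))
```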
The following example shows a CloudTrail log for a user who created a search domain and then configured
an index field for the domain. The corresponding API calls (CreateDomain and DefineIndexField)
API Version 2013-01-01
Amazon CloudSearch Developer Guide
Logging Configuration Service Calls Using CloudTrail