Amazon CloudWatch: Unveiling and Managing Stealthy Log Costs

Tim Schill
Published in AWS Specialists
5 min read · Jun 15, 2023

Amazon CloudWatch, AWS’s ever-present monitoring service, is invaluable in any AWS specialist’s toolkit. It offers a vast array of metrics, alarms, dashboards, and insights that help keep an eagle eye on AWS resources. But with great power comes great responsibility: managing the cost. The financial implications of CloudWatch, particularly log ingestion, can be unexpectedly significant if not properly addressed.

This blog post will dissect the components contributing to stealthy CloudWatch costs and offer tactics to optimize them without compromising your monitoring capabilities.

CloudWatch Log Storage: The Breakdown

AWS operates on a pay-as-you-go philosophy; you pay for what you use. CloudWatch Log pricing primarily depends on data ingestion, storage, and analysis.

Ingestion and storage charges often become the culprits behind unexpected CloudWatch expenses. You are billed $0.50 per GB ingested and $0.03 per GB-month stored (list prices in us-east-1; other regions vary). Ingesting a gigabyte thus costs far more than storing one, so we want to ensure we only send the data we actually need to CloudWatch.
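To get a feel for that asymmetry, here is a quick back-of-the-envelope calculation using the list prices above (illustrative only; check current pricing for your region):

```python
# Rough monthly cost estimate for CloudWatch Logs, using the list
# prices quoted above (us-east-1; actual prices vary by region).
INGEST_PER_GB = 0.50          # $ per GB ingested
STORAGE_PER_GB_MONTH = 0.03   # $ per GB-month stored

def monthly_log_cost(gb_ingested_per_month, gb_retained):
    """Estimate one month's CloudWatch Logs bill, split into
    ingestion and storage components."""
    ingestion = gb_ingested_per_month * INGEST_PER_GB
    storage = gb_retained * STORAGE_PER_GB_MONTH
    return ingestion, storage

# Example: 200 GB ingested this month, 1 TB retained in total.
ingestion, storage = monthly_log_cost(200, 1024)
print(f"Ingestion: ${ingestion:.2f}, storage: ${storage:.2f}")
# Ingestion: $100.00, storage: $30.72
```

Even with a terabyte retained, the storage line item is dwarfed by ingesting a fraction of that volume.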

Strategies to Curb CloudWatch Log Storage Costs

1. Streamline Your Logging

One of the crucial steps to managing your CloudWatch log storage costs lies in streamlining your logging. Unfortunately, an all-too-common oversight is excessive logging, which often passes under the radar but significantly bloats your storage costs.

Consider this: do all your logs contribute valuable insights? Redundant and verbose logging may seem harmless, but it can rapidly inflate your storage costs while offering minimal added value. Therefore, conducting a comprehensive review of your logging practices and streamlining them to maintain only logs that deliver substantial insights is crucial.

Search for log levels in the CloudWatch Logs console.

Identify the components that create noise in your logs and fine-tune their logging levels to optimize their output. Take Apache Solr as a case in point. Enabling INFO logging here can provide detailed search statistics, which is an asset when troubleshooting search performance issues. But beware! It can also lead to a cost surge into the thousands of dollars every month, especially if your Apache Solr server experiences heavy traffic.

A savvy approach would be to use INFO logging sparingly and only activate it when needed for troubleshooting. For example, in normal operation, you should limit your Apache Solr messages to WARN and ERROR levels, which can be directly sent to CloudWatch. This strategy can offer significant cost benefits without compromising on the required functionality.

2. Leverage Log Expiry

CloudWatch Logs lets you set a retention period per log group. Once it elapses, older log events are automatically deleted, saving storage costs. By default, logs are kept indefinitely. Review your retention policies and align them with your compliance and business needs. Tools such as aws-cloudwatch-log-minder can help you automate this process.

The predefined retention periods in the CloudWatch Logs console.
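If you prefer scripting this yourself, the PutRetentionPolicy API can set a retention period on every log group that lacks one. A minimal boto3-style sketch; the client is passed in so you can supply `boto3.client("logs")` in practice, and the retention value must be one of the API’s allowed choices:

```python
def apply_retention(logs_client, days=30):
    """Set a retention period on every log group that has none.

    `logs_client` is expected to behave like boto3's CloudWatch Logs
    client (e.g. boto3.client("logs")).
    """
    paginator = logs_client.get_paginator("describe_log_groups")
    updated = []
    for page in paginator.paginate():
        for group in page["logGroups"]:
            # Log groups without "retentionInDays" are kept forever.
            if "retentionInDays" not in group:
                logs_client.put_retention_policy(
                    logGroupName=group["logGroupName"],
                    retentionInDays=days,  # must be an allowed value, e.g. 30
                )
                updated.append(group["logGroupName"])
    return updated
```

Running this on a schedule catches log groups that new deployments create with the default unlimited retention.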

3. Optimize Data Ingestion

Data ingestion charges in CloudWatch, incurred when you transmit logs, can accumulate incrementally if not adeptly managed. Therefore, before sending logs to CloudWatch, optimizing data ingestion by implementing log filters and patterns is crucial. This approach ensures that only pertinent logs, indispensable for your operations, are transmitted.

This optimization can be achieved in several ways, depending on the resources at your disposal. Some applications support it natively: Apache, for example, writes to separate error.log and access.log files, which lets you fine-tune which of them gets shipped to CloudWatch. In other scenarios, the configuration lives in the logging framework, such as Log4j in Java or the logging module in Python. Where such fine-grained configuration is not supported, setting an appropriate log level remains a feasible alternative.

Log levels explained in text and numeric format.

A clever approach is segregating log levels into different files within your application. You could, for example, channel WARN and ERROR messages into a separate file and directly ingest that into CloudWatch. INFO messages, on the other hand, could be stored in a different file where log rotation can be enabled. Keeping them locally on the instance and utilizing batch uploads to S3 can offer a cost-effective solution, especially if you need to maintain them beyond instance termination.

Handle different log levels in Python.
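With Python’s standard logging module, that split can be sketched with two file handlers at different levels; the file names here are placeholders for whatever paths your CloudWatch agent and rotation setup actually use:

```python
import logging

def build_logger(name="app",
                 warn_file="app-warn.log",   # tailed by the CloudWatch agent
                 info_file="app-info.log"):  # kept locally, rotated/archived
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)

    # WARNING and above go to the file that gets ingested by CloudWatch.
    warn_handler = logging.FileHandler(warn_file)
    warn_handler.setLevel(logging.WARNING)

    # Everything from INFO up also lands in the local file.
    info_handler = logging.FileHandler(info_file)
    info_handler.setLevel(logging.INFO)

    logger.addHandler(warn_handler)
    logger.addHandler(info_handler)
    return logger

logger = build_logger()
logger.info("cache warmed")        # local file only
logger.error("upstream timeout")   # both files; ingested by CloudWatch
```

The INFO file can then be picked up by logrotate and batch-uploaded to S3, as described above.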

If the separation of log levels proves challenging, carefully evaluate the utility of the information you consider for ingestion. In some cases, WARN and ERROR levels may be sufficient. For applications where you have control over the logged information, ensure you include only valuable, actionable details in your log messages.

Configure the CloudWatch Logs agent to import only NGINX error logs.
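Reconstructing that idea, an amazon-cloudwatch-agent configuration that tails only the error log might look like this (the log group name is illustrative, and the file path depends on your distribution):

```json
{
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/nginx/error.log",
            "log_group_name": "nginx-error",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  }
}
```

Because access.log is simply absent from the `collect_list`, its (usually far larger) volume never incurs ingestion charges.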

It’s worth noting that certain AWS services, such as VPC Flow Logs, ELB access logs, and CloudFront access logs, offer an alternative: delivering logs directly to S3 instead of CloudWatch. Coupled with Athena for searching through the logs when needed, opting for S3 storage can roughly halve your costs for these log types. As always, strategic and thoughtful management of log storage and data ingestion goes a long way toward optimizing your CloudWatch expenditure.

4. Be Wary of Automated CloudWatch Logs Insights Queries

We have seen examples where developers created automated queries in tools such as Grafana to fetch log data for graphs. Because Logs Insights is billed per GB of log data scanned, this can quickly rack up charges of hundreds of dollars every day if the queries scan a lot of data. A better approach is to create a metric filter on the log group, graph the resulting metric on a dashboard, and connect alarms to it.

Create metric filters through the CloudWatch Logs console.
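The same metric filter can be created programmatically. A boto3-style sketch; the log group, metric names, and filter pattern are illustrative, and the client is injectable so `boto3.client("logs")` can be passed in practice:

```python
def create_error_metric(logs_client,
                        log_group="/app/api",
                        metric_name="ErrorCount",
                        namespace="MyApp"):
    """Turn matching log events into a CloudWatch metric.

    Graphing the metric on a dashboard (and alarming on it) avoids
    re-scanning the log group with Logs Insights on every refresh.
    """
    logs_client.put_metric_filter(
        logGroupName=log_group,
        filterName="error-count",
        filterPattern="ERROR",  # matches events containing the term ERROR
        metricTransformations=[{
            "metricName": metric_name,
            "metricNamespace": namespace,
            "metricValue": "1",  # each matching event counts as 1
        }],
    )
```

Once the metric exists, dashboards and alarms read it at metric prices rather than paying per-GB-scanned query costs.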

Conclusion

While CloudWatch is a mighty service, it’s essential for us as AWS specialists to keep a watchful eye on the costs associated with it. By optimizing our logging practices, leveraging built-in features, and thinking strategically about what and how we’re logging, we can prevent our CloudWatch log storage costs from spiraling out of control.

Remember, cost optimization in AWS is an ongoing process — regular audits and revisions of your usage are keys to cost-effective cloud management.
