> ## Documentation Index
> Fetch the complete documentation index at: https://docs.controlplane.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CloudWatch

> Configure log shipping from Control Plane to AWS CloudWatch for real-time monitoring and log analysis.

## Overview

[AWS CloudWatch](https://aws.amazon.com/cloudwatch/) is a comprehensive monitoring and management service designed to provide real-time insights into your AWS resources and applications. It enables you to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS environment.

By utilizing [AWS CloudWatch](https://aws.amazon.com/cloudwatch/), you can gain valuable insights into your system's performance, troubleshoot issues promptly, and maintain a high level of operational health. Its integration with other AWS services makes it an essential tool for maintaining and optimizing your cloud infrastructure.

Follow the steps below to configure log shipping to CloudWatch.

## Step 1 - Credential Procurement

AWS credentials are required to ship logs to CloudWatch.

To obtain AWS credentials and store it, follow the guide here: [AWS key](/reference/secret#amazon-web-services-aws)

## Step 2 - Configure External Logging

External logging can be configured by using either the [UI Console](#enable-logging-using-the-ui-console) or [CLI](#enable-logging-using-the-cli).

<Tip>
  For `groupName` and `streamName` follow [Fluent Bit templating](https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/record-accessor#limitations-of-record_accessor-templating). Use $stream, $location, $provider, $replica, $workload, $gvc, $org, $container, \$version to template.
</Tip>

### Enable Logging using the UI Console

1. From the Control Plane Console UI, click on `Org` in the left menu.
2. Click `External Logs` in the middle context menu.
3. Select `CloudWatch` and fill out the required fields.
4. Select the AWS secret created to authenticate to AWS. Refer to the [credential procurement](#step-1-credential-procurement) section to obtain and configure the necessary credentials.
5. Click `Save`.
6. After the configuration is complete, log entries will be available at CloudWatch within a few minutes.

### Enable Logging using the CLI

The external logging configuration can be created / updated using the CLI's `cpln org patch ORG_NAME -f FILE.yaml` command.

Below is an example of an [Org](/reference/org) manifest (in YAML). Edit and save the YAML as a file and use it as an input to the CLI's `cpln org patch ORG_NAME -f FILE.yaml` command.

Refer to the [credential procurement](#step-1-credential-procurement) section to obtain and configure the necessary credentials.

* Substitute: ORG\_NAME, AWS\_SECRET and possibly the region, retentionDays, groupName and streamName.

```yaml YAML theme={null}
kind: org
name: ORG_NAME
spec:
  logging:
    cloudWatch:
      region: us-east-1
      credentials: //secret/AWS_SECRET
      retentionDays: 7
      groupName: $gvc
      streamName: $workload
```