
AWS Cloudwatch setup with Winston

I have been reading various articles/docs and watching some videos on this topic. My issue is that they all conflict in one way or another.

My goal is to use winston to send all console.logs/error messages from my ec2 server to Cloudwatch so that no logs are ever logged on the ec2 terminal itself.

Points of confusion:

  1. If I use winston-aws-cloudwatch or winston-cloudwatch, do I still need to set up an IAM user on AWS, or will these auto-generate logs within Cloudwatch?
  2. If I set up Cloudwatch as per AWS documentation, will that automatically stream any would-be console.logs from the EC2 server to Cloudwatch, or will it do both? If the first one, then I don't need Winston?
  3. Can I send logs from my local development server to Cloudwatch (just for testing purposes, as soon as it is clear it works, then I would test on staging and finally move it to production) or must it come from an EC2 instance?
  4. I assume the AWS Cloudwatch key is the same as the AWS key I use for the rest of my account?

Present code:

var winston = require('winston'),
  CloudWatchTransport = require('winston-aws-cloudwatch');

// winston 2.x API: transports are passed to the Logger constructor
const logger = new winston.Logger({
  transports: [
    new (winston.transports.Console)({
      timestamp: true,
      colorize: true
    })
  ]
});

const cloudwatchConfig = {
  logGroupName: 'groupName',
  logStreamName: 'streamName',
  createLogGroup: false,
  createLogStream: true,
  awsConfig: {
    // key names the AWS SDK expects; the original aws_access_key_id /
    // aws_secret_access_key keys are ignored by the SDK
    accessKeyId: process.env.AWS_KEY_I_USE_FOR_AWS,
    secretAccessKey: process.env.AWS_SECRET_KEY_I_USE_FOR_AWS,
    region: process.env.REGION_CLOUDWATCH_IS_IN
  },
  formatLog: function (item) {
    return item.level + ': ' + item.message + ' ' + JSON.stringify(item.meta);
  }
};

// winston levels are names, not numbers; 'verbose' is level 3 in the default npm levels
logger.level = 'verbose';

if (process.env.NODE_ENV === 'development') logger.add(CloudWatchTransport, cloudwatchConfig);

// The original fragment here lost its assignment target; a logger.stream
// object (the usual adapter so morgan/express can write through winston)
// is assumed.
logger.stream = {
  write: function (message, encoding) {
    logger.info(message.trim());
  }
};

logger.error('Test log');


    1. Yes
    2. Depends on the transports you configure. If you configure only CloudWatch, then it will only end up there. Currently your code has 2 transports, the normal Console one and the CloudWatchTransport, so with your current code, both.
    3. As long as you specify your keys as you would normally do with any AWS service (S3, DB, ...) you can push logs from your local/dev device to CloudWatch.
    4. Depends on your IAM user if he has the privileges or not. But it is possible yes.
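The following is an added example, not code from the question or the answer, showing the setup the answer describes with the pieces a security reviewer would insist on: the transport list alone decides whether anything reaches the instance's terminal, the AWS credentials come from the SDK's default chain (instance-profile role on EC2, env vars or a profile on a laptop) rather than from awsConfig, the identity gets a least-privilege policy scoped to one log group, and secret-looking metadata keys are redacted before they leave the process. It assumes the winston 2.x and winston-aws-cloudwatch APIs used in the question; the names LOG_GROUP, REGION, ACCOUNT_ID, transportsFor, writerPolicy, formatItem and buildLogger are this example's own, and the account id and region are constructed placeholders.

```javascript
'use strict';

// Constructed placeholders; replace with your own values.
const LOG_GROUP = 'my-app';
const REGION = 'eu-west-1';
const ACCOUNT_ID = '123456789012';

// Metadata keys whose values must never reach CloudWatch.
const SECRET_KEY = /password|secret|token|authorization/i;

// Returns a copy of value with secret-looking keys replaced by a marker.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const k of Object.keys(value)) {
      out[k] = SECRET_KEY.test(k) ? '[REDACTED]' : redact(value[k]);
    }
    return out;
  }
  return value;
}

// formatLog callback for winston-aws-cloudwatch: one line per event, meta
// appended as JSON only when present, secrets redacted first.
function formatItem(item) {
  const hasMeta = item.meta && Object.keys(item.meta).length > 0;
  const meta = hasMeta ? ' ' + JSON.stringify(redact(item.meta)) : '';
  return item.level + ': ' + item.message + meta;
}

// Transport list per NODE_ENV. Console is the only transport that writes to
// the instance's stdout, so production/staging get CloudWatch alone;
// development keeps console and also ships to CloudWatch so the pipeline can
// be tested from a laptop; anything else (e.g. 'test') stays local.
function transportsFor(env, logStreamName) {
  const cloudwatch = {
    name: 'cloudwatch',
    options: {
      logGroupName: LOG_GROUP,
      logStreamName: logStreamName,
      createLogGroup: false,   // create the group out of band, with a retention policy
      createLogStream: true,
      // No accessKeyId/secretAccessKey here: the SDK default credential chain
      // uses the EC2 instance-profile role on a server and AWS_PROFILE or
      // AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY env vars on a developer machine.
      awsConfig: { region: REGION },
      formatLog: formatItem
    }
  };
  const consoleTransport = { name: 'console', options: { timestamp: true, colorize: true } };
  switch (env) {
    case 'production':
    case 'staging':
      return [cloudwatch];
    case 'development':
      return [consoleTransport, cloudwatch];
    default:
      return [consoleTransport];
  }
}

// Least-privilege IAM policy for whatever identity runs the app (instance role
// on EC2, an IAM user's keys locally): only the actions the transport needs,
// only on this log group and its streams. logs:CreateLogGroup is deliberately
// absent because createLogGroup is false above.
function writerPolicy() {
  const groupArn = 'arn:aws:logs:' + REGION + ':' + ACCOUNT_ID + ':log-group:' + LOG_GROUP;
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['logs:DescribeLogStreams', 'logs:CreateLogStream', 'logs:PutLogEvents'],
      Resource: [groupArn, groupArn + ':*']
    }]
  };
}

// Builds the winston 2.x logger from the list above. Returns null when winston
// or winston-aws-cloudwatch is not installed, so the rest of this file still runs.
function buildLogger(env, logStreamName) {
  let winston, CloudWatchTransport;
  try {
    winston = require('winston');
    CloudWatchTransport = require('winston-aws-cloudwatch');
  } catch (e) {
    return null;
  }
  const logger = new winston.Logger({ transports: [] });
  for (const t of transportsFor(env, logStreamName)) {
    if (t.name === 'console') logger.add(winston.transports.Console, t.options);
    else logger.add(CloudWatchTransport, t.options);
  }
  return logger;
}

const logger = buildLogger(process.env.NODE_ENV || 'test', 'web-' + process.pid);
if (logger) logger.error('Test log', { user: 'bob', password: 'hunter2' });
```

Attach the policy from writerPolicy() to the EC2 instance role (or, for local testing, to the IAM user whose keys sit in your AWS profile), create the log group beforehand with a retention period, and set NODE_ENV=production on the server; with no Console transport in that list, nothing is written to the instance.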