# Forwarding AWS CloudWatch Logs to Sentry via the OpenTelemetry Protocol (OTLP)

This guide shows you how to collect AWS CloudWatch logs and forward them to Sentry using the OpenTelemetry Collector with the [AWS CloudWatch Receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awscloudwatchreceiver).

## [Prerequisites](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#prerequisites)

Before you begin, ensure you have:

* AWS credentials configured with permissions to read CloudWatch logs
* A Sentry project to send data to

## [Step 1: Install the OpenTelemetry Collector](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#step-1-install-the-opentelemetry-collector)

The AWS CloudWatch Receiver is included in the [OpenTelemetry Collector Contrib](https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib) distribution. You'll need to download and install this version, as the standard `otelcol` binary does not include the AWS CloudWatch Receiver.

Download the latest `otelcol-contrib` binary from the [OpenTelemetry Collector releases page](https://github.com/open-telemetry/opentelemetry-collector-releases/releases).

## [Step 2: Configure AWS Credentials](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#step-2-configure-aws-credentials)

The AWS CloudWatch Receiver uses the [AWS SDK](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html) for authentication, which supports multiple methods including credentials files and EC2 instance metadata (IMDS).

### [Using an AWS Credentials File](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#using-an-aws-credentials-file)

Configure your AWS credentials using the AWS CLI:

```bash
aws configure
```

This creates a credentials file at `~/.aws/credentials` with your access key and secret.

### [Using IAM Role (EC2)](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#using-iam-role-ec2)

For EC2 environments, attach an IAM role with the `CloudWatchLogsReadOnlyAccess` policy to your instance.

### [Required IAM Permissions](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#required-iam-permissions)

Your AWS credentials need the following permissions:

* `logs:DescribeLogGroups`
* `logs:DescribeLogStreams`
* `logs:GetLogEvents`

## [Step 3: Get Your Sentry OTLP Credentials](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#step-3-get-your-sentry-otlp-credentials)

You'll need your Sentry OTLP endpoint and authentication header. These can be found in your [Sentry Project Settings](https://sentry.io/settings/projects/) under **Client Keys (DSN)** > **OpenTelemetry (OTLP)**.

### [Logs Endpoint](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#logs-endpoint)

```bash
___OTLP_LOGS_URL___
```

### [Authentication Header](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#authentication-header)

```bash
x-sentry-auth: sentry sentry_key=___PUBLIC_KEY___
```

## [Step 4: Configure the Collector](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#step-4-configure-the-collector)

Create a configuration file with the AWS CloudWatch Receiver and the OTLP HTTP exporter configured to send logs to Sentry.

For additional configuration options, see the [AWS CloudWatch Receiver Documentation](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awscloudwatchreceiver).

### [Collect All Log Groups (Autodiscover)](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#collect-all-log-groups-autodiscover)

This configuration automatically discovers and collects logs from all CloudWatch log groups:

`config.yaml`

```yaml
receivers:
  awscloudwatch:
    region: us-east-1
    logs:
      poll_interval: 1m

processors:
  batch:
    send_batch_size: 1024
    send_batch_max_size: 2048
    timeout: "1s"

exporters:
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - awscloudwatch
      processors:
        - batch
      exporters:
        - otlphttp/sentry
```

### [Collect Specific Log Groups by Prefix](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#collect-specific-log-groups-by-prefix)

This configuration discovers log groups matching a specific prefix, useful for collecting logs from specific AWS services like EKS or Lambda:

`config.yaml`

```yaml
receivers:
  awscloudwatch:
    region: us-east-1
    logs:
      poll_interval: 1m
      groups:
        autodiscover:
          limit: 100
          prefix: /aws/lambda/

processors:
  batch:
    send_batch_size: 1024
    send_batch_max_size: 2048
    timeout: "1s"

exporters:
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - awscloudwatch
      processors:
        - batch
      exporters:
        - otlphttp/sentry
```

### [Collect Named Log Groups](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#collect-named-log-groups)

This configuration collects logs from specific, named log groups:

`config.yaml`

```yaml
receivers:
  awscloudwatch:
    region: us-east-1
    logs:
      poll_interval: 1m
      groups:
        named:
          /aws/lambda/my-function:
          /aws/eks/my-cluster/cluster:

processors:
  batch:
    send_batch_size: 1024
    send_batch_max_size: 2048
    timeout: "1s"

exporters:
  otlphttp/sentry:
    logs_endpoint: ___OTLP_LOGS_URL___
    headers:
      x-sentry-auth: "sentry sentry_key=___PUBLIC_KEY___"
    compression: gzip
    encoding: proto

service:
  pipelines:
    logs:
      receivers:
        - awscloudwatch
      processors:
        - batch
      exporters:
        - otlphttp/sentry
```

## [Troubleshooting](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#troubleshooting)

* Verify your AWS credentials are correctly configured and have the required permissions
* Ensure the specified AWS region matches where your CloudWatch log groups are located
* Check that the log group names or prefixes match existing CloudWatch log groups

## [Additional Resources](https://docs.sentry.io/product/drains/otlp-guides/aws-cloudwatch.md#additional-resources)

* [AWS CloudWatch Receiver Documentation](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awscloudwatchreceiver)
* [AWS SDK Authentication](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html)
* [Sentry OpenTelemetry Collector Configuration](https://docs.sentry.io/product/drains/integration/opentelemetry-collector.md)
* [Sentry Logs](https://docs.sentry.io/product/explore/logs.md)