{"id":13813740,"url":"https://github.com/kislyuk/watchtower","last_synced_at":"2025-05-13T18:11:25.502Z","repository":{"id":44946924,"uuid":"36625204","full_name":"kislyuk/watchtower","owner":"kislyuk","description":"Python CloudWatch Logging: Log Analytics and Application Intelligence","archived":false,"fork":false,"pushed_at":"2025-02-25T15:09:59.000Z","size":749,"stargazers_count":803,"open_issues_count":22,"forks_count":115,"subscribers_count":19,"default_branch":"main","last_synced_at":"2025-05-03T07:55:15.834Z","etag":null,"topics":["aws","aws-cloudwatch-logs","cloudwatch-logs","python","python-logging"],"latest_commit_sha":null,"homepage":"https://kislyuk.github.io/watchtower/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kislyuk.png","metadata":{"files":{"readme":"README.rst","changelog":"Changes.rst","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["kislyuk"]}},"created_at":"2015-05-31T22:37:04.000Z","updated_at":"2025-04-29T03:37:56.000Z","dependencies_parsed_at":"2024-01-15T15:47:53.020Z","dependency_job_id":"f3689149-a79e-4eea-962b-5424f21ffd2c","html_url":"https://github.com/kislyuk/watchtower","commit_stats":{"total_commits":255,"total_committers":39,"mean_commits":6.538461538461538,"dds":"0.23529411764705888","last_synced_commit":"eb75a75981f675b16279266acd885234bf851b35"},"previous_names":[],"tags_count":49,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kislyuk%2Fwatchtower","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kislyuk%2Fwatchtower/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kislyuk%2Fwatchtower/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kislyuk%2Fwatchtower/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kislyuk","download_url":"https://codeload.github.com/kislyuk/watchtower/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254000854,"owners_count":21997442,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-cloudwatch-logs","cloudwatch-logs","python","python-logging"],"created_at":"2024-08-04T04:01:28.105Z","updated_at":"2025-05-13T18:11:25.476Z","avatar_url":"https://github.com/kislyuk.png","language":"Python","funding_links":["https://github.com/sponsors/kislyuk"],"categories":["Python","AWS Cloudwatch"],"sub_categories":[],"readme":"Watchtower: Python CloudWatch Logging\n=====================================\nWatchtower is a log handler for `Amazon Web Services CloudWatch Logs\n\u003chttps://aws.amazon.com/blogs/aws/cloudwatch-log-service/\u003e`_.\n\nCloudWatch Logs is a log management service built into AWS. It is conceptually similar to services like Splunk, Datadog,\nand Loggly, but is more lightweight, cheaper, and tightly integrated with the rest of AWS.\n\nWatchtower, in turn, is a lightweight adapter between the `Python logging system\n\u003chttps://docs.python.org/library/logging.html\u003e`_ and CloudWatch Logs. It uses the `boto3 AWS SDK\n\u003chttps://github.com/boto/boto3\u003e`_, and lets you plug your application logging directly into CloudWatch without the need\nto install a system-wide log collector like `awscli-cwlogs \u003chttps://pypi.python.org/pypi/awscli-cwlogs\u003e`_ and round-trip\nyour logs through the instance's syslog. It aggregates logs into batches to avoid sending an API request per each log\nmessage, while guaranteeing a delivery deadline (60 seconds by default).\n\nInstallation\n~~~~~~~~~~~~\n::\n\n pip install watchtower\n\nSynopsis\n~~~~~~~~\nInstall `awscli \u003chttps://pypi.python.org/pypi/awscli\u003e`_ and set your AWS credentials (run ``aws configure``).\n\n.. code-block:: python\n\n import watchtower, logging\n logging.basicConfig(level=logging.INFO)\n logger = logging.getLogger(__name__)\n logger.addHandler(watchtower.CloudWatchLogHandler())\n logger.info(\"Hi\")\n logger.info(dict(foo=\"bar\", details={}))\n\nAfter running the example, you can see the log output in your `AWS console\n\u003chttps://console.aws.amazon.com/cloudwatch/home\u003e`_ under the **watchtower** log group.\n\nIAM permissions\n~~~~~~~~~~~~~~~\nThe process running watchtower needs to have access to IAM credentials to call the CloudWatch Logs API. The standard\nprocedure for loading and configuring credentials is described in the\n`Boto3 Credentials documentation \u003chttps://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html\u003e`_.\nWhen running Watchtower on an EC2 instance or other AWS compute resource, boto3 automatically loads credentials from\n`instance metadata \u003chttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html\u003e`_ (IMDS) or\ncontainer credentials provider (AWS_WEB_IDENTITY_TOKEN_FILE or AWS_CONTAINER_CREDENTIALS_FULL_URI). The easiest way to\ngrant the right permissions to the IAM role associated with these credentials is by attaching an AWS\n`managed IAM policy \u003chttps://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\u003e`_ to the\nrole. While AWS provides no generic managed CloudWatch Logs writer policy, we recommend that you use the\n``arn:aws:iam::aws:policy/AWSOpsWorksCloudWatchLogs`` managed policy, which has just the right permissions without being\noverly broad.\n\nLog Group Tagging\n~~~~~~~~~~~~~~~~~\nWatchtower supports the tagging of log groups. This can be done by adding the parameter ``log_group_tags`` to the\n``CloudWatchLogHandler`` constructor. This parameter should be a dictionary of tags to apply to the log group.\n\nIf you want to add tags to the log group you will need to add permission for the ``logs:TagResource`` action to your\npolicy. This will need to be in addition to the AWSOpsWorksCloudWatchLogs policy. (Note: the older ``logs:TagLogGroup``\npermission is for the ``tag_log_group()`` call which is on the path to deprecation and is not used by Watchtower.)\n\nExample: Flask logging with Watchtower\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nUse the following configuration to send Flask logs to a CloudWatch Logs stream called \"loggable\":\n\n.. code-block:: python\n\n import watchtower, flask, logging\n\n logging.basicConfig(level=logging.INFO)\n app = flask.Flask(\"loggable\")\n handler = watchtower.CloudWatchLogHandler(log_group_name=app.name)\n app.logger.addHandler(handler)\n logging.getLogger(\"werkzeug\").addHandler(handler)\n\n @app.route('/')\n def hello_world():\n return 'Hello World!'\n\n if __name__ == '__main__':\n app.run()\n\n(See also `http://flask.pocoo.org/docs/errorhandling/ \u003chttp://flask.pocoo.org/docs/errorhandling/\u003e`_.)\n\nExample: Django logging with Watchtower\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nThis is an example of Watchtower integration with Django. In your Django project, add the following to ``settings.py``:\n\n.. code-block:: python\n\n import boto3\n\n AWS_REGION_NAME = \"us-west-2\"\n\n boto3_logs_client = boto3.client(\"logs\", region_name=AWS_REGION_NAME)\n\n LOGGING = {\n 'version': 1,\n 'disable_existing_loggers': False,\n 'root': {\n 'level': 'DEBUG',\n # Adding the watchtower handler here causes all loggers in the project that\n # have propagate=True (the default) to send messages to watchtower. If you\n # wish to send only from specific loggers instead, remove \"watchtower\" here\n # and configure individual loggers below.\n 'handlers': ['watchtower', 'console'],\n },\n 'handlers': {\n 'console': {\n 'class': 'logging.StreamHandler',\n },\n 'watchtower': {\n 'class': 'watchtower.CloudWatchLogHandler',\n 'boto3_client': boto3_logs_client,\n 'log_group_name': 'YOUR_DJANGO_PROJECT_NAME',\n # Decrease the verbosity level here to send only those logs to watchtower,\n # but still see more verbose logs in the console. See the watchtower\n # documentation for other parameters that can be set here.\n 'level': 'DEBUG'\n }\n },\n 'loggers': {\n # In the debug server (`manage.py runserver`), several Django system loggers cause\n # deadlocks when using threading in the logging handler, and are not supported by\n # watchtower. This limitation does not apply when running on production WSGI servers\n # (gunicorn, uwsgi, etc.), so we recommend that you set `propagate=True` below in your\n # production-specific Django settings file to receive Django system logs in CloudWatch.\n 'django': {\n 'level': 'DEBUG',\n 'handlers': ['console'],\n 'propagate': False\n }\n # Add any other logger-specific configuration here.\n }\n }\n\nUsing this configuration, logs from Django will be sent to Cloudwatch in the log group ``YOUR_DJANGO_PROJECT_NAME``.\nTo supply AWS credentials to this configuration in development, set your \n`AWS CLI profile settings \u003chttps://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html\u003e`_ with\n``aws configure``. To supply credentials in production or when running on an EC2 instance,\nassign an IAM role to your instance, which will cause boto3 to automatically ingest IAM role credentials from\n`instance metadata \u003chttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html\u003e`_.\n\n(See also the `Django logging documentation \u003chttps://docs.djangoproject.com/en/dev/topics/logging/\u003e`_.)\n\nExamples: Querying CloudWatch logs\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nThis section is not specific to Watchtower. It demonstrates the use of awscli and jq to read and search CloudWatch logs\non the command line.\n\nFor the Flask example above, you can retrieve your application logs with the following two commands::\n\n aws logs get-log-events --log-group-name watchtower --log-stream-name loggable | jq '.events[].message'\n aws logs get-log-events --log-group-name watchtower --log-stream-name werkzeug | jq '.events[].message'\n\nIn addition to the raw get-log-events API, CloudWatch Logs supports\n`extraction of your logs into an S3 bucket \u003chttps://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html\u003e`_,\n`log analysis with a query language \u003chttps://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html\u003e`_,\nand alerting and dashboards based on `metric filters\n\u003chttp://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/FilterAndPatternSyntax.html\u003e`_, which are pattern\nrules that extract information from your logs and feed it to alarms and dashboard graphs. If you want to make use of\nthese features on the command line, the author of Watchtower has published an open source CLI toolkit called\n`aegea \u003chttps://github.com/kislyuk/aegea\u003e`_ that includes the commands ``aegea logs`` and ``aegea grep`` to easily\naccess the S3 Export and Insights features.\n\nExamples: Python Logging Config\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nThe Python ``logging.config`` module has the ability to provide a configuration file that can be loaded in order to\nseparate the logging configuration from the code.\n\nThe following are two example YAML configuration files that can be loaded using PyYAML. The resulting ``dict`` object\ncan then be loaded into ``logging.config.dictConfig``. The first example is a basic example that relies on the default\nconfiguration provided by ``boto3``:\n\n.. code-block:: yaml\n\n # Default AWS Config\n version: 1\n disable_existing_loggers: False\n handlers:\n console:\n class: logging.StreamHandler\n level: DEBUG\n stream: ext://sys.stdout\n logfile:\n class: logging.handlers.RotatingFileHandler\n level: DEBUG\n filename: watchtower.log\n maxBytes: 1000000\n backupCount: 3\n watchtower:\n class: watchtower.CloudWatchLogHandler\n level: DEBUG\n log_group_name: watchtower\n log_stream_name: \"{logger_name}-{strftime:%y-%m-%d}\"\n send_interval: 10\n create_log_group: False\n root:\n level: DEBUG\n propagate: True\n handlers: [console, logfile, watchtower]\n loggers:\n botocore:\n level: INFO\n urllib3:\n level: INFO\n\nThe above works well if you can use the default boto3 credential configuration, or rely on environment variables.\nHowever, sometimes one may want to use different credentials for logging than used for other functionality;\nin this case the ``boto3_profile_name`` option to Watchtower can be used to provide a boto3 profile name:\n\n.. code-block:: yaml\n\n # AWS Config Profile\n version: 1\n ...\n handlers:\n ...\n watchtower:\n boto3_profile_name: watchtowerlogger\n ...\n\nFinally, the following shows how to load the configuration into the working application:\n\n.. code-block:: python\n\n import logging.config\n\n import flask\n import yaml\n\n app = flask.Flask(\"loggable\")\n\n @app.route('/')\n def hello_world():\n return 'Hello World!'\n\n if __name__ == '__main__':\n with open('logging.yml') as log_config:\n config_yml = log_config.read()\n config_dict = yaml.safe_load(config_yml)\n logging.config.dictConfig(config_dict)\n app.run()\n\nLog stream naming\n~~~~~~~~~~~~~~~~~\nFor high volume logging applications that utilize process pools, it is recommended that you keep the default log stream\nname (``{machine_name}/{program_name}/{logger_name}/{process_id}``) or otherwise make it unique per source using a\ncombination of these template variables. Because logs must be submitted sequentially to each log stream, independent\nprocesses sending logs to the same log stream will encounter sequence token synchronization errors and spend extra resources\nautomatically recovering from them. As the number of processes increases, this overhead will grow until logs fail to\ndeliver and get dropped (causing a warning on stderr). Partitioning logs into streams by source avoids this contention.\n\nBoto3/botocore/urllib3 logs\n~~~~~~~~~~~~~~~~~~~~~~~~~~~\nBecause watchtower uses boto3 to send logs, the act of sending them generates a number of DEBUG level log messages\nfrom boto3's dependencies, botocore and urllib3. To avoid generating a self-perpetuating stream of log messages,\n``watchtower.CloudWatchLogHandler`` attaches a\n`filter \u003chttps://docs.python.org/3/library/logging.html#logging.Handler.addFilter\u003e`_ to itself which drops all DEBUG\nlevel messages from these libraries, and drops all messages at all levels from them when shutting down (specifically,\nin ``watchtower.CloudWatchLogHandler.flush()`` and ``watchtower.CloudWatchLogHandler.close()``). The filter does not\napply to any other handlers you may have processing your messages, so the following basic configuration will cause\nbotocore debug logs to print to stderr but not to Cloudwatch:\n\n.. code-block:: python\n\n import watchtower, logging\n logging.basicConfig(level=logging.DEBUG)\n logger = logging.getLogger()\n logger.addHandler(watchtower.CloudWatchLogHandler())\n\nAWS Lambda\n~~~~~~~~~~\nWatchtower is not suitable or necessary for applications running on AWS Lambda. All AWS Lambda logs (i.e. all lines\nprinted to stderr by the runtime in the Lambda) are automatically sent to CloudWatch Logs, into\n`log groups under the /aws/lambda/ prefix \u003chttps://console.aws.amazon.com/cloudwatch/home?#logsV2:log-groups$3FlogGroupNameFilter$3D$252Faws$252Flambda\u003e`_.\n\nAWS Lambda `suspends (freezes) all processes in its execution environment \u003chttps://docs.aws.amazon.com/lambda/latest/dg/runtimes-context.html\u003e`_\nonce the invocation is complete and until the next invocation, if any. This means any asynchronous background\nprocesses and threads, including watchtower, will be suspended and inoperable, so watchtower cannot function\ncorrectly in this execution model.\n\nAuthors\n~~~~~~~\n* Andrey Kislyuk\n\nLinks\n~~~~~\n* `Project home page (GitHub) \u003chttps://github.com/kislyuk/watchtower\u003e`_\n* `Documentation \u003chttps://kislyuk.github.io/watchtower/\u003e`_\n* `Package distribution (PyPI) \u003chttps://pypi.python.org/pypi/watchtower\u003e`_\n* `AWS CLI CloudWatch Logs plugin \u003chttps://pypi.python.org/pypi/awscli-cwlogs\u003e`_\n* `Docker awslogs adapter \u003chttps://github.com/docker/docker/blob/master/daemon/logger/awslogs/cloudwatchlogs.go\u003e`_\n\nBugs\n~~~~\nPlease report bugs, issues, feature requests, etc. on `GitHub \u003chttps://github.com/kislyuk/watchtower/issues\u003e`_.\n\nVersioning\n~~~~~~~~~~\nThis package follows the `Semantic Versioning 2.0.0 \u003chttp://semver.org/\u003e`_ standard. To control changes, it is\nrecommended that application developers pin the package version and manage it using `pip-tools\n\u003chttps://github.com/jazzband/pip-tools\u003e`_ or similar. For library developers, pinning the major version is\nrecommended.\n\nLicense\n~~~~~~~\nLicensed under the terms of the `Apache License, Version 2.0 \u003chttp://www.apache.org/licenses/LICENSE-2.0\u003e`_.\n\n.. image:: https://github.com/kislyuk/watchtower/workflows/CI/badge.svg\n :target: https://github.com/kislyuk/watchtower/actions\n.. image:: https://codecov.io/github/kislyuk/watchtower/coverage.svg?branch=master\n :target: https://codecov.io/github/kislyuk/watchtower?branch=master\n.. image:: https://img.shields.io/pypi/v/watchtower.svg\n :target: https://pypi.python.org/pypi/watchtower\n.. image:: https://img.shields.io/pypi/l/watchtower.svg\n :target: https://pypi.python.org/pypi/watchtower\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkislyuk%2Fwatchtower","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkislyuk%2Fwatchtower","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkislyuk%2Fwatchtower/lists"}