Access Logs Configuration
Define a LogGroup:
MyApiLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub /aws/apigateway/states/${AWS::StackName}-Logs
Assign the LogGroup to the AccessLogSettings property of the HttpApi:
MyApi:
Type: AWS::Serverless::HttpApi
Properties:
StageName: !Ref Stage
AccessLogSettings:
DestinationArn: !GetAtt MyApiLogGroup.Arn
Format: '{"requestTime":"$context.requestTime","requestId":"$context.requestId","httpMethod":"$context.httpMethod","path":"$context.path","routeKey":"$context.routeKey","status":$context.status,"responseLatency":$context.responseLatency}'
Access Logs Format
General Info:
{
"requestTime": "$context.requestTime",
"requestId": "$context.requestId",
"httpMethod": "$context.httpMethod",
"path": "$context.path",
"resourcePath": "$context.resourcePath", // Not supported by HTTP API. Used $routeKey instead.
"routeKey": "$context.routeKey", // Only supported by HTTP API
"status": $context.status, // Note: no quotation marks around the value
"responseLatency": $context.responseLatency, // Note: no quotation marks around the value
"xrayTraceId": "$context.xrayTraceId" // Optional -- only if using X-Ray. Not supported by HTTP API
}
Integration Info:
{
"integrationRequestId": "$context.integration.requestId", // Most important!
"functionResponseStatus": "$context.integration.status",
"integrationLatency": "$context.integration.latency",
"integrationServiceStatus": "$context.integration.integrationStatus"
}
All Variables (data models, authorizers, mapping templates, and CloudWatch access logging):
| $context.accountId | $context.apiId |
| $context.authorizer.claims.property | $context.authorizer.principalId |
| $context.authorizer.property | $context.awsEndpointRequestId |
| $context.domainName | $context.domainPrefix |
| $context.error.message | $context.error.messageString |
| $context.error.responseType | $context.error.validationErrorString |
| $context.extendedRequestId | $context.httpMethod |
| $context.identity.accountId | $context.identity.apiKey |
| $context.identity.apiKeyId | $context.identity.caller |
| $context.identity.cognitoAuthenticationProvider | $context.identity.cognitoAuthenticationType |
| $context.identity.cognitoIdentityId | $context.identity.cognitoIdentityPoolId |
| $context.identity.principalOrgId | $context.identity.sourceIp |
| $context.identity.clientCert.clientCertPem | $context.identity.clientCert.subjectDN |
| $context.identity.clientCert.issuerDN | $context.identity.clientCert.serialNumber |
| $context.identity.clientCert.validity.notBefore | $context.identity.clientCert.validity.notAfter |
| $context.identity.user | $context.identity.userAgent |
| $context.identity.userArn | $context.path |
| $context.protocol | $context.requestId |
| $context.requestOverride.header.header_name | $context.requestOverride.path.path_name |
| $context.requestOverride.querystring.querystring_name | $context.responseOverride.header.header_name |
| $context.responseOverride.status | $context.requestTime |
| $context.requestTimeEpoch | $context.resourceId |
| $context.resourcePath | $context.stage |
| $context.wafResponseCode | $context.webaclArn |
Specific to Access Logging
| $context.authorize.latency | $context.authorize.status |
| $context.authorizer.error | $context.authorizer.integrationLatency |
| $context.authorizer.integrationStatus | $context.authorizer.latency |
| $context.authorizer.requestId | $context.authorizer.status |
| $context.authenticate.error | $context.authenticate.latency |
| $context.authenticate.status | $context.customDomain.basePathMatched |
| $context.integration.error | $context.integration.integrationStatus |
| $context.integration.latency | $context.integration.requestId |
| $context.integration.status | $context.integrationErrorMessage |
| $context.integrationLatency | $context.integrationStatus |
| $context.responseLatency | $context.responseLength |
| $context.status | $context.waf.error |
| $context.waf.latency | $context.waf.status |
| $context.xrayTraceId |
See API Gateway mapping template and access logging variable reference