Skip to content

Add CloudWatch logs export to egress private endpoints doc #21658

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jhlodin wants to merge 2 commits into
base: main
Choose a base branch
from
+28 −0
Open

Add CloudWatch logs export to egress private endpoints doc #21658

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2bae2c4
Add CloudWatch logs export to egress private endpoints doc
jhlodin Dec 15, 2025
b085241
Merge branch 'main' into jl/doc-14843
jhlodin Dec 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions src/current/cockroachcloud/egress-private-endpoints.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,28 @@ curl https://cockroachlabs.cloud/api/v1/clusters/{cluster_id}/networking/egress-
}'
~~~

#### Amazon CloudWatch logs export endpoint

Log export to Amazon CloudWatch requires one private service endpoint per CockroachDB Cloud region, with each endpoint mapping to a respective CloudWatch instance for that region. Since CloudWatch is an AWS-managed service, they are scoped to the AWS account where the endpoint is created. The access keys on the export dictate which CloudWatch account receives the logs.

To export all logs across multiple regions to a single CloudWatch instance, [configure custom DNS](#configure-custom-dns) that maps a CloudWatch instance's domain name for each region to the single instance. In this situation, the `logexport` endpoint sets the `region` field to the region of the CloudWatch instance.

For more information about log export to Amazon CloudWatch, read the [log export documentation]({% link cockroachcloud/export-logs.md %}).

{% include_cached copy-clipboard.html %}
~~~ shell
curl https://cockroachlabs.cloud/api/v1/clusters/{cluster_id}/networking/egress-private-endpoints \
-X POST \
-H "Authorization: Bearer {secret_key}" \
-H 'Content-Type: application/json' \
-d '{
"cluster_id": "{cluster_id}",
"region": "us-east-1",
"target_service_identifier": "com.amazonaws.us-east-1.log",
"target_service_type": "PRIVATE_SERVICE"
}'
~~~

#### MSK cluster endpoint

{% include_cached copy-clipboard.html %}
Expand Down
6 changes: 6 additions & 0 deletions src/current/cockroachcloud/export-logs-advanced.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -509,6 +509,12 @@ To enable log export for your CockroachDB {{ site.data.products.advanced }} clus
Once log export has been enabled, logs generated going forward are sent to the specified cloud sink. Logs are not back-filled to the specified cloud sink.
{{site.data.alerts.end}}

## Send logs over a private cloud connection

You can send logs to Amazon CloudWatch from private egress endpoints on your CockroachDB {{ site.data.products.cloud }} clusters to ensure they are sent over private connections within the cloud service.

To learn more, read the [egress private endpoints documentation]({% link cockroachcloud/egress-private-endpoints.md %}).

## Monitor the status of a log export configuration

To check the status of an existing CockroachDB {{ site.data.products.advanced }} log export configuration, use the following Cloud API command:
Expand Down
Loading