I was recently struggling with getting a CloudWatch alarm on a log filter metric to work. I was refactoring the creation from a CloudFormation template into just Lambda Python code. I was able to get both the filter metric (looking for errors and exceptions in logs) and alarm created.
But, when I tested the alarm, it never went into an alarm state, even when the metric filter showed active data. It was driving me crazy.
Here is a CloudFormation template snippet that creates a CloudTrail trail which also records data events for Lambda invocations and S3 operations, in addition to the typical management events from CloudTrail.

    CloudTrail:
      Type: AWS::CloudTrail::Trail
      DependsOn:
        - SNSTopicPolicy
        - S3BucketPolicy
      Properties:
        S3BucketName:
          Ref: S3Bucket
        SnsTopicName:
          Fn::GetAtt:
            - SNSTopic
            - TopicName
        IsLogging: true
        EnableLogFileValidation: true
        IncludeGlobalServiceEvents: true
        IsMultiRegionTrail: true
        EventSelectors:
          - DataResources:
              - Type: AWS::Lambda::Function
                Values:
                  - arn:aws:lambda
          - DataResources:
              - Type: AWS::S3::Object
                Values:
                  - "arn:aws:s3:::"

I recently tried to schedule an AWS Lambda defined through a SAM template to run every 10 minutes. I used some online cron expression builders but the syntax would not work with CloudWatch.
Somehow, I missed this reference in the Schedule Expressions for Rules. The online expression builder puts * for both day of the month and day of the week.
You cannot use * in both the Day-of-month and Day-of-week fields.
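
The rule above, as an added example that is not part of the original post: a Python helper that turns the five-field expression an online builder produces into the six-field CloudWatch form. The name `to_aws_cron` is hypothetical, and rewriting `*/n` as `start/n` is a choice made here to match the form the AWS documentation shows.

```python
import re


def _step(field: str, start: int) -> str:
    # Rewrite "*/n" as "start/n", the increment form shown in the AWS docs
    # (assumption of this example: both mean "every n, beginning at start").
    return re.sub(r"^\*/(\d+)$", rf"{start}/\1", field)


def to_aws_cron(expr: str) -> str:
    """Convert 'min hour dom month dow' to 'cron(min hour dom month dow year)'."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    minute, hour, dom, month, dow = fields

    # CloudWatch numbers weekdays 1-7 starting at Sunday, while standard cron
    # uses 0-6, so a numeric value would silently shift by one day.
    if re.search(r"\d", dow):
        raise ValueError("use SUN-SAT names for day-of-week, not numbers")

    # One of day-of-month / day-of-week must be '?'; '*' in both is rejected.
    if dow == "*":
        dow = "?"
    elif dom == "*":
        dom = "?"
    else:
        raise ValueError("cannot set both day-of-month and day-of-week")

    minute, hour = _step(minute, 0), _step(hour, 0)
    dom, month = _step(dom, 1), _step(month, 1)
    # The sixth field is the year, which five-field cron does not have.
    return f"cron({minute} {hour} {dom} {month} {dow} *)"


if __name__ == "__main__":
    # Constructed sample inputs, as an online builder might emit them.
    for sample in ("*/10 * * * *", "0 8 1 * *", "0 18 * * MON-FRI"):
        print(f"{sample!r:22} -> {to_aws_cron(sample)}")
```

For a fixed interval such as every 10 minutes, `rate(10 minutes)` is the other schedule expression form and avoids the cron fields entirely.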