Amazon EC2 Container Service (ECS) Log Analysis

amazon ecs log analysis

Amazon EC2 Container Service (Amazon ECS) is a management service for running, stopping, and managing Docker containers on top of EC2 servers. These containers run on a cluster of EC2 instances, with ECS handling the automation side of things — the installation and operation of the underlying infrastructure.

All of the familiar Amazon services such as IAM, ELB, VPC, and auto-scaling can be used with these containers — making it a good solution for managing a containerized app that is scalable and robust enough to handle heavy loads.

Security for Docker containers is a touchy issue and is still very much a work-in-progress. There are a number of ways that ECS can help to alleviate the security issue. VPC and IAM are two examples of how to limit access to the Docker containers and their resources.

Logging is another aspect that makes using ECS for managing containers a safe option. ECS is also integrated with CloudTrail, so you can track all of the API calls made by ECS (both by the ECS console and the ECS API) and ship the resulting logs into S3 (here’s a list of the API calls tracked). These logs will provide you with information on the type of request made to ECS, the IP making the request, who made it and when, and more. All of this information important when you are auditing your system and compliance standards.

This article describes how to use the ELK Stack to log ECS. We will be establishing a pipeline of logs from ECS to CloudTrail and from CloudTrail to an S3 bucket. Then, we will pull the data from S3 into using the built-in S3 integration.

Note: Analyzing the logs generated by the Docker containers themselves is an entirely different story. I’ll cover this in part two of this series.


This article assumes that you have an ECS cluster setup in AWS. If you do not have that setup and are just getting started with the service, I highly recommend this Getting Started with ECS console walk-through — it will take you through the steps for setting up a cluster that is servicing a simple web application. I also recommend reading up on the ECS service on the AWS documentation site.

Enabling CloudTrail

Our first step is to enable CloudTrail logging (if you already have this setup, you can skip to the next step).

If CloudTrail has already been enabled, you will be adding a new trail. If this is the first time you are using CloudTrail, just follow the get-started instructions to enable the service. Either way, configuring the new trail is pretty straightforward.

turn on cloudtrail

Give a name for the new trail and configure the S3 bucket to which you will forward the logs. This is the bucket from which we will pull the logs to send them to the ELK Stack.

Click “Create” (or “Turn On,” if this is the first trail you are creating). Any API call made to AWS ECS will now be logged automatically to S3.

A good way to verify this is by using the AWS CLI command (you will need to install AWS CLI):

$ aws cloudtrail aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=ecs

ECS events will be displayed like this:

   "EventId": "55627f7e-4d82-487b-9ce9-b3933bfdf4ce",
   "Username": "root",
   "EventTime": 1470751491.0,
   "CloudTrailEvent": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"Root\",\"principalId\":\"011173820421\",\"arn\":\"arn:aws:iam::011173820421:root\",\"accountId\":\"011173820421\",\"accessKeyId\":\"ASIAID2FMU6DNG5NYTIA\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2016-08-09T07:38:02Z\"}},\"invokedBy\":\"\"},\"eventTime\":\"2016-08-09T14:04:51Z\",\"eventSource\":\"\",\"eventName\":\"CreateLaunchConfiguration\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"\",\"userAgent\":\"\",\"requestParameters\":{\"ebsOptimized\":false,\"instanceMonitoring\":{\"enabled\":true},\"instanceType\":\"t2.medium\",\"associatePublicIpAddress\":true,\"keyName\":\"ecs\",\"launchConfigurationName\":\"EC2ContainerService-demo1-EcsInstanceLc-FYYHK63Y9OG\",\"imageId\":\"ami-55870742\",\"userData\":\"\\u003csensitiveDataRemoved\\u003e\",\"securityGroups\":[\"sg-87e71efd\"],\"iamInstanceProfile\":\"ecsInstanceRole\"},\"responseElements\":null,\"requestID\":\"3d806f0f-5e3a-11e6-b769-a5b2e233c878\",\"eventID\":\"55627f7e-4d82-487b-9ce9-b3933bfdf4ce\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"011173820421\"}",
   "EventName": "CreateLaunchConfiguration",
   "Resources": [
         "ResourceType": "AWS::EC2::SecurityGroup",
         "ResourceName": "sg-87e71efd"
         "ResourceType": "AWS::AutoScaling::LaunchConfiguration",
         "ResourceName": "EC2ContainerService-demo1-EcsInstanceLc-FYYHK63Y9OG"
         "ResourceType": "AWS::IAM::InstanceProfile",
         "ResourceName": "ecsInstanceRole"
         "ResourceType": "AWS::EC2::KeyPair",
         "ResourceName": "ecs"
         "ResourceType": "AWS::EC2::Ami",
         "ResourceName": "ami-55870742"

Shipping ECS event logs to

Now, it starts to get interesting. We’ve verified that API calls to the ECS service are being tracked by CloudTrail, so our next step is to configure our shipping pipeline from CloudTrail into the ELK Stack for further analysis.

To do this, we first need to make sure that you have the correct permissions to list buckets and get objects from all the paths under it.

Make sure that your IAM user has the following policies attached (replace “ecseventlogs” with the name of your S3 bucket):

      "Sid": "Stmt1467037144000",
      "Effect": "Allow",
      "Action": [
      "Resource": [
      "Sid": "Stmt1467037240000",
      "Effect": "Allow",
      "Action": [
      "Resource": [

Be sure to make note of the user credentials because our next step is to define the bucket in (this is under the Security Credentials tab on the User page).

Open the Log Shipping tab in the UI, and select the AWS -> CloudTrail Bucket section:

read cloudtrail logs

Enter the details of the S3 bucket that contains your ECS CloudTrail logs — the bucket name, the bucket path (e.g. /AWSLogs/011173820421/CloudTrail/), and the user credentials (access and security keys).

Click “save.” You should get a green message that confirms that your S3 bucket can now be accessed. If not, there is most likely a permissions issue — check out this troubleshooting article for more information.

Open the Discover tab in the Kibana dashboard that is built into the user interface. Your ECS logs will be displayed:

analyze ecs logs will parse CloudTrail logs for you, but you will need to refresh the mapping by opening the Setting page and clicking the Refresh Mapping button.

Analyzing ECS events

You have successfully established an event logging pipeline from CloudTrail into the ELK Stack, so all API calls made to ECS will now be displayed in your Kibana dashboard.

To get better visibility into the messages being logged, add some fields to the message list. For example, select the “eventName” and “eventResource” fields. This will allow you to see which AWS service is generating the event:

analyzing ecs events

Since multiple AWS services including EC2 and ELB are involved in running an ECS cluster, you will see a considerable number of events being tracked by CloudTrail. As an initial step, it’s a good idea to filter the messages using this query in Kibana:

You can now see a more distilled view of the API calls to ECS:

api calls to ecs

Selecting one of the entries, we will be able to view the logged message as it was indexed in Elasticsearch in JSON format:

   "_index": "logz-pusfjuomruyfnhdfzltthhjuiogamcvd-160810_v1",
   "_type": "cloudtrail",
   "_id": "AVZza9gdhGlaWDHRdu3A",
   "_score": null,
   "_source": {
      "eventID": "aaa65dc3-18e0-4e2d-b358-5ae7f2b9ff53",
      "awsRegion": "us-east-1",
      "geoip": {
         "city_name": "Tel Aviv",
         "timezone": "Asia/Jerusalem",
         "ip": "",
         "latitude": 32.0667,
         "country_code2": "IL",
         "country_name": "Israel",
         "country_code3": "ISR",
         "continent_code": "AS",
         "region_name": "05",
         "location": [
         "real_region_name": "Tel Aviv",
        "longitude": 34.766699999999986
      "eventVersion": "1.04",
      "responseElements": null,
      "sourceIPAddress": "",
      "eventSource": "",
      "requestParameters": {
         "maxResults": 100
      "userAgent": "",
      "userIdentity": {
         "accessKeyId": "ASIAJVYANKOS2U2EZQDQ",
         "sessionContext": {
            "attributes": {
            "mfaAuthenticated": "false",
      "creationDate": "2016-08-10T06:27:54Z"
      "accountId": "011173820421",
      "principalId": "011173820421",
      "type": "Root",
      "arn": "arn:aws:iam::011173820421:root"
   "eventType": "AwsApiCall",
   "type": "cloudtrail",
   "tags": [
   "@timestamp": "2016-08-10T07:41:30.000+00:00",
   "requestID": "5ffdab4d-fc83-4927-9ad3-4c990daf1a9f",
   "eventTime": "2016-08-10T07:41:30Z",
   "eventName": "ListClusters",
   "recipientAccountId": "011173820421"
 "fields": {
   "@timestamp": [
"highlight": {
   "eventSource": [

   "sort": [

Building an ECS Events dashboard

One of Kibana’s strengths is its easy ability to build beautiful visualizations on top of searches and queries. As an example, here is how you can build a security-oriented dashboard that can track who is accessing your ECS cluster and how.

Source IP Addresses

Let’s start with a simple visualization depicting the top source IP addresses. To do this, save the query above and use it for a new data table visualization (in Kibana, go to Visualize → Pie chart, and select the saved search).

The configuration for the table will display split rows of the top five values for the “sourceIPAddress” field. The configuration and the resulting visualization will look like this:

source ip table

Geomap for API calls

Our next visualization will create a map that details the geographic location of the ECS service consumers.

Using the same search, this time we’re going to select the “Tilemap” visualization type. The configuration is automatically loaded in this case (using the “geoip.location” field of the CloudTrail logs).

Here is the configuration and the end result:

geographic map of ip addresses

ECS Events Over Time

Another example is to show the number of calls to ECS over time. To do this, create a line chart visualization with an X-axis using the Date Histogram aggregation type.

The configuration and visualization:

ecs events over time

These are just three examples of visualizing the data in Kibana. Once you have a number of these visualizations set up, you can combine them into one comprehensive dashboard.

It goes without saying that there are many ways to slice and dice ECS data, and the method that you will use will depend on your use case and what specific information you are trying to analyze and visualize. comes with a built-in ELK Apps library of pre-made visualizations and dashboards — including ones for CloudTrail logs. Saving you the time of constructing visualizations one by one, you can install these apps in one click. A popular ELK app is the CloudTrail security and auditing dashboard, which includes visualizations for login and deletion actions, users, and other security and network related graphs.

Coming Next: Docker

By shipping CloudTrail logs into ELK, you can get a well-detailed picture on the API calls made to ECS.

Again, these are high-level logs and do not reveal information on what is transpiring within the Docker containers themselves. To monitor containers, a completely different solution is needed in which Docker logs, together with additional available Docker info (e.g. Docker stats, Docker daemon events) are collected from the containers. The next piece in this series will cover this aspect.

Observability at scale, powered by open source

Internal Live. Join the weekly live demo.
DevOps Pulse 2022: Observability Trends and Challenges.
Forrester Observability Snapshot.

Centralize Server Monitoring With

See Plans