search_cloudwatch_logs
Search AWS CloudWatch logs with filter patterns to find specific events, errors, or metrics within log groups for troubleshooting and monitoring.
Instructions
Search CloudWatch logs using a filter pattern (e.g., 'ERROR', 'Exception').
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| log_group_name | Yes | Name of the Log Group. | |
| filter_pattern | Yes | The filter pattern to use (e.g., 'ERROR', '{ $.latency > 100 }'). | |
| limit | No | Number of events to return (default: 50). | |
| hours | No | Time window in hours (default: 24). | |
| start_time | No | ||
| end_time | No |
Implementation Reference
- src/index.ts:1779-1813 (handler)Handler function that executes the search_cloudwatch_logs tool. Uses AWS CloudWatchLogsClient with FilterLogEventsCommand to query log events matching the filter pattern within a time window.
if (name === "search_cloudwatch_logs") { const groupName = (args as any).log_group_name; const filterPattern = (args as any).filter_pattern; const limit = (args as any)?.limit || 50; const hours = (args as any)?.hours || 24; const endTime = (args as any)?.end_time ? new Date((args as any).end_time).getTime() : Date.now(); const startTime = (args as any)?.start_time ? new Date((args as any).start_time).getTime() : endTime - (hours * 60 * 60 * 1000); try { const command = new FilterLogEventsCommand({ logGroupName: groupName, filterPattern: filterPattern, startTime: startTime, endTime: endTime, limit: limit }); const response = await cloudWatchLogsClient.send(command); const events = response.events?.map(e => ({ Timestamp: new Date(e.timestamp || 0).toISOString(), Message: e.message, LogStreamName: e.logStreamName })) || []; if (events.length === 0) { return { content: [{ type: "text", text: "No matching logs found." }] }; } return { content: [{ type: "text", text: JSON.stringify(events, null, 2) }] }; } catch (err: any) { return { content: [{ type: "text", text: `Error searching logs: ${err.message}` }], isError: true }; } } - src/index.ts:483-508 (schema)Input schema definition and registration of the search_cloudwatch_logs tool in the ListTools response.
name: "search_cloudwatch_logs", description: "Search CloudWatch logs using a filter pattern (e.g., 'ERROR', 'Exception').", inputSchema: { type: "object", properties: { log_group_name: { type: "string", description: "Name of the Log Group." }, filter_pattern: { type: "string", description: "The filter pattern to use (e.g., 'ERROR', '{ $.latency > 100 }')." }, limit: { type: "number", description: "Number of events to return (default: 50)." }, hours: { type: "number", description: "Time window in hours (default: 24)." }, start_time: { type: "string" }, end_time: { type: "string" } }, required: ["log_group_name", "filter_pattern"] } - src/index.ts:94-784 (registration)The tool is registered by including it in the tools array returned by the ListTools handler.
server.setRequestHandler(ListToolsRequestSchema, async () => { return { tools: [ { name: "get_aws_caller_identity", description: "Returns the AWS IAM caller identity (user/role) to verify credentials.", inputSchema: { type: "object", properties: {}, }, }, { name: "list_s3_buckets", description: "Lists all S3 buckets in the AWS account.", inputSchema: { type: "object", properties: { check_public_access: { type: "boolean", description: "If true, checks if buckets have public access enabled." } }, }, }, { name: "list_ec2_instances", description: "Lists EC2 instances in the current region, showing ID, type, state, and public IP.", inputSchema: { type: "object", properties: { region: { type: "string", description: "Optional AWS region to list instances from (overrides default)", }, }, }, }, { name: "list_iam_users", description: "Lists IAM users in the AWS account.", inputSchema: { type: "object", properties: {} } }, { name: "list_recent_cloudtrail_events", description: "Lists recent CloudTrail events to track console access and changes.", inputSchema: { type: "object", properties: { limit: { type: "number", description: "Number of events to return (default: 10).", }, lookup_attribute_key: { type: "string", description: "Attribute key to filter by (e.g., 'EventName', 'Username')." }, lookup_attribute_value: { type: "string", description: "Value for the lookup attribute." } } } }, { name: "list_cloudwatch_alarms", description: "Lists CloudWatch alarms, optionally filtering by state.", inputSchema: { type: "object", properties: { state: { type: "string", enum: ["OK", "ALARM", "INSUFFICIENT_DATA"], description: "Filter alarms by state." } } } }, { name: "get_recent_cost", description: "Retrieves daily AWS costs for the specified date range (default: last 7 days).", inputSchema: { type: "object", properties: { start_date: { type: "string", description: "Start date in YYYY-MM-DD format." }, end_date: { type: "string", description: "End date in YYYY-MM-DD format." } } } }, { name: "get_cost_by_service", description: "Retrieves AWS costs broken down by service for the specified date range.", inputSchema: { type: "object", properties: { start_date: { type: "string", description: "Start date in YYYY-MM-DD format." }, end_date: { type: "string", description: "End date in YYYY-MM-DD format." } } } }, { name: "get_cost_breakdown", description: "Detailed cost analysis. If service_name is provided, breaks down that service by Usage Type. Otherwise, breaks down by Service.", inputSchema: { type: "object", properties: { start_date: { type: "string", description: "Start date in YYYY-MM-DD format (default: 14 days ago)." }, end_date: { type: "string", description: "End date in YYYY-MM-DD format." }, service_name: { type: "string", description: "Optional: Specific service to analyze (e.g., 'Amazon Elastic Compute Cloud - Compute')." } } } }, { name: "get_cost_forecast", description: "Predicts future costs for a specified time range.", inputSchema: { type: "object", properties: { start_date: { type: "string", description: "Start date (YYYY-MM-DD)." }, end_date: { type: "string", description: "End date (YYYY-MM-DD)." }, granularity: { type: "string", enum: ["DAILY", "MONTHLY", "HOURLY"], description: "Granularity (default: DAILY)." }, prediction_interval_level: { type: "number", description: "Prediction interval confidence (51-99, default: 80)." } }, required: ["start_date", "end_date"] } }, { name: "get_budget_details", description: "Lists all AWS Budgets along with their status, limits, and current spend.", inputSchema: { type: "object", properties: { account_id: { type: "string", description: "The AWS Account ID (required for Budgets)." } }, required: ["account_id"] } }, { name: "get_cost_anomalies", description: "Retrieves cost anomalies detected by AWS Cost Anomaly Detection.", inputSchema: { type: "object", properties: { start_date: { type: "string", description: "Start date (YYYY-MM-DD)." }, end_date: { type: "string", description: "End date (YYYY-MM-DD)." } }, required: ["start_date", "end_date"] } }, { name: "get_savings_plans_utilization", description: "Retrieves Savings Plans utilization percentages.", inputSchema: { type: "object", properties: { start_date: { type: "string", description: "Start date (YYYY-MM-DD)." }, end_date: { type: "string", description: "End date (YYYY-MM-DD)." } }, required: ["start_date", "end_date"] } }, { name: "get_reservation_utilization", description: "Retrieves Reserved Instance (RI) utilization percentages.", inputSchema: { type: "object", properties: { start_date: { type: "string", description: "Start date (YYYY-MM-DD)." }, end_date: { type: "string", description: "End date (YYYY-MM-DD)." } }, required: ["start_date", "end_date"] } }, { name: "get_instance_details", description: "Retrieves detailed information about a specific EC2 instance.", inputSchema: { type: "object", properties: { instance_id: { type: "string", description: "The ID of the EC2 instance." } }, required: ["instance_id"] } }, { name: "list_vpcs", description: "Lists all VPCs in the current region.", inputSchema: { type: "object", properties: {} } }, { name: "list_subnets", description: "Lists subnets with availability zones and available IP counts.", inputSchema: { type: "object", properties: { vpc_id: { type: "string", description: "Optional: Filter by VPC ID." } } } }, { name: "list_route_tables", description: "Lists route tables with their routes and associations.", inputSchema: { type: "object", properties: { vpc_id: { type: "string", description: "Optional: Filter by VPC ID." } } } }, { name: "list_internet_gateways", description: "Lists Internet Gateways and their attachments.", inputSchema: { type: "object", properties: {} } }, { name: "list_nat_gateways", description: "Lists NAT Gateways with their state and public IP.", inputSchema: { type: "object", properties: { vpc_id: { type: "string", description: "Optional: Filter by VPC ID." } } } }, { name: "list_security_groups", description: "Lists all security groups.", inputSchema: { type: "object", properties: { vpc_id: { type: "string", description: "Optional: Filter by VPC ID." } } } }, { name: "list_users_without_mfa", description: "Lists IAM users who do not have MFA enabled.", inputSchema: { type: "object", properties: {} } }, { name: "list_old_access_keys", description: "Lists access keys older than 90 days (or specified days).", inputSchema: { type: "object", properties: { days: { type: "number", description: "Number of days threshold (default: 90)." } } } }, { name: "list_expiring_certificates", description: "Lists ACM certificates expiring within the specified days.", inputSchema: { type: "object", properties: { days: { type: "number", description: "Number of days threshold (default: 30)." } } } }, { name: "list_rds_instances", description: "Lists RDS instances with engine versions and status.", inputSchema: { type: "object", properties: {} } }, { name: "list_lambda_functions", description: "Lists Lambda functions with runtimes and last modified dates.", inputSchema: { type: "object", properties: {} } }, { name: "list_backup_jobs", description: "Lists recent backup jobs, optionally filtering by state (default: FAILED).", inputSchema: { type: "object", properties: { state: { type: "string", description: "Filter by job state (e.g., COMPLETED, FAILED, RUNNING). Default: FAILED." }, hours: { type: "number", description: "Look back window in hours (default: 24)." } } } }, { name: "list_open_security_groups", description: "Lists security groups that allow ingress from 0.0.0.0/0 on specified ports (default: 22, 3389).", inputSchema: { type: "object", properties: { ports: { type: "array", items: { type: "number" }, description: "List of ports to check (default: [22, 3389])." } } } }, { name: "list_unused_ebs_volumes", description: "Lists EBS volumes that are available (not attached to any instance).", inputSchema: { type: "object", properties: {} } }, { name: "list_unassociated_eips", description: "Lists Elastic IPs that are not associated with any instance.", inputSchema: { type: "object", properties: {} } }, { name: "list_guardduty_findings", description: "Lists recent high-severity GuardDuty findings.", inputSchema: { type: "object", properties: { severity: { type: "number", description: "Minimum severity level (default: 4)." }, limit: { type: "number", description: "Number of findings to return (default: 10)." } } } }, { name: "get_recent_logs", description: "Retrieves recent log events from a CloudWatch Log Group.", inputSchema: { type: "object", properties: { log_group_name: { type: "string", description: "Name of the Log Group." }, limit: { type: "number", description: "Number of log events to return (default: 20)." } }, required: ["log_group_name"] } }, { name: "search_cloudwatch_logs", description: "Search CloudWatch logs using a filter pattern (e.g., 'ERROR', 'Exception').", inputSchema: { type: "object", properties: { log_group_name: { type: "string", description: "Name of the Log Group." }, filter_pattern: { type: "string", description: "The filter pattern to use (e.g., 'ERROR', '{ $.latency > 100 }')." }, limit: { type: "number", description: "Number of events to return (default: 50)." }, hours: { type: "number", description: "Time window in hours (default: 24)." }, start_time: { type: "string" }, end_time: { type: "string" } }, required: ["log_group_name", "filter_pattern"] } }, { name: "list_cloudtrail_changes", description: "Lists write/mutation events (Create, Update, Delete) for a specific resource or service.", inputSchema: { type: "object", properties: { resource_id: { type: "string", description: "Optional: The Resource ID or Name (e.g., sg-12345, my-bucket)." }, lookup_key: { type: "string", enum: ["ResourceName", "ResourceType", "EventName", "Username"], description: "The attribute to lookup by (default: ResourceName if resource_id provided)." }, lookup_value: { type: "string", description: "The value for the lookup key (required if resource_id is omitted)." }, days: { type: "number", description: "Lookback period in days (default: 7)." } } } }, { name: "list_access_denied_events", description: "Lists recent Access Denied or Unauthorized events from CloudTrail.", inputSchema: { type: "object", properties: { limit: { type: "number", description: "Number of events to return (default: 20)." } } } }, { name: "get_service_health", description: "Lists recent open events from AWS Health Dashboard.", inputSchema: { type: "object", properties: {} } }, { name: "list_load_balancers", description: "Lists all Application and Network Load Balancers.", inputSchema: { type: "object", properties: {} } }, { name: "list_target_groups", description: "Lists all Target Groups.", inputSchema: { type: "object", properties: { load_balancer_arn: { type: "string", description: "Optional: Filter by Load Balancer ARN." } } } }, { name: "list_listener_rules", description: "Lists listeners and routing rules (host, path) for a specified Load Balancer.", inputSchema: { type: "object", properties: { load_balancer_arn: { type: "string", description: "The ARN of the Load Balancer." } }, required: ["load_balancer_arn"] } }, { name: "get_target_health", description: "Retrieves the health of targets in a specified Target Group.", inputSchema: { type: "object", properties: { target_group_arn: { type: "string", description: "The ARN of the Target Group." } }, required: ["target_group_arn"] } }, { name: "list_web_acls", description: "Lists Web ACLs (Global/CloudFront or Regional).", inputSchema: { type: "object", properties: { scope: { type: "string", enum: ["CLOUDFRONT", "REGIONAL"], description: "The scope of the Web ACLs (default: REGIONAL)." } } } }, { name: "get_waf_sampled_requests", description: "Retrieves sampled requests from a Web ACL.", inputSchema: { type: "object", properties: { web_acl_arn: { type: "string", description: "The ARN of the Web ACL." }, rule_metric_name: { type: "string", description: "The metric name of the rule to sample." }, scope: { type: "string", enum: ["CLOUDFRONT", "REGIONAL"], description: "The scope (default: REGIONAL)." }, time_window_seconds: { type: "number", description: "Time window in seconds (e.g., 3600 for 1 hour)." } }, required: ["web_acl_arn", "rule_metric_name"] } }, { name: "check_ip_in_waf", description: "Checks if an IP address exists in any WAF IP Set (Blocklists/Allowlists).", inputSchema: { type: "object", properties: { ip_address: { type: "string", description: "The IP address to check (e.g., 192.168.1.1)." } }, required: ["ip_address"] } }, { name: "get_metric_statistics", description: "Retrieves statistics for a specific CloudWatch metric.", inputSchema: { type: "object", properties: { namespace: { type: "string", description: "The namespace of the metric (e.g., AWS/EC2)." }, metric_name: { type: "string", description: "The name of the metric (e.g., CPUUtilization)." }, dimensions: { type: "array", items: { type: "object", properties: { Name: { type: "string" }, Value: { type: "string" } } }, description: "Array of dimensions (e.g., [{Name: 'InstanceId', Value: 'i-xxx'}])." }, start_time: { type: "string", description: "Start time (ISO string)." }, end_time: { type: "string", description: "End time (ISO string)." }, period: { type: "number", description: "Granularity in seconds (default: 300)." }, statistics: { type: "array", items: { type: "string" }, description: "Statistics to retrieve (e.g., ['Average', 'Maximum'])." } }, required: ["namespace", "metric_name"] } }, { name: "list_sns_topics", description: "Lists all SNS topics.", inputSchema: { type: "object", properties: {} } }, { name: "list_record_sets", description: "Lists DNS records for a given hosted zone.", inputSchema: { type: "object", properties: { hosted_zone_id: { type: "string", description: "The ID of the Hosted Zone." } }, required: ["hosted_zone_id"] } }, { name: "list_hosted_zones", description: "Lists all Route53 Hosted Zones.", inputSchema: { type: "object", properties: {} } }, { name: "list_ecs_clusters", description: "Lists ECS clusters with their status and running task counts.", inputSchema: { "type": "object", "properties": {} } }, { name: "list_ecs_services", description: "Lists services in a specific ECS cluster.", inputSchema: { type: "object", properties: { cluster: { "type": "string", "description": "The name or ARN of the ECS cluster." } }, required: ["cluster"] } }, { name: "list_eks_clusters", description: "Lists EKS clusters in the current region.", inputSchema: { "type": "object", "properties": {} } }, { name: "list_auto_scaling_groups", description: "Lists Auto Scaling Groups with their capacity settings.", inputSchema: { "type": "object", "properties": {} } }, { name: "list_scaling_activities", description: "Describes recent scaling activities for an Auto Scaling Group.", inputSchema: { type: "object", properties: { auto_scaling_group_name: { "type": "string", "description": "The name of the Auto Scaling Group." } }, required: ["auto_scaling_group_name"] } }, { name: "list_cloudfront_distributions", description: "Lists CloudFront distributions with their domain names and status.", inputSchema: { "type": "object", "properties": {} } }, { name: "list_secrets", description: "Lists Secrets Manager secrets (names only).", inputSchema: { "type": "object", "properties": {} } }, { name: "list_ssm_parameters", description: "Lists SSM Parameters (names only).", inputSchema: { "type": "object", "properties": {} } }, { name: "list_cloudformation_stacks", description: "Lists CloudFormation stacks and their status.", inputSchema: { "type": "object", "properties": {} } }, { name: "list_dynamodb_tables", description: "Lists DynamoDB tables.", inputSchema: { "type": "object", "properties": {} } }, { name: "list_trusted_advisor_checks", description: "Lists Trusted Advisor checks available.", inputSchema: { "type": "object", "properties": {} } } ] }; }); - src/index.ts:60-60 (helper)Initialization of the CloudWatchLogsClient used by the tool handler.
const cloudWatchLogsClient = new CloudWatchLogsClient({}); - src/index.ts:26-26 (helper)Import of CloudWatchLogsClient and FilterLogEventsCommand used in the tool implementation.
import { CloudWatchLogsClient, GetLogEventsCommand, DescribeLogStreamsCommand, FilterLogEventsCommand } from "@aws-sdk/client-cloudwatch-logs";