
Ingest AWS Lambda Logs Directly to Reduce Cloud Spend


The fees for sending AWS Lambda function logs to Amazon CloudWatch can add up quickly after you’ve exceeded the limits of their free tier, especially for frequently invoked functions that produce even relatively moderate quantities of log data. You could use New Relic for log analysis, but until recently our solution relied on Amazon CloudWatch to ingest Lambda logs and then forward them to New Relic.

With the AWS Lambda Extensions Logs API, Lambda Extensions now have direct access to the log stream, independent from CloudWatch. And you can take advantage of the newest version of the New Relic Lambda extension to send function logs, in addition to telemetry data, directly to New Relic One to gain unified visibility into your Lambda functions. (Lambda extensions are a new way for observability and other tools to easily integrate with AWS Lambda.)

How does an engineer benefit? You can manage and optimize your cloud spend without compromising observability by sending Lambda function logs directly to New Relic One’s Telemetry Data Platform. In this post, I’ll explain how to configure this, and in my next post we’ll dig deeper into what you can do with New Relic’s Lambda extension, and how it helps you use New Relic One to better understand the behavior and performance of serverless applications hosted in AWS Lambda.

How to configure ingest of Lambda function logs

Configuring this for your functions that already use the extension to send telemetry data is straightforward. You simply change one environment variable and remove the CloudWatch subscription filter. Here’s an example of what that looks like in AWS CloudFormation, using our Go example function:

Resources:
  NewRelicExample:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri:
        Bucket: !Sub newrelic-example-${AWS::Region}-${NRAccountId}
        Key: go-example.zip
      Description: A simple Lambda, with New Relic telemetry
      FunctionName: newrelic-example-go
      Handler: handler
      Runtime: provided
      Environment:
        Variables:
          NEW_RELIC_ACCOUNT_ID: !Sub ${NRAccountId}
          NEW_RELIC_TRUSTED_ACCOUNT_KEY: !Sub ${NRAccountId}
          # Enable the new logging functionality
          NEW_RELIC_EXTENSION_SEND_FUNCTION_LOGS: true
      Layers:
        # This layer includes the New Relic Lambda Extension, a sidecar process that sends telemetry
        - !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:451483290750:layer:NewRelicLambdaExtension:5
      # The section below disables CloudWatch entirely, and is optional.
      Role: !GetAtt FunctionRole.Arn
  FunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: "lambda.amazonaws.com"
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !ImportValue NewRelicLicenseKeySecret-NewRelic-ViewLicenseKeyPolicyARN

In the above example, we set the NEW_RELIC_EXTENSION_SEND_FUNCTION_LOGS environment variable to true to send function logs. This is all that is necessary to turn on the functionality. Be sure, however, to also turn off the subscription filter for your function using our CLI tool. If you forget this step, your logs will be sent to New Relic twice, which could be confusing.

newrelic-lambda subscriptions uninstall --function <name> --aws-region <region>

The section at the bottom of the above template regarding the function’s execution role removes the default CloudWatch permissions. This prevents the function from logging to CloudWatch, which eliminates CloudWatch ingest fees for that Lambda function. It’s best to test that your New Relic logging integration is working correctly before disabling CloudWatch, so you don't lose visibility into your function’s execution.
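To check a function against the three conditions described above (the environment variable, the leftover subscription filter, and the CloudWatch Logs permissions on the execution role), the following added example audits one function's settings. It is not New Relic's code; the finding names, the filter name and the sample policy contents are constructed for illustration, and the inputs are assumed to be shaped like the output of `aws lambda get-function-configuration`, `aws logs describe-subscription-filters` and the role's IAM policy documents.

```python
import fnmatch

# Actions granted by the default Lambda execution policy (AWSLambdaBasicExecutionRole).
LOG_WRITE_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_log_actions(policy_documents):
    """CloudWatch Logs write actions granted by Allow statements.
    First-pass check only: Deny, NotAction and Condition are not evaluated."""
    granted = set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            for pattern in _as_list(stmt.get("Action", [])):
                # IAM action names are case-insensitive and may contain wildcards.
                granted.update(a for a in LOG_WRITE_ACTIONS
                               if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(granted)

def audit_function(env, subscription_filters, policy_documents):
    """Return finding codes (hypothetical names) for one function's log setup."""
    direct = str(env.get("NEW_RELIC_EXTENSION_SEND_FUNCTION_LOGS", "")).lower() == "true"
    cloudwatch = allowed_log_actions(policy_documents)
    findings = []
    if direct and subscription_filters:
        findings.append("stale-subscription-filter")  # logs forwarded a second time
    if direct and cloudwatch:
        findings.append("cloudwatch-ingest-active")   # optional cleanup not yet done
    if not direct and not cloudwatch:
        findings.append("no-log-destination")         # function logs go nowhere
    return findings

# Constructed sample policies; the license-key policy body is a stand-in.
BASIC_EXECUTION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]}
LICENSE_KEY_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:EXAMPLE"}}

if __name__ == "__main__":
    on = {"NEW_RELIC_EXTENSION_SEND_FUNCTION_LOGS": "true"}
    print(audit_function(on, [{"filterName": "example-filter"}], [BASIC_EXECUTION]))
    print(audit_function(on, [], [LICENSE_KEY_ONLY]))
    print(audit_function({}, [], [LICENSE_KEY_ONLY]))
```

An empty result for a function means logs go only to New Relic; `no-log-destination` is the state the advice about testing before disabling CloudWatch is meant to avoid.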

Because sending Lambda function logs directly to New Relic is configured on a per-function basis, you can easily transition from the old mechanism for log ingestion to the new one at your own pace, and reduce your cloud spend as you go.

Get full visibility into your Amazon Web Services environments with a free observability plan from New Relic on AWS Marketplace.