omawslogshlc sends log messages to Amazon CloudWatch Logs using the
HTTP Log Collector (HLC) endpoint with bearer token authentication. It is a
user-contributed, experimental module with higher operational risk than
core-supported mature modules.
omawslogshlc: Amazon CloudWatch Logs HLC Output Module¶
Module Name: |
omawslogshlc |
Author: |
Amazon CloudWatch Logs team |
Status: |
user-contributed, experimental |
Available since: |
v8.2604 |
Warning
omawslogshlc is user-contributed and experimental. It has had less
production exposure and core-maintainer ownership than mature rsyslog
modules, so deployments should treat it as higher risk, test it carefully,
and expect possible feedback-driven behavior or configuration changes.
Purpose¶
This module provides native support for forwarding syslog messages to Amazon CloudWatch Logs. It uses the publicly available HLC (HTTP Log Collector) endpoint and bearer token authentication, eliminating the need for the AWS SDK or a separate log collection agent.
Each syslog message is wrapped in the HLC JSON event format and posted to the configured CloudWatch Logs log group and log stream.
Notable Features¶
Bearer token authentication (no AWS SDK dependency)
Automatic event batching with configurable batch size
JSON escaping of message content
Automatic inclusion of timestamp, hostname, and source metadata
User-Agent header identifying rsyslog version
Retry-friendly error handling for transient failures (429, 5xx)
Requirements¶
To use omawslogshlc, you need the following:
libcurlsupport at build timeAn AWS region where CloudWatch Logs is available
A CloudWatch Logs log group with bearer token authentication enabled
A bearer token generated for that log group (starts with
ACWL)A log stream within the log group
The module is built only when ./configure is invoked with
--enable-omawslogshlc.
For information on setting up bearer token authentication, see the AWS documentation.
Configuration Parameters¶
Note
Parameter names are case-insensitive.
Note
This module supports action parameters only.
Action Parameters¶
region¶
Type: |
string |
Required: |
yes |
The AWS region for the CloudWatch Logs endpoint (e.g., us-west-2,
eu-west-1). This is used to construct the HLC endpoint URL:
https://logs.<region>.amazonaws.com/services/collector/event
bearer_token¶
Type: |
string |
Required: |
yes |
The bearer token for HLC endpoint authentication. Tokens start with ACWL.
This value is sent in the Authorization: Bearer <token> header.
log_group¶
Type: |
string |
Required: |
yes |
The name of the CloudWatch Logs log group to send events to. The value is URL-encoded automatically.
log_stream¶
Type: |
string |
Required: |
yes |
The name of the CloudWatch Logs log stream within the log group. The value is URL-encoded automatically.
max_batch_size¶
Type: |
integer |
Default: |
100 |
Required: |
no |
Maximum number of events per HTTP request. When the batch reaches this count, it is flushed immediately. Valid range is 1 to 10000. AWS recommends 10–100 events per request for optimal performance.
template¶
Type: |
word |
Default: |
RSYSLOG_TraditionalFileFormat |
Required: |
no |
The rsyslog template used to render the message content. The rendered output
becomes the event field in the HLC JSON payload.
Batching Behavior¶
omawslogshlc accumulates events within a transaction and flushes them
when one of the following happens:
The event count reaches
max_batch_sizeThe rsyslog transaction ends (
endTransaction)The total batch size approaches the 1 MiB HLC request limit
Events are sent as concatenated JSON objects (no array wrapper), which is one of the accepted formats for the HLC endpoint.
Error Handling¶
The module handles HTTP errors as follows:
200–299: Success. Batch is cleared.
401/403: Authentication failure. The action is suspended for retry. Check that the bearer token is valid and not expired.
429: Rate limited. The action is suspended and retried according to rsyslog’s action retry settings.
5xx: Server error. The action is suspended for retry.
Other 4xx: Non-retryable. The batch is dropped and an error is logged.
Use rsyslog’s action.resumeInterval and action.resumeRetryCount to
control retry behavior.
Example¶
Forward all syslog messages to CloudWatch Logs:
module(load="omawslogshlc")
*.* action(
type="omawslogshlc"
region="us-west-2"
bearer_token="ACWL..."
log_group="my-application-logs"
log_stream="server-01"
)
Forward only auth logs with a larger batch size:
module(load="omawslogshlc")
auth,authpriv.* action(
type="omawslogshlc"
region="eu-west-1"
bearer_token="ACWL..."
log_group="security-logs"
log_stream="auth"
max_batch_size="50"
action.resumeInterval="5"
action.resumeRetryCount="10"
)
YAML configuration for the same target:
version: 2
modules:
- load: omawslogshlc
rulesets:
- name: main
filter: "*.*"
actions:
- type: omawslogshlc
region: us-west-2
bearer_token: ACWL...
log_group: my-application-logs
log_stream: server-01
max_batch_size: 50
Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project
Contributing: Source & docs: rsyslog source project
© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.