Using CloudFormation For CloudWatch Logs Integration

You can automate the entire setup using our CloudFormation template, which creates all required resources in a single deployment.

Prerequisites:

AWS CLI configured with appropriate permissions
groundcover 3rd party ingestion key - learn how to obtain your ingestion key
CloudWatch log groups
Your BYOC site name - to be used for your Firehose URL. You can find your BYOC endpoint in the ingestion keys tab

Deploy using AWS Console:

Option 1: Direct deployment (Recommended)

Launch the CloudFormation stack directly - This will open the AWS Console with the template pre-loaded.
Fill in parameters:
- GroundcoverApiToken (required): Your groundcover ingestion key
- EnvironmentName: Environment name in groundcover (default: production)
- LogGroupNames: Comma-separated list of log group names (e.g., /aws/lambda/func1,/aws/lambda/func2)
- GroundcoverEndpoint: groundcover Firehose endpoint URL (e.g., https://<your-byoc-site>/v1/firehose/logs)
Click Create stack

Option 2: Manual upload

Go to CloudFormation in AWS Console
Click Create Stack → With new resources (standard)
Choose Specify an Amazon S3 template URL and enter: https://groundcover-public-cloudformation-templates.s3.us-east-1.amazonaws.com/groundcover-firehose-multi.yaml
Fill in parameters:
- GroundcoverApiToken (required): Your groundcover ingestion key
- EnvironmentName: Environment name in groundcover (default: production)
- LogGroupNames: Comma-separated list of log group names (e.g., /aws/lambda/func1,/aws/lambda/func2)
- GroundcoverEndpoint: groundcover Firehose endpoint URL (e.g., https://<your-byoc-site>/v1/firehose/logs)
Under Capabilities, check I acknowledge that AWS CloudFormation might create IAM resources
Click Create stack

Deploy using AWS CLI:

Download the template and deploy:

aws cloudformation deploy \
    --template-file groundcover-firehose-multi.yaml \
    --stack-name groundcover-firehose-integration \
    --parameter-overrides \
        GroundcoverApiToken=YOUR_API_TOKEN \
        EnvironmentName=production \
        LogGroupNames="/aws/lambda/service1,/aws/lambda/service2,/aws/ec2/instance1" \
        GroundcoverEndpoint=https://[your-byoc-site]/v1/firehose/logs \
    --capabilities CAPABILITY_NAMED_IAM \
    --region us-east-1

Or deploy directly using the template URL:

aws cloudformation create-stack \
    --stack-name groundcover-firehose-integration \
    --template-url https://groundcover-public-cloudformation-templates.s3.us-east-1.amazonaws.com/groundcover-firehose-multi.yaml \
    --parameters \
        ParameterKey=GroundcoverApiToken,ParameterValue=YOUR_API_TOKEN \
        ParameterKey=EnvironmentName,ParameterValue=production \
        ParameterKey=LogGroupNames,ParameterValue="/aws/lambda/service1,/aws/lambda/service2,/aws/ec2/instance1" \
    --capabilities CAPABILITY_NAMED_IAM \
    --region us-east-1

What gets created:

Kinesis Data Firehose stream configured for groundcover
IAM roles for CloudWatch Logs, Firehose, and Lambda
S3 backup bucket for failed deliveries
Subscription filters for all specified log groups

Adding more log groups:

Update the stack with new log group names:

aws cloudformation update-stack \
    --stack-name groundcover-firehose-integration \
    --use-previous-template \
    --parameter-overrides \
        GroundcoverApiToken=UsePreviousValue \
        EnvironmentName=UsePreviousValue \
        LogGroupNames="/aws/lambda/service1,/aws/lambda/service2,/aws/lambda/service3" \
    --capabilities CAPABILITY_NAMED_IAM

Last updated 2 days ago