AWS CloudWatch Integration for Humio

Humio’s CloudWatch integration sends your AWS CloudWatch Logs to Humio by using an AWS Lambda function to ship the data.

The integration is available from GitHub:

Quick Start

Use the Launch Stack buttons below to install in a region of your choice.

Use a globally unique stack name. The integration uses an S3 bucket, and bucket names in S3 need to be globally unique.

The integration uses a set of AWS Lambdas and you need to manually send a test event to the AutoSubscriber and CloudwatchBackfiller to enable them. You can send a test event using the Lambda part of the AWS Console.

For the AutoSubscriber lambda, configure your test event like the example below, and click Test.

  {
    "id": "cdc73f9d-aea9-11e3-9d5a-835b769c0d9c",
    "detail-type": "Scheduled Event",
    "source": "",
    "account": "{{{account-id}}}",
    "time": "1970-01-01T00:00:00Z",
    "region": "us-west-2",
    "resources": [],
    "detail": { "requestParameters": { "logGroupName": "EXAMPLE" } }
  }

For the CloudwatchBackfiller lambda, use the default test event and click Test.


US East (N. Virginia) - US East 1 Install cloudwatch2humio in US East 1
US East (Ohio) - US East 2 Install cloudwatch2humio in US East 2
US West (Oregon) - US West 2 Install cloudwatch2humio in US West 2
EU (Frankfurt) - EU Central 1 Install cloudwatch2humio in EU Central 1
EU (Ireland) - EU West 1 Install cloudwatch2humio in EU West 1
EU (London) - EU West 2 Install cloudwatch2humio in EU West 2

If your region is missing, contact us by mail or Slack.

Launch parameters

Humio installs the integration using a CloudFormation template.

The template supports the following parameters:

  • HumioHost — The host you want to ship your Humio logs to.
  • HumioDataspaceName — The name of the repository in Humio that you want to ship logs to.
  • HumioAutoSubscription — Enable automatic subscription to new log groups.
  • HumioIngestToken — The value of your ingest token from your Humio account.
  • HumioSubscriptionBackfiller — This checks for missed or old log groups that existed before the Humio integration was installed. This increases the execution time of the lambda by about 1s. Defaults to true.
  • HumioProtocol — The transport protocol used for delivering log events to Humio. HTTPS is the default and recommended, but HTTP is possible as well.
  • HumioSubscriptionPrefix — By adding this filter the Humio Ingester will only subscribe to log groups whose paths start with this prefix.

How this integration works

The integration installs three lambda functions: the AutoSubscriber, the CloudwatchIngester and the CloudwatchBackfiller. The CloudFormation template also sets up CloudTrail and an S3 bucket for your account. These are needed to trigger the AutoSubscriber lambda for newly created log groups.


CloudwatchIngester

This lambda handles the delivery of your CloudWatch log events to Humio.


AutoSubscriber

This lambda automatically subscribes the CloudwatchIngester every time a new log group is created. This is done by filtering CloudTrail events and triggering the AutoSubscriber lambda every time a new log group is created.


CloudwatchBackfiller

This will run if you have set HumioSubscriptionBackfiller to true when executing the CloudFormation template. This function paginates through your existing CloudWatch log groups and subscribes the CloudwatchIngester to every single one.
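The subscription decisions described above determine which log groups leave your AWS account, so it helps to see them as code. The sketch below is an added example, not the cloudwatch2humio source: it shows how the AutoSubscriber path (one log group named in the event) and the CloudwatchBackfiller path (paginating existing groups) could both apply HumioSubscriptionPrefix. It assumes a boto3-style logs client; `FakeLogs`, the filter name and the skip of the ingester's own log group are hypothetical additions.

```python
# Added example (not the cloudwatch2humio source); names marked hypothetical are assumptions.

class FakeLogs:
    """Constructed stand-in for boto3.client("logs"), so the example runs offline."""
    def __init__(self, groups):
        self.groups, self.subscribed = groups, []
    def get_paginator(self, _operation):
        return self
    def paginate(self):
        for i in range(0, len(self.groups), 2):  # two log groups per page
            yield {"logGroups": [{"logGroupName": g} for g in self.groups[i:i + 2]]}
    def put_subscription_filter(self, **kwargs):
        self.subscribed.append(kwargs["logGroupName"])

def log_group_from_event(event):
    """Return detail.requestParameters.logGroupName, or None if the event lacks it."""
    params = (event.get("detail") or {}).get("requestParameters") or {}
    name = params.get("logGroupName")
    return name if isinstance(name, str) and name else None

def wanted(name, prefix, ingester_group):
    """HumioSubscriptionPrefix check; an empty prefix matches every log group."""
    if name == ingester_group:  # added precaution: never feed the ingester its own logs
        return False
    return name.startswith(prefix)

def subscribe(logs, name, ingester_arn):
    logs.put_subscription_filter(
        logGroupName=name,
        filterName="humio-ingester",  # hypothetical filter name
        filterPattern="",             # empty pattern forwards every log event
        destinationArn=ingester_arn,
    )

def handle_new_group(logs, event, prefix, ingester_arn, ingester_group):
    """AutoSubscriber path: subscribe the one group named in the event, if wanted."""
    name = log_group_from_event(event)
    if name is None or not wanted(name, prefix, ingester_group):
        return None
    subscribe(logs, name, ingester_arn)
    return name

def backfill(logs, prefix, ingester_arn, ingester_group):
    """CloudwatchBackfiller path: walk every page of existing log groups."""
    done = []
    for page in logs.get_paginator("describe_log_groups").paginate():
        for group in page["logGroups"]:
            if wanted(group["logGroupName"], prefix, ingester_group):
                subscribe(logs, group["logGroupName"], ingester_arn)
                done.append(group["logGroupName"])
    return done
```

Passing the test event shown earlier on this page with an empty prefix subscribes the group EXAMPLE; with a prefix such as /app/ the same event is ignored and nothing is shipped.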