Question 23
Domain 4: Monitoring and Logging
A company's application runs on Amazon EC2 instances. The application writes to a log file that records the username, date, time, and source IP address of the login. The log is published to a log group in Amazon CloudWatch Logs. The company is performing a root cause analysis for an event that occurred on the previous day. The company needs to know the number of logins for a specific user from the past 7 days. Which solution will provide this information?
Correct answer: C
Explanation
CloudWatch Logs Insights is designed to query log data and use aggregation functions such as "count" to summarize events. Running a query against the log group for the past 7 days can filter by the specific username and return the number of logins needed for root cause analysis.
Why each option is right or wrong
A. Create a CloudWatch Logs metric filter on the log group. Use a filter pattern that matches the username. Publish a CloudWatch metric that sums the number of logins over the past 7 days.
Metric filters create metrics from matching log events, but they are for predefined monitoring, not flexible historical investigation.
B. Create a CloudWatch Logs subscription on the log group. Use a filter pattern that matches the username. Publish a CloudWatch metric that sums the number of logins over the past 7 days.
Subscriptions stream log events to downstream processing; they do not directly answer a past 7-day count question.
C. Create a CloudWatch Logs Insights query that uses an aggregation function to count the number of logins for the username over the past 7 days. Run the query against the log group.
CloudWatch Logs Insights is the AWS-native feature for ad hoc analysis of log events in a log group, and its query language supports filtering on a field such as the username plus aggregation with `count()` to total matching login events. The query can be scoped to the last 7 days using the time range selector, which fits the requirement to analyze logins from the past week for a specific user in the published CloudWatch Logs group.
D. Create a CloudWatch dashboard. Add a number widget that has a filter pattern that counts the number of logins for the username over the past 7 days directly from the log group.
Dashboards visualize existing metrics or query results; they are not the primary mechanism for counting raw log events directly.
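The approach in option C, as an added example that is not part of the original question: a boto3 script that runs a Logs Insights query with `count(*)` over the past 7 days. The log line layout (`<username> <date> <time> <source_ip>`), the parsed field names, the log group `/app/logins` and the user `jdoe` are assumptions made for illustration.

```python
import time

TERMINAL_FAILURES = {"Failed", "Cancelled", "Timeout", "Unknown"}

def build_login_count_query(username):
    """Logs Insights query: parse each login line, keep one user, count rows."""
    # The username is embedded in a quoted literal, so reject quote/escape chars.
    if any(ch in username for ch in '"\\\n'):
        raise ValueError("unsupported character in username")
    return (
        # Assumed line layout: "<username> <date> <time> <source_ip>"
        'parse @message "* * * *" as username, login_date, login_time, source_ip\n'
        f'| filter username = "{username}"\n'
        "| stats count(*) as login_count"
    )

def last_days_window(days, now=None):
    """Return (startTime, endTime) in epoch seconds, as start_query expects."""
    end = int(time.time() if now is None else now)
    return end - days * 86400, end

def count_logins(log_group, username, days=7, client=None, poll_seconds=1.0):
    """Run the query over the last `days` days and return the login count."""
    if client is None:
        import boto3  # imported lazily so the helpers above work without it
        client = boto3.client("logs")
    start, end = last_days_window(days)
    query_id = client.start_query(
        logGroupName=log_group, startTime=start, endTime=end,
        queryString=build_login_count_query(username),
    )["queryId"]
    while True:  # queries run asynchronously; poll until a terminal status
        resp = client.get_query_results(queryId=query_id)
        if resp["status"] == "Complete":
            break
        if resp["status"] in TERMINAL_FAILURES:
            raise RuntimeError(f"query ended with status {resp['status']}")
        time.sleep(poll_seconds)
    # Each result row is a list of {"field": ..., "value": ...} cells.
    for row in resp["results"]:
        for cell in row:
            if cell["field"] == "login_count":
                return int(cell["value"])
    return 0  # no matching events in the window

if __name__ == "__main__":
    # "/app/logins" and "jdoe" are hypothetical placeholders.
    print(count_logins("/app/logins", "jdoe"))
```

The same query string can be pasted into the Logs Insights console with the time range set to the last 7 days.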