View CloudWatch logs
Access to CloudWatch
You must be on-boarded to GovWifi’s AWS account in order to access CloudWatch logs.
Please speak to the GovWifi reliability engineers or the delivery manager about this process.
Using gds-cli
This utility is being replaced with cod-cli (https://github.com/GovWifi/cod-cli).
The remainder of this section is retained until everyone has migrated to cod-cli
Logging in to CloudWatch
Log in to GovWifi AWS via the gds-cli or the AWS console.
You must be on the VPN to log in.
CLI login
Ensure gds-cli is configured on your laptop and your AWS credentials are set up. Note: it may be aliased to ‘gds’
Then run:
sh
$ gds aws govwifi -l
Using the AWS service search bar, navigate to the CloudWatch service section.
Console login
- Log in to the AWS console
- Navigate to CloudWatch
- Choose “Log groups” from the “Logs” sidebar. You can also use “Insights” which is a log aggregation tool in CloudWatch.
You can read more about the CloudWatch Insights query DSL here.
CloudWatch logs
CloudWatch contains unstructured system and application logs for GovWifi’s APIs and infrastructure components.
Since the service is region-based, make sure you’re reviewing logs for the correct region by selecting the relevant region from the AWS service bar.
Application log types
The application log group naming is inconsistent. It roughly uses the following convention:
```
--log-group
```
| Service/API | Environment | Log group |
|----------------|-------------|--------------------------------------------|
| FreeRADIUS | Staging | `frontend` |
| | Production | `frontend` |
| Admin | Staging | `staging-admin-log-group` |
| | Production | `wifi-admin-log-group` |
| Authentication | Staging | `staging-authentication-api-docker-log-group` |
| | Production | `wifi-authentication-api-docker-logs` |
| User Sign-up | Staging | `staging-user-signup-api-docker-log-group` |
| | Production | `wifi-user-signup-api-docker-log-group` |
| Logging | Staging | `staging-logging-api-docker-log-group` |
| | Production | `wifi-logging-api-docker-log-group` |
| Grafana | Staging | `staging-grafana-log-group` |
| | Production | `wifi-grafana-log-group` |
| Prometheus | Staging | `staging-prometheus-log-group` |
| | Production | `wifi-prometheus-log-group` |
**Note**:
- "Production" is referred to as "wifi" throughout the infrastructure. So `wifi-admin-log-group` refers to the Production Admin API log group.
- We have deprecated the <staging | wifi>-frontend-docker-log-group groups since moving the Frontend ECS clusters from EC2 instances to ECS Fargate.
### System log types
System logs for EC2 instances follow a separate pattern:
```
-/var/log/
```
| EC2 instance | Environment | Log group |
|----------------|-------------|--------------------------------------------|
| Bastion | Staging | `staging-bastion/var/log/*` |
| | Production | `wifi-bastion/var/log/*` |
| Frontend ECS cluster | Staging | `staging/var/log/*` |
| | Production | `wifi/var/log/*` |
**Note**: The Frontend ECS clusters run on Fargate and follow this naming pattern: `/aws/ecs/containerinsights/frontend-fargate/*`
This page was last reviewed on 7 August 2025.
It needs to be reviewed again on 7 February 2026
by the page owner
#govwifi
.
This page was set to be reviewed before 7 February 2026
by the page owner
#govwifi.
This might mean the content is out of date.