

# Accessing your logs
<a name="access-to-logs"></a>

To access your logs, ensure that you have one of the required IAM roles and are in your AMS account. Then navigate to the directory shown.

------
#### [ Multi-Account Landing Zone (MALZ) ]

Provides five default IAM roles, each of which allows access to all logs within your account (all are prefixed with `AWSManagedServices`):
+ `AdminRole`
+ `CaseRole`
+ `ChangeManagementRole`
+ `ReadOnlyRole`
+ `SecurityOpsRole`

Access to these roles is configured via federation, with each role being mapped to a group within your Active Directory domain.

To learn more about these roles, see [IAM user role in AMS](defaults-user-role.md).

------
#### [ Single-Account Landing Zone (SALZ) ]

The default `Customer_ReadOnly_Role` for AMS single-account landing zone allows you to access all logs within your account. Access to the logs is controlled using AWS Identity and Access Management (IAM) roles mapped to Active Directory groups.

------

# AMS aggregated service logs
<a name="service-logs"></a>

Each AWS service logs to either CloudWatch Logs or a specific location in an Amazon S3 bucket.

**Note**  
Unless specifically stated, all log locations are local to the account that generated the logs, and are not aggregated into the central Logging account.  
To find the default AMS CloudTrail trail names in SALZ and MALZ accounts, go to the AWS Console for CloudTrail and then to the **Trails** page and search for AMS. Because AMS resources have tags, you can find the trails this way. Example AMS CloudTrail tag:  

```
Environment	  AMSInfrastructure
```

To access your logs, ensure that you have one of the required IAM roles and are in your AMS account. Then navigate to the directory shown.

------
#### [ Multi-Account Landing Zone ]


**AMS multi-account landing zone Aggregated Service Logs**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/service-logs.html)

------
#### [ Single-Account Landing Zone ]


**AMS single-account landing zone Aggregated Service Logs**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/service-logs.html)

------

# AMS shared services logs
<a name="shared-service-logs"></a>

The following table describes the logs, and log location, for the AMS Shared Services in your account.

To access your logs, ensure that you have one of the required IAM roles and are in your AMS account. Then navigate to the directory shown.


**AMS single-account landing zone Shared Services Logging**  

|   | Shared service name | Log details | Log location | 
| --- | --- | --- | --- | 
| 1 | Bastion Hosts | Information regarding users accessing the bastion host. | **Linux Bastions**: CloudWatch Logs: /{instance id}/var/log/secure; CloudWatch Logs: /{instance id}/var/log/audit/audit.log. **Windows Bastions**: CloudWatch Logs: /{instance id}/SecurityEventLog | 
| 2 | Management Hosts | Output of scripts, which assist in automated access management actions within the account. | CloudWatch Logs: /{instance id}/ApplicationEventLog | 
| 4 | EPS Hosts (DSM) | Information regarding the enrollment of instances onto the Deep Security Management platform. | CloudWatch Logs: /{instance id}/var/log/DSM.log | 
| 5 | Directory Services | Information regarding account login, account management, detailed tracking, object access, policy change, and privilege use within the account’s directory. You must explicitly enable Directory Services logging. For information, see [Enabling logging for supported services](log-customize-enable-service.md).  | CloudWatch Logs: /aws/directoryservice/{directory id}-{directory dns name} | 
| 6 | Lambdas | Output of various lambdas, which assist in automated operational actions within the account. | CloudWatch Logs: /aws/lambda/{lambda name} | 


**AMS multi-account landing zone Shared Services Logging**  

|   | Shared service name | Log details | Log location | 
| --- | --- | --- | --- | 
| 1 | Bastions | Output of instance logins and authentication failures. | **Linux Bastions**: CloudWatch Logs: /{*instance_ID*}/var/log/secure.log. **Windows Bastions**: CloudWatch Logs: /{*instance_ID*}/SecurityEventLog | 
| 2 | Management Hosts | Output of scripts, which assist in automated access management actions within the account. | CloudWatch Logs: /{*instance_ID*}/ApplicationEventLog | 
| 3 | EPS Hosts (DSM) | Information regarding the enrollment of instances onto the Deep Security Management platform. | CloudWatch Logs: /{*instance_ID*}/var/log/DSM.log | 
| 4 | Directory Services | Information regarding account login, account management, detailed tracking, object access, policy change, and privilege use within the account’s directory. You must explicitly enable Directory Services logging. For information, see [Enabling logging for supported services](log-customize-enable-service.md). | CloudWatch Logs: /aws/directoryservice/{*directory_ID*}-{*directory_DNS_name*} | 
| 5 | Lambdas | Output of various lambdas, which assist in automated operational actions within the account. | CloudWatch Logs: /aws/lambda/{*Lambda_name*} | 

# Amazon Elastic Compute Cloud (Amazon EC2) - system level logs
<a name="access-to-logs-ec2"></a>

Instance logs are collected by a CloudWatch Logs agent running on the instance and can be accessed through a CloudWatch Log group of the same name as the instance. For example, if the instance ID is `i-0123456789abcdef0` and the log file name is `/var/log/messages`, the Log Group would be `i-0123456789abcdef0` and the Log Stream `/var/log/messages`.

See also [AMS aggregated service logs](service-logs.md).

To access your logs, ensure that you have one of the required IAM roles and are in your AMS account. Then navigate to the directory shown.

**Note**  
The following logs are collected by default.

**Amazon Linux / Red Hat Linux / CentOS Linux / Ubuntu / SUSE Linux**

**Log file / Log stream**

```
/var/log/amazon/ssm/amazon-ssm-agent.log
/var/log/amazon/ssm/errors.log
/var/log/audit/audit.log
/var/log/cloud-init-output.log
/var/log/cfn-init.log
/var/log/cfn-init-cmd.log
/var/log/cloud-init.log (Amazon Linux 1 / Amazon Linux 2 only)
/var/log/cron
/var/log/dnf.log
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
/var/log/yum.log
/var/log/aws/ams/bootstrap.log
/var/log/aws/ams/build.log
/var/log/syslog
/var/log/dpkg.log
/var/log/auth.log
/var/log/zypper.log
```

**Note**  
For information on accessing logs for Amazon Linux 2023, see [Why is the /var/log directory missing logs in my EC2 Amazon Linux 2023 instance?](https://repost.aws/knowledge-center/ec2-linux-al2023-find-log-files)

**Windows**

**Log file / Log stream**

```
SecurityEventLog
SystemEventLog
AmazonSSMAgentLog
MicrosoftWindowsAppLockerMSIAndScriptEventLog
MicrosoftWindowsAppLockerEXEAndDLLEventLog
AmazonCloudWatchAgentLog
EC2ConfigServiceEventLog (Windows Server 2012 R2 Only)
ApplicationEventLog
AmazonCloudFormationLog
MicrosoftWindowsGroupPolicyOperationalEventLog
AmazonSSMErrorLog
```
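
The addressing convention above (log group named for the instance ID, log stream named for the log file) makes it straightforward to review authentication failures on a bastion or instance. The following is an added example, not AMS code: it reads `/var/log/secure` through the CloudWatch Logs `FilterLogEvents` API and summarizes sshd failures per source address. The sample events, the regular expression, and the threshold of 3 are assumptions for illustration.

```python
import re
from collections import Counter

# sshd authentication-failure lines as they appear in /var/log/secure.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+")

def fetch_events(instance_id, log_file="/var/log/secure", start_ms=0):
    """Yield events for one instance log (log group = instance ID, stream = file path)."""
    import boto3  # lazy import: the parsing below needs no AWS access
    pages = boto3.client("logs").get_paginator("filter_log_events").paginate(
        logGroupName=instance_id, logStreamNames=[log_file], startTime=start_ms)
    for page in pages:
        yield from page["events"]

def failed_logins(events, threshold=3):
    """Summarize sshd failures per source address, keeping sources at or above threshold."""
    counts, users = Counter(), {}
    for ev in events:
        m = FAILED.search(ev["message"])
        if m:
            user, src = m.groups()
            counts[src] += 1
            users.setdefault(src, set()).add(user)
    return {src: {"failures": n, "users": sorted(users[src])}
            for src, n in counts.items() if n >= threshold}

# Constructed sample in the shape FilterLogEvents returns; addresses are documentation ranges.
_LINES = [
    "Mar  4 10:15:01 ip-10-0-1-5 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar  4 10:15:03 ip-10-0-1-5 sshd[2213]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "Mar  4 10:15:06 ip-10-0-1-5 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2",
    "Mar  4 10:16:40 ip-10-0-1-5 sshd[2230]: Accepted publickey for ec2-user from 198.51.100.20 port 40022 ssh2",
    "Mar  4 10:17:02 ip-10-0-1-5 sshd[2240]: Failed password for ec2-user from 198.51.100.20 port 40030 ssh2",
]
SAMPLE = [{"logStreamName": "/var/log/secure", "timestamp": 1709547300000 + i * 1000,
           "message": line} for i, line in enumerate(_LINES)]

if __name__ == "__main__":
    # Against a live account: failed_logins(fetch_events("i-0123456789abcdef0"))
    print(failed_logins(SAMPLE))
```
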

# Integrating with Splunk
<a name="enable-Splunk-log-push"></a>

AMS supports AWS Lambda-based push to customer log analytics services, such as Splunk. 

AMS leverages the Splunk Add-on for Amazon Web Services, which allows AWS data to be streamed to Splunk. See [Hardware and software requirements](http://docs.splunk.com/Documentation/AddOns/released/AWS/Hardwareandsoftwarerequirements).

Refer to this Splunk blog post: [How to stream AWS CloudWatch Logs to Splunk (Hint: it’s easier than you think)](https://www.splunk.com/blog/2017/02/03/how-to-easily-stream-aws-cloudwatch-logs-to-splunk.html). CloudWatch log streaming is enabled by default for AMS customers, and AMS configures the AWS Lambda function for you. However, you need to configure the Splunk HTTP Event Collector (HEC) input and submit a request to AMS for the added functionality.

Here’s how the data input settings might look:

![\[Splunk Add Data review page showing input settings for VPC Flow Logs via Lambda.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/configure-Splunk-HEC.png)
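
To show what reaches the HEC input you configure, the following added example (not the Lambda function that AMS deploys) decodes a CloudWatch Logs subscription delivery and shapes it into Splunk HEC events, mapping log group to `host` and log stream to `source`. The endpoint URL, token, sourcetype, and sample payload are constructed placeholders.

```python
import base64
import gzip
import json
import urllib.request

def decode_subscription(event):
    """Unpack what CloudWatch Logs hands a subscribed Lambda: base64 of gzipped JSON."""
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))

def to_hec_events(payload, sourcetype="aws:cloudwatchlogs"):  # sourcetype is an assumption
    """Turn one decoded payload into Splunk HEC event objects."""
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE is a reachability probe and carries no log data
    return [{
        "time": ev["timestamp"] / 1000,   # CloudWatch uses ms, HEC uses epoch seconds
        "host": payload["logGroup"],      # instance ID under the AMS naming convention
        "source": payload["logStream"],   # log file path or Windows event log name
        "sourcetype": sourcetype,
        "event": ev["message"],
    } for ev in payload["logEvents"]]

def hec_request(hec_url, hec_token, hec_events):
    """Build (without sending) the HEC POST: back-to-back JSON objects, token in header."""
    body = "".join(json.dumps(e) for e in hec_events).encode("utf-8")
    return urllib.request.Request(
        hec_url, data=body, method="POST",
        headers={"Authorization": f"Splunk {hec_token}"})

def sample_event():
    """Constructed subscription delivery for one line of /var/log/secure."""
    payload = {
        "messageType": "DATA_MESSAGE", "owner": "111122223333",
        "logGroup": "i-0123456789abcdef0", "logStream": "/var/log/secure",
        "subscriptionFilters": ["example-filter"],
        "logEvents": [{"id": "1", "timestamp": 1709547301000, "message":
                       "sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2"}],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}

if __name__ == "__main__":
    events = to_hec_events(decode_subscription(sample_event()))
    req = hec_request("https://splunk.example.com:8088/services/collector/event",
                      "00000000-0000-0000-0000-000000000000", events)  # placeholder token
    print(req.get_method(), req.full_url, req.data.decode())
```

Because the HEC token authorizes writes to your Splunk index, keep it out of function source and logs.
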
