Tail CloudWatch Logs Live with the AWS CLI
Use aws logs tail with --follow to stream a CloudWatch log group in real time. Filter, time-range, and color the output.
aws logs tail is the CloudWatch equivalent of tail -f. It streams a log group to your terminal as events arrive, with optional filtering and time ranges. This is the command that replaces SSHing into a server to watch logs — point it at any Lambda, ECS task, or app log group and you're done.
Tested on AWS CLI v2.17.
When to Use This
- Live-debugging a Lambda function during a deploy
- Watching ECS or Fargate tasks during a rollout
- Searching the last hour of logs for a specific error string
- Piping log output into another tool (grep, jq, less)
Don't use this when you need cross-log-group search (use CloudWatch Insights) or when you need persistent dashboards (use the console).
Code
# Live tail a log group
aws logs tail /aws/lambda/my-function --follow
# Last 1 hour of events
aws logs tail /aws/lambda/my-function --since 1h
# Last 10 minutes, filtered for ERROR
aws logs tail /aws/lambda/my-function --since 10m --filter-pattern ERROR
# Live tail with pretty colored output and timestamps
aws logs tail /aws/lambda/my-function --follow --format short
# Specific log streams (one Lambda invocation per stream)
aws logs tail /aws/lambda/my-function --follow \
--log-stream-names "2026/05/11/[\$LATEST]abc123"--since accepts relative durations (1h, 30m, 5d) or absolute ISO timestamps. --format short strips the noise and prints just timestamps and message lines, which is what I almost always want.
Usage
A debugging session for a misbehaving Lambda:
# 1) Watch the function live
aws logs tail /aws/lambda/order-processor --follow --format short --since 5m
# 2) In another terminal, trigger the function
aws lambda invoke --function-name order-processor --payload '{"id":"123"}' /tmp/out.json
# 3) Watch the logs stream in. Cmd+C to stop.A grep-pipeline pattern for finding errors:
aws logs tail /aws/ecs/my-service --since 1h \
| grep -i "error\|exception\|panic" \
| lessCaveats
--followkeeps the connection open until you Cmd+C. It does not auto-disconnect. For scripts, use--sincewithout--follow.- There's a small delay (~1-3 seconds) between event arrival and tail output. CloudWatch ingestion is not instant. Don't panic if your event doesn't appear immediately.
- Lambda log streams use
[$LATEST]in the name. That's a literal$LATEST, not a shell variable — escape it as\$LATESTin bash. - Filter patterns are case-sensitive.
ERRORmatchesERRORbut notErrororerror. To match all, pipe throughgrep -iinstead. - Quote your filter patterns.
--filter-pattern "GET /api/users 500"needs quotes because of the spaces. - The CLI charges no extra over the standard CloudWatch Logs API. No surprise bill from tailing.
Related Snippets & Reading
- Debug Which AWS Identity You're Using — when tail fails with access denied
- Invoke a Lambda and Read the Response(coming soon) — pair with tail for full debug loops
- aws logs tail reference — official docs
Frequently Asked Questions
What does aws logs tail do?
aws logs tail streams log events from a CloudWatch log group to your terminal in real time, similar to tail -f for files. With --follow it keeps the connection open and prints new events as they arrive. With --filter-pattern it only shows events matching the pattern.
Why use aws logs tail instead of the CloudWatch console?
It's faster, scriptable, and lives next to the rest of your shell tooling. You can pipe it to grep, jq, or your own scripts. The console is better for historical search across many log groups; tail is better for live debugging of one service.