Tech Blog

How to Check Spring Boot App Logs Running on AWS ECS with CloudWatch Logs

by y104
AWS ECS CloudWatch Spring Boot

Introduction

When a Spring Boot app deployed to ECS isn’t working, checking the logs is the first step.
However, it’s surprisingly common to open the ECS console and not know where the logs are.

This article covers everything from setting up ECS + CloudWatch Logs to the actual commands for checking logs.


CloudWatch Logs Configuration

Log Configuration in Task Definition

Set the container’s log driver to awslogs in the ECS task definition.

Configuration with CDK

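// cdk/lib/app-stack.ts
import * as cdk from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as logs from 'aws-cdk-lib/aws-logs';

// Inside the stack constructor: the log group the container writes to.
const logGroup = new logs.LogGroup(this, 'AppLogGroup', {
  logGroupName: '/dvd-rental/app',
  // Log events older than one week are deleted.
  retention: logs.RetentionDays.ONE_WEEK,
  // The log group and its logs are deleted together with the stack.
  removalPolicy: cdk.RemovalPolicy.DESTROY,
});

// Send the container's stdout/stderr to that log group via the awslogs driver.
const container = taskDefinition.addContainer('AppContainer', {
  image: ecs.ContainerImage.fromEcrRepository(ecrRepo, 'latest'),
  logging: ecs.LogDrivers.awsLogs({
    streamPrefix: 'dvd-rental',
    logGroup: logGroup,
  }),
});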

Configuration in Task Definition JSON

{
  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
      "awslogs-group": "/dvd-rental/app",
      "awslogs-region": "ap-northeast-1",
      "awslogs-stream-prefix": "dvd-rental"
    }
  }
}

Granting Permissions to the IAM Role

The ECS Task Execution Role needs write permissions to CloudWatch Logs.

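// CDK configuration
import * as iam from 'aws-cdk-lib/aws-iam';

// resources: ['*'] lets the execution role write to every log group in the
// account. Because the stack creates /dvd-rental/app itself, the statement
// can be narrowed to logGroup.logGroupArn, and logs:CreateLogGroup is not
// needed at runtime.
taskDefinition.addToExecutionRolePolicy(new iam.PolicyStatement({
  actions: [
    'logs:CreateLogGroup',
    'logs:CreateLogStream',
    'logs:PutLogEvents',
  ],
  resources: ['*'],
}));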

The AmazonECSTaskExecutionRolePolicy managed policy already includes these permissions,
so attaching this policy to the task execution role is sufficient.


CloudWatch Logs Structure

After configuration, logs are stored in the following structure:

Log Group: /dvd-rental/app
  Log Stream: dvd-rental/AppContainer/{task-id}

A new log stream is created each time a task starts.


How to Check Logs

Checking via AWS Console

  1. CloudWatch → Log Groups → /dvd-rental/app
  2. Select the latest stream from the log streams list
  3. Use the filter box to search by keyword

Checking via AWS CLI

List Log Streams

aws logs describe-log-streams \
    --log-group-name "/dvd-rental/app" \
    --order-by LastEventTime \
    --descending \
    --max-items 5 \
    --region ap-northeast-1

Check Latest Logs

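# Get the latest log stream name
# (--limit 1 asks the service for a single stream; with --query and
# --output text, --max-items can append a pagination-token line to the result)
STREAM=$(aws logs describe-log-streams \
    --log-group-name "/dvd-rental/app" \
    --order-by LastEventTime \
    --descending \
    --limit 1 \
    --query "logStreams[0].logStreamName" \
    --output text \
    --region ap-northeast-1)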

# Display logs (latest 30 entries)
aws logs get-log-events \
    --log-group-name "/dvd-rental/app" \
    --log-stream-name "$STREAM" \
    --limit 30 \
    --region ap-northeast-1 \
    --query "events[*].message" \
    --output text

Search by Keyword

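# Search for logs containing "ERROR" in the last hour
# (date -d is GNU date; on macOS/BSD use: date -v-1H +%s000)
aws logs filter-log-events \
    --log-group-name "/dvd-rental/app" \
    --filter-pattern "ERROR" \
    --start-time "$(date -d '1 hour ago' +%s000)" \
    --region ap-northeast-1

# Check active profile
# (the inner double quotes make CloudWatch match the exact phrase
# from the startup line, e.g.: 1 profile is active: "prod")
aws logs filter-log-events \
    --log-group-name "/dvd-rental/app" \
    --filter-pattern '"profile is active"' \
    --region ap-northeast-1 \
    --query "events[*].message" \
    --output text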

Post-Deployment Verification Procedure

After deploying to ECS, check the logs in the following order.

Step 1: Verify the Task Started

aws ecs describe-services \
    --cluster dvd-rental-cluster \
    --services dvd-rental-service \
    --region ap-northeast-1 \
    --query "services[0].{Running:runningCount,Desired:desiredCount,Status:status}"

If runningCount matches desiredCount, the task is running.

Step 2: Check Logs for the New Task

# Get the ARN of a running task in the service
TASK_ARN=$(aws ecs list-tasks \
    --cluster dvd-rental-cluster \
    --service-name dvd-rental-service \
    --desired-status RUNNING \
    --region ap-northeast-1 \
    --query "taskArns[0]" \
    --output text)

echo "Task ARN: $TASK_ARN"

Step 3: Verify Spring Boot Startup Logs

Key points to check:

# ✅ Check 1: Is the correct profile applied?
INFO  - The following 1 profile is active: "prod"

# ✅ Check 2: Is the DB connection successful?
INFO  - HikariPool-1 - Start completed.

# ✅ Check 3: Did Flyway migrations succeed?
INFO  - Successfully applied 4 migrations to schema "public"

# ✅ Check 4: Did the app finish starting?
INFO  - Started DvdRentalApplication in 8.234 seconds
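
The Step 2 and Step 3 checks as a script, so a deployment pipeline can fail when the expected profile is not active or a startup line is missing. This is an added example, not code from the original article: the function names `stream_for_task`, `expect_line` and `check_startup`, the sample log and the task ARN are constructed, and the patterns assume the log wording shown above.

```shell
#!/usr/bin/env bash
# Added example: turn the four Step 3 checks into a pass/fail gate.

# Stream layout from "CloudWatch Logs Structure":
#   {stream-prefix}/{container-name}/{task-id}
stream_for_task() {  # args: task ARN, stream prefix, container name
  printf '%s/%s/%s\n' "$2" "$3" "${1##*/}"
}

expect_line() {  # args: check name, extended regex, log text
  if printf '%s\n' "$3" | grep -Eq -- "$2"; then
    echo "PASS $1"
  else
    echo "FAIL $1"; return 1
  fi
}

# Reads log text on stdin; arg 1 is the profile that must be active.
# Returns non-zero if a startup line is missing or any ERROR line exists.
check_startup() {
  local log rc=0
  log=$(cat)
  expect_line profile "profiles? (is|are) active: .*\"$1\"" "$log" || rc=1
  expect_line datasource 'HikariPool-[0-9]+ - Start completed' "$log" || rc=1
  expect_line flyway 'Successfully applied [0-9]+ migrations?' "$log" || rc=1
  expect_line started 'Started [A-Za-z0-9_]+ in [0-9.]+ seconds' "$log" || rc=1
  if printf '%s\n' "$log" | grep -q 'ERROR'; then
    echo "FAIL no-error-lines"; rc=1
  fi
  return "$rc"
}

# Constructed sample (wording copied from the Step 3 lines above).
SAMPLE_LOG='INFO  - The following 1 profile is active: "prod"
INFO  - HikariPool-1 - Start completed.
INFO  - Successfully applied 4 migrations to schema "public"
INFO  - Started DvdRentalApplication in 8.234 seconds'

# Constructed task ARN; the account ID and task ID are placeholders.
SAMPLE_ARN='arn:aws:ecs:ap-northeast-1:111122223333:task/dvd-rental-cluster/0123456789abcdef0123456789abcdef'

stream_for_task "$SAMPLE_ARN" dvd-rental AppContainer
printf '%s\n' "$SAMPLE_LOG" | check_startup prod

# Against a real task, pipe the stream's messages in instead:
#   aws logs get-log-events --log-group-name "/dvd-rental/app" \
#     --log-stream-name "$(stream_for_task "$TASK_ARN" dvd-rental AppContainer)" \
#     --query "events[*].message" --output text | check_startup prod
```
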

Troubleshooting Cases

Container Stops Immediately

If the logs show an error like this:

ERROR - Failed to configure a DataSource: 'url' attribute is not specified

DB connection settings are not being passed correctly.
Check the environment variables and Secrets configuration in the ECS task definition.

No Logs Appear at All

The CloudWatch Logs log group may not exist, or the IAM role may not have write permissions.

# Check if the log group exists
aws logs describe-log-groups \
    --log-group-name-prefix "/dvd-rental" \
    --region ap-northeast-1

Summary

Log verification flow after ECS deployment:

  1. describe-services — Check task count (is running == desired?)
  2. CloudWatch Logs — Open the latest log stream
  3. Check Spring Boot startup logs for active profile, DB connection, Flyway
  4. If there are errors, use filter-log-events to search by keyword

“CloudFormation reaching COMPLETE ≠ deployment success.”
It’s important to make it a habit to verify the app is working by checking its logs as part of every deployment.

