2024-11-10, Hünkar Döner

EKS Logging Architecture: CloudWatch vs OpenSearch

Tags: Logging, EKS, CloudWatch, OpenSearch, Fluent Bit

In the container world, logs are ephemeral: when a pod is deleted, its logs are deleted with it. Collecting logs in a central place (log aggregation) is therefore essential. On Amazon EKS, the Fluent Bit agent is usually used for log collection, and logs are shipped to one of two main destinations: CloudWatch Logs or OpenSearch.

1. Amazon CloudWatch Logs

AWS's native logging service.

  • Advantages:
    • Full Integration: Very simple to set up, since it is part of the AWS ecosystem.
    • Serverless: No servers to manage. You send the logs and AWS stores them.
    • Container Insights: Offers performance and log views specially prepared for EKS.
  • Disadvantages:
    • Querying: The CloudWatch Logs Insights query language is powerful, but not as flexible or as fast as OpenSearch.
    • Visualization: Dashboard capabilities are limited.

2. Amazon OpenSearch Service (Formerly ELK)

AWS's managed version of Elasticsearch and Kibana.

  • Advantages:
    • Powerful Analysis: You can perform in-depth search, filtering, and visualization on logs with the Kibana interface.
    • Speed: Returns results very quickly even on large data sets.
  • Disadvantages:
    • Management: You have to manage an OpenSearch cluster yourself (sizing, disk space, etc.).
    • Cost: Because the cluster's servers run continuously, it can be more expensive than CloudWatch at low log volumes.

Comparison and Recommendation

  • If your log volume is low, you only look at logs in error cases, and you don't want management burden: CloudWatch Logs.
  • If your log volume is high, you perform business intelligence (BI) or security analysis on logs, and your developers are used to using Kibana: Amazon OpenSearch.

In our AWS consultancy projects, we usually recommend using Fluent Bit to send logs to OpenSearch, and backing them up to S3 for long-term archiving (for cost savings).
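The recommendation above, written out as a Fluent Bit configuration, is shown below. This is an added example, not a configuration from the original article or from the author's projects: it tails the container logs on each node, enriches them with Kubernetes metadata, and fans each record out to three outputs so the CloudWatch option from section 1, the OpenSearch option from section 2 and the S3 archive can be compared side by side (in practice you would keep OpenSearch plus S3, or CloudWatch alone). The cluster name, region, OpenSearch domain endpoint and bucket name are placeholders; the configuration assumes the Fluent Bit pods run under an IAM Roles for Service Accounts (IRSA) role that is allowed to write to the log group, the domain and the bucket, so no static access keys appear anywhere in the file.

```ini
# Added example (not from the original article). Placeholders:
#   CLUSTER_NAME, AWS_REGION, OPENSEARCH_ENDPOINT, ARCHIVE_BUCKET.
# Credentials come from the pod's IRSA role, never from this file.

[SERVICE]
    Flush         5
    Log_Level     info
    # Parsers for the CRI log format written by containerd on EKS nodes
    Parsers_File  parsers.conf

[INPUT]
    Name              tail
    Tag               kube.*
    Path              /var/log/containers/*.log
    multiline.parser  docker, cri
    Mem_Buf_Limit     50MB
    Skip_Long_Lines   On
    Refresh_Interval  10

[FILTER]
    # Attach namespace, pod, container and label metadata to every record
    Name                kubernetes
    Match               kube.*
    Kube_URL            https://kubernetes.default.svc:443
    Merge_Log           On
    Keep_Log            Off
    K8S-Logging.Parser  On
    K8S-Logging.Exclude On

# Option 1: CloudWatch Logs (serverless, retention set on the group)
[OUTPUT]
    Name                cloudwatch_logs
    Match               kube.*
    region              AWS_REGION
    log_group_name      /aws/eks/CLUSTER_NAME/application
    log_stream_prefix   fluent-bit-
    auto_create_group   On
    log_retention_days  30

# Option 2: Amazon OpenSearch Service (SigV4 signing over TLS)
[OUTPUT]
    Name                opensearch
    Match               kube.*
    Host                OPENSEARCH_ENDPOINT
    Port                443
    tls                 On
    AWS_Auth            On
    AWS_Region          AWS_REGION
    Logstash_Format     On
    Logstash_Prefix     eks-CLUSTER_NAME
    Suppress_Type_Name  On
    Replace_Dots        On
    Retry_Limit         2
    Trace_Error         On

# Long-term archive: gzip-compressed objects in S3, partitioned by tag and time
[OUTPUT]
    Name                s3
    Match               kube.*
    region              AWS_REGION
    bucket              ARCHIVE_BUCKET
    use_put_object      On
    compression         gzip
    total_file_size     50M
    upload_timeout      10m
    s3_key_format       /CLUSTER_NAME/$TAG/%Y/%m/%d/%H_%M_%S-$UUID.gz
```

Because all three outputs match the same `kube.*` tag, every record is delivered to each of them; removing an `[OUTPUT]` block is all it takes to drop a destination. Two details carry the security weight: `AWS_Auth On` makes Fluent Bit sign OpenSearch requests with the pod's IAM identity, so the domain can stay closed to anonymous access, and the S3 archive gives you a cheap, immutable copy that survives even if the OpenSearch index is deleted or the CloudWatch group's retention expires. Index lifecycle on the OpenSearch side and a lifecycle rule on the bucket should be configured separately; neither is part of this file.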