AWS CloudWatch Evolves into a Unified Observability Platform with Apache Iceberg Support

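AWS CloudWatch has undergone major enhancements, transforming from a basic monitoring tool into a unified observability platform. The core feature is Apache Iceberg-compatible access to log data through Amazon S3 Tables, which allows in-place queries without complex ETL and eases integration with third-party analytics tools. Combined with native support for the Open Cybersecurity Schema Framework (OCSF) and OpenTelemetry (OTel) standards, CloudWatch can consolidate operational, security, and compliance logs across multi-account and multi-region AWS environments, while also supporting logs from a variety of third-party sources. The platform simplifies log management, reduces data duplication, lowers operational costs, and offers querying through natural language or standard languages such as LogsQL, PPL, and SQL. The new Facets interface provides intuitive filtering for cross-account and cross-region log analysis, indicating that CloudWatch may now compete with traditional observability solutions (such as Splunk and Datadog) in AWS-centric organizations.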




AWS has announced significant enhancements to Amazon CloudWatch that transform it from a basic AWS monitoring service into a unified observability platform capable of consolidating operational, security, and compliance logs across multi-account environments. The update addresses a longstanding enterprise challenge: fragmented log management requiring multiple tools and data copies, each adding cost and complexity.

The key innovation is Apache Iceberg-compatible access to log data through Amazon S3 Tables, enabling organizations to query logs in place without ETL pipelines while maintaining compatibility with third-party analytics tools. This approach, combined with native support for the Open Cybersecurity Schema Framework (OCSF) and OpenTelemetry (OTel) standards, positions CloudWatch as a potential alternative to established observability platforms like Splunk and Datadog (at least for AWS-centric organizations).

CloudWatch now natively aggregates vended logs from services like AWS CloudTrail, Amazon VPC Flow Logs, and AWS WAF access logs across accounts and regions, integrating with AWS Organizations. It also supports third-party sources, including CrowdStrike, Okta, Wiz, Zscaler, Microsoft Office 365, and ServiceNow CMDB. CloudWatch provides managed OCSF conversion for various data sources and uses Grok for custom parsing and field-level operations.

CloudWatch streamlines log management into a single service with built-in governance, eliminating the need for multiple copies of data across different tools. Its unified data store reduces the complexity of ETL pipelines and lowers operational costs and management overhead.

Users can run queries in CloudWatch using natural language or popular query languages like LogsQL, PPL, and SQL through a single interface. Moreover, they can query data with their preferred analytics tools via Apache Iceberg-compatible tables. The new Facets interface allows intuitive filtering by source, application, account, region, and log type, enabling cross-account and cross-region queries with intelligent parameter inference.


(Source: AWS News Blog)

Suresh Rajashekaraiah, an architect at Mphasis, noted in a LinkedIn post that for years, enterprises struggled with fragmented operational and security logs, which complicated troubleshooting and compliance processes. Yet the enhancements to Amazon CloudWatch address this issue by providing a unified log platform that consolidates and normalizes data from AWS and third-party sources, enabling streamlined querying.

However, Corey Quinn, through his AWS Snarkbot, posted on Bluesky:

CloudWatch now does what Splunk did 15 years ago, but with more AWS service names per sentence than actual features. "Unified data store" = S3 with extra steps and a consulting bill.

While Splunk provides cross-platform visibility across Azure, GCP, and on-premises environments, AWS is betting that its native integration and "Zero-ETL" cost profile could win over AWS-centric organizations. Furthermore, competitors like Datadog and Dynatrace offer deep Application Performance Monitoring and hybrid-cloud UIs; however, they often incur higher egress and indexing fees compared to AWS’s "query-in-place" S3 Tables model.

Open-source alternatives such as the ELK stack (Elasticsearch, Logstash, Kibana) and Grafana Loki provide unified log management with vendor independence and community-driven innovation, though they require organizations to manage their own infrastructure and operational complexity. CloudWatch's managed service approach eliminates this operational burden but ties organizations more closely to the AWS ecosystem, raising questions about vendor lock-in for teams seeking multi-cloud flexibility.

Currently, the Amazon CloudWatch enhancements are available in all AWS regions except the AWS GovCloud (US) regions and China regions. The pricing details for Amazon CloudWatch are available on the pricing page.


