AWS Security ChangesHomeSearch

AWS AmazonCloudWatch documentation change

Service: AmazonCloudWatch · 2025-10-16 · Documentation low

File: AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.md

Summary

Restructured documentation with removed detailed regex syntax sections, added practical use case examples, and reorganized content with links to dedicated pages

Security assessment

Added examples like monitoring 'UpdateTrail' events and HTTP error codes demonstrate security monitoring use cases, but there's no evidence of addressing specific vulnerabilities. Changes focus on improving documentation structure and practical guidance rather than patching security issues.

Diff

diff --git a/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.md b/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.md
index 7147d80ac..8e389fe65 100644
--- a//AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.md
+++ b//AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.md
@@ -5,2 +4,0 @@
-Supported regular expressionsMatch terms using regular expressionsMatch terms in unstructured log eventsMatch terms in JSON log eventsMatch terms in space-delimited log events
-
@@ -9,6 +6,0 @@ Supported regular expressionsMatch terms using regular expressionsMatch terms in
-###### Note
-
-For information about how to query your log groups with the Amazon CloudWatch Logs Insights query language, see [CloudWatch Logs Insights language query syntax](./CWL_QuerySyntax.html).
-
-With CloudWatch Logs, you can use [metric filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/MonitoringLogData.html) to transform log data into actionable metrics, [subscription filters](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html) to route log events to other AWS services, [filter log events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SearchDataFilterPattern.html) to search for log events, and [Live Tail](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs_LiveTail.html) to interactively view your logs in real-time as they are ingested.
-
@@ -19,656 +11 @@ Create filter patterns with the terms that you want to match. Filter patterns on
-###### Topics
-
-  * Supported regular expressions (regex) syntax
-
-  * Using filter patterns to match terms with a regular expression (regex)
-
-  * Using filter patterns to match terms in unstructured log events
-
-  * Using filter patterns to match terms in JSON log events
-
-  * Using filter patterns to match terms in space-delimited log events
-
-
-
-
-## Supported regular expressions (regex) syntax
-
-When using regex to search and filter log data, you must surround your expressions with `%`.
-
-Filter patterns with regex can only include the following:
-
-  * Alphanumeric characters – An alphanumeric character is a character that is either a letter (from A to Z or a to z) or a digit (from 0 to 9).
-
-  * Supported symbol characters – These include: '`:`', '`_`', '`#`', '`=`', '`@`','`/`', '`;`', '`,`', and '`-`'. For example, `%something!%` would be rejected since '`!`' is not supported.
-
-  * Supported operators – These include: '`^`', '`$`', '`?`', '`[`', '`]`', '`{`', '`}`', '`|`', '`\`', '`*`', '`+`', and '`.`'.
-
-
-
-
-The `(` and `)` operators are not supported. You cannot use parentheses to define a subpattern.
-
-Multi-byte characters are not supported.
-
-###### Note
-
-**Quotas**
-
-There is a maximum of 5 filter patterns containing regex for each log group when creating metric filters or subscription filters.
-
-There is a limit of 2 regex for each filter pattern when creating a delimited or JSON filter pattern for metric filters and subscription filters or when filtering log events or Live Tail.
-
-**Usage of supported operators**
-
-  * `^`: Anchors the match to the beginning of a string. For example, `%^[hc]at%` matches "hat" and "cat", but only at the beginning of a string.
-
-  * `$`: Anchors the match to the end of a string. For example, `%[hc]at$%` matches "hat" and "cat", but only at the end of a string.
-
-  * `?`: Matches zero or one occurrence of the preceding term. For example, `%colou?r%` can match both "color" and "colour".
-
-  * `[]`: Defines a character class. Matches the character list or character range contained within the brackets. For example, `%[abc]%` matches "a", "b", or "c"; `%[a-z]%` matches any lowercase letter from "a" to "z"; and `%[abcx-z]%`matches "a", "b", "c", "x", "y", or "z".
-
-  * `{m, n}`: Matches the preceding term at least _m_ and not more than _n_ times. For example, `%a{3,5}% ` matches only "aaa", "aaaa", and "aaaaa".
-
-###### Note
-
-Either _m_ or _n_ can be omitted if you chose not to define a minimum or maximum.
-
-  * `|`: Boolean "Or", which matches the term on either side of the vertical bar. For example:
-
-    * `%gra|ey%` can match "gray" or "grey"
-
-    * `%^starting|^initializing|^shutting down%` can match match "starting ...", or "initializing ...", or "shutting down", but won't match "skipping initializing ..."
-
-    * `%abcc|ab[^c]$` can match match "abcc ..." and "aba ..." but won't match "aac ..."
-
-  * `\`: Escape character, which allows you to use the literal meaning of an operator instead of its special meaning. For example, `%\[.\]%` matches any single character surrounded by "[" and "]" since the brackets are escaped, such as "[a]", "[b]", "[7]", "[@]", "[]]", and "[ ]".
-
-###### Note
-
-` %10\.10\.0\.1%` is the correct way to create a regex to match the IP address 10.10.0.1.
-
-  * `*`: Matches zero or more instances of the preceding term. For example, ` %ab*c% ` can match "ac", "abc", and "abbbc"; `%ab[0-9]*%` can match "ab", "ab0", and "ab129".
-
-  * `+`: Matches one or more instances of the preceding term. For example, `%ab+c%` can match "abc", "abbc", and "abbbc", but not "ac". 
-
-  * `.`: Matches any single character. For example, `%.at%` matches any three character string ending with "at", including "hat", "cat", "bat", "4at", "#at" and " at" (starting with a space).
-
-###### Note
-
-When creating a regex to match IP addresses, it is important to escape the `.` operator. For example, `%10.10.0.1%` can match "10010,051" which might not be the actual intended purpose of the expression.
-
-  * `\d`, `\D`: Matches a digit/non-digit character. For example, `%\d%` is equivalent to `%[0-9]%` and `%\D%` is equivalent to `%[^0-9]%`.
-
-###### Note
-
-The uppercase operator denotes the inverse of its lowercase counterpart.
-
-  * `\s`, `\S`: Matches a whitespace character/non-whitespace character.
-
-###### Note
-
-The uppercase operator denotes the inverse of its lowercase counterpart. Whitespace characters include the tab (`\t`), space(` `), and newline (`\n`) characters.
-
-  * `\w`, `\W`: Matches an alphanumeric character/non-alphanumeric character. For example, `%\w%` is equivalent to `%[a-zA-Z_0-9]%` and `%\W%` is equivalent to `%[^a-zA-Z_0-9]%`.
-
-###### Note
-
-The uppercase operator denotes the inverse of its lowercase counterpart.
-
-  * `\xhh`: Matches the ASCII mapping for a two-digit hexadecimal character. `\x` is the escape sequence which indicates that the following characters represent the hexadecimal value for ASCII. `hh` specifies the two hexadecimal digits (0-9 and A-F) which point to a character in the ASCII table.
-
-###### Note
-
-You can use `\xhh` to match symbol characters that are not supported by the filter pattern. For example, `%\x3A%` matches `:`; and `%\x28%` matches `(`.
-
-
-
-
-## Using filter patterns to match terms with a regular expression (regex)
-
-You can match terms in your log events using a regex pattern surrounded with `%` (percentage signs before and after the regex pattern). The following code snippet shows an example of a filter pattern that returns all log events consisting of the **AUTHORIZED** keyword.
-
-For a list of supported regular expressions, see [Supported regular expressions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html#regex-expressions).
-    
-    
-      %AUTHORIZED%
-                
-
-This filter pattern returns log event messages, such as the following:
-
-  * `[ERROR 401] UNAUTHORIZED REQUEST`
-
-  * `[SUCCESS 200] AUTHORIZED REQUEST`
-
-
-
-
-## Using filter patterns to match terms in unstructured log events
-
-The following examples contain code snippets that show how you can use filter patterns to match terms in unstructured log events.
-
-###### Note
-
-Filter patterns are case sensitive. Enclose exact phrases and terms that include non-alphanumeric characters in double quotation marks (**""**).
-
-Example: Match a single term
-    
-
-The following code snippet shows an example of a single-term filter pattern that returns all log events where messages contain the word **_ERROR_**.
-    
-    
-    ERROR
-                                
-
-This filter pattern matches log event messages, such as the following:
-
-  * `[ERROR 400] BAD REQUEST`
-
-  * `[ERROR 401] UNAUTHORIZED REQUEST`
-
-  * `[ERROR 419] MISSING ARGUMENTS`
-
-  * `[ERROR 420] INVALID ARGUMENTS`
-
-
-
-
-Example: Match multiple terms
-    
-
-The following code snippet shows an example of a multiple-term filter pattern that returns all log events where messages contain the words **_ERROR_** and **_ARGUMENTS_**.
-    
-    
-    ERROR ARGUMENTS
-                                
-
-The filter returns log event messages, such as the following:
-
-  * `[ERROR 419] MISSING ARGUMENTS`
-
-  * `[ERROR 420] INVALID ARGUMENTS`
-
-
-
-
-This filter pattern doesn't return the following log event messages because they don't contain both of the terms specified in the filter pattern.
-
-  * `[ERROR 400] BAD REQUEST`
-
-  * `[ERROR 401] UNAUTHORIZED REQUEST`
-
-
-
-