Log streaming: Amazon Kinesis Data Streams

Fastly's Real-Time Log Streaming feature can send log files to Amazon Kinesis Data Streams. Amazon Kinesis Data Streams (KDS) is a real-time data streaming service that can continuously capture data from a variety of sources.

How Amazon Kinesis Data Streams work with Fastly log streaming

Amazon KDS sends data records to a stream. Each stream comprises one or more shards. A shard represents a fixed amount of processing capacity and the total processing capacity of a stream is determined by the number of shards. The number of shards may be increased or decreased over the lifetime of a stream. This is important because the Fastly Kinesis logging endpoint monitors the number of shards and attempts to uniformly distribute the log data records across the available shards. When the number of shards for a stream changes, the Fastly Kinesis logging endpoint automatically adjusts in response. The goal is to make the best use of the throughput capability of the stream while minimizing the configuration overhead required for our customers.

If the log volume exceeds the throughput capacity of the stream, Amazon KDS will return errors and these will be visible in the Fastly logging endpoint logs as output that begins with Failed to put record onto stream. The Fastly logging endpoint will attempt a limited number of retries when these errors occur, but if they occur on a regular basis it is likely an indication that the total stream throughput is insufficient for the log volume and the number of shards should be increased.


Before adding Amazon KDS as a logging endpoint for Fastly services, we recommend creating Identity and Access Management (IAM) credentials in your AWS account specifically for Fastly. Our recommended way for doing this is by creating an AWS IAM role, which lets you grant temporary credentials. For more information, see Creating an AWS IAM Role for Fastly Logging. Alternatively, create an IAM user and grant the user kinesis:PutRecords and kinesis:ListShards permissions for the logging stream. For more information, see Amazon's guidance on understanding and getting your AWS credentials.

Adding Amazon Kinesis as a logging endpoint

After you've registered for an AWS account and created an IAM user in Amazon Kinesis, follow these instructions to add Amazon KDS as a logging endpoint:

  1. Review the information in our Setting Up Remote Log Streaming guide.
  2. Click the Amazon Kinesis Data Streams Create endpoint button. The Create an Amazon Kinesis Data Streams endpoint page appears.

    the create an Amazon Kinesis Data Streams endpoint page

  3. Fill out the Create an Amazon Kinesis Data Streams endpoint fields as follows:
    • In the Name field, enter a human-readable name for the endpoint.
    • In the Placement area, select where the logging call should be placed in the generated VCL. Valid values are Format Version Default, waf_debug (waf_debug_log), and None. See our guide on changing log placement for more information.
    • In the Log format field, optionally enter an Apache-style string or VCL variables to use for log formatting. Our discussion of format strings provides more information.
    • In the Access method field, select either User Credentials or IAM Role.
    • If you select User Credentials, enter the access key and secret key associated with the IAM user you created in your AWS account specifically for Fastly. See Amazon's documentation on security credentials for more information.
    • If you select IAM Role, enter the Amazon Resource Name (ARN) for the IAM role granting Fastly access to KDS. For more information, see Creating an AWS IAM Role for Fastly Logging.
    • In the Period field, optionally enter an interval (in seconds) to control how frequently your log files are rotated. This value defaults to 3600 seconds.
    • In the Stream name field, enter the name of the Kinesis stream to which log data will be sent.
    • From the Region menu, select the region to stream logs to. This must match the region where you created your Kinesis stream.
  4. Click the Create button to create the new logging endpoint.
  5. Click the Activate button to deploy your configuration changes.
Back to Top