AWS CloudWatch log stream name not recognised

Introduction

If CloudWatch Logs says a log stream name is not recognized, the practical meaning is usually simple: the stream does not exist where your code is looking, or your request is pointing at the wrong log group, region, or account. The fix is to verify the resource path first, then permissions, then stream creation logic.

Understand the Resource Hierarchy

CloudWatch Logs has two levels that are easy to confuse:

  • log group
  • log stream inside that log group

A log stream name is only unique within its log group. A valid stream name in one group means nothing in another group. AWS also enforces naming rules for streams, including a length of 1 to 512 characters and disallowing : and *.

That means “not recognized” can be caused by a perfectly valid stream name being paired with the wrong log group.

The Most Common Failure Modes

The Stream Was Never Created

If you are writing directly with the SDK, the stream usually must exist before PutLogEvents can write to it.

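```python
import boto3

logs = boto3.client("logs", region_name="us-east-1")

# Create the group first, then the stream inside it. Each call raises
# ResourceAlreadyExistsException if the resource is already there.
logs.create_log_group(logGroupName="app-logs")
logs.create_log_stream(logGroupName="app-logs", logStreamName="worker-1")
```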

If worker-1 was never created under app-logs, later write calls can fail with a not-found style error.

Wrong Region or Wrong Account

CloudWatch log groups are regional. A stream created in us-east-1 will not appear in us-west-2. This is one of the fastest ways to waste time, especially when credentials point to a different account than the console tab you are viewing.

Always print or log the effective region and account during setup if the environment is dynamic.

Wrong Log Group Name

Developers often reuse the correct stream name but send it with a typo in the log group name. Since the stream lookup is scoped to the group, AWS treats that as a missing resource.

A Safe Write Pattern

A defensive pattern is to ensure the group and stream exist before sending events.

```python
import time
import boto3
from botocore.exceptions import ClientError

logs = boto3.client("logs", region_name="us-east-1")


def ensure_log_stream(group, stream):
    """Create the log group and stream, ignoring 'already exists' errors."""
    try:
        logs.create_log_group(logGroupName=group)
    except ClientError as exc:
        # Any other error (for example a permission failure) is re-raised.
        if exc.response["Error"]["Code"] != "ResourceAlreadyExistsException":
            raise

    try:
        logs.create_log_stream(logGroupName=group, logStreamName=stream)
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "ResourceAlreadyExistsException":
            raise


def put_message(group, stream, message):
    """Write one event, making sure the target stream exists first."""
    ensure_log_stream(group, stream)
    logs.put_log_events(
        logGroupName=group,
        logStreamName=stream,
        # CloudWatch Logs expects the timestamp in milliseconds since the epoch.
        logEvents=[{"timestamp": int(time.time() * 1000), "message": message}],
    )


put_message("app-logs", "worker-1", "service started")
```

This removes guesswork and turns hidden provisioning assumptions into explicit code.

Check Permissions Separately

A missing permission can look similar to a missing resource when debugging from application logs alone. The writing principal usually needs permissions such as:

  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • logs:DescribeLogStreams

If IAM policies scope access to a log group ARN, make sure the stream access pattern is covered as well.

Verify the Resource Exists Before Blaming the SDK

Use the CLI to list streams directly in the target group.

```bash
aws logs describe-log-streams \
  --region us-east-1 \
  --log-group-name app-logs
```

If the stream is not in the response, the issue is configuration or provisioning, not the client library.
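
The checks from the sections above (naming rules, effective account and region, log group, stream, permissions) combined into one diagnostic. This is an added example, not code from the original article; the function names and verdict strings are assumptions, and the account ID and stub clients in the demo are constructed.

```python
import re


def valid_stream_name(name):
    # Naming rules stated above: 1 to 512 characters, no ':' or '*'.
    return 1 <= len(name) <= 512 and not re.search(r"[:*]", name)


def error_code(exc):
    # botocore's ClientError keeps the AWS error code in exc.response.
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def diagnose(logs, sts, group, stream):
    """Return (verdict, detail) for one group/stream pair.

    logs and sts are boto3 clients (or stand-ins with the same methods).
    """
    if not valid_stream_name(stream):
        return "invalid-name", "stream name breaks the length or character rules"
    # Resolve the account and region the request really goes to.
    account = sts.get_caller_identity()["Account"]
    where = f"account {account}, region {logs.meta.region_name}"
    try:
        # With the default name ordering, an exact match sorts ahead of longer
        # names sharing the prefix, so the first page is enough.
        page = logs.describe_log_streams(logGroupName=group, logStreamNamePrefix=stream)
    except Exception as exc:
        code = error_code(exc)
        if code == "ResourceNotFoundException":
            return "group-missing", f"no log group {group!r} in {where}"
        if code == "AccessDeniedException":
            return "access-denied", f"logs:DescribeLogStreams denied in {where}"
        raise
    names = [s["logStreamName"] for s in page.get("logStreams", [])]
    if stream in names:  # a prefix hit such as worker-10 is not worker-1
        return "ok", f"{group}/{stream} exists in {where}"
    return "stream-missing", f"group {group!r} exists in {where}, stream does not"


if __name__ == "__main__":
    # Constructed stand-ins so this runs offline; in real use pass
    # boto3.client("logs", region_name=...) and boto3.client("sts").
    from types import SimpleNamespace as NS
    sts = NS(get_caller_identity=lambda: {"Account": "111122223333"})
    logs = NS(meta=NS(region_name="us-east-1"), describe_log_streams=lambda **kw: {
        "logStreams": [{"logStreamName": "worker-10"}]})
    print(diagnose(logs, sts, "app-logs", "worker-1"))
```

The verdict separates a missing group from a missing stream and from a denied call, and the detail string always names the account and region that were actually queried.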

Common Pitfalls

The most common mistake is checking the stream name in the console but not checking the region and account. Resource mismatches across environments are more common than broken SDK calls.

Another mistake is assuming the application auto-creates streams when the code path never actually does so. If stream creation is required, make it explicit.

Developers also often focus on the stream name and ignore the log group name, even though the lookup depends on both.

Summary

  • A CloudWatch log stream is scoped to a specific log group and region.
  • “Not recognized” usually means wrong group, wrong region, wrong account, or a missing stream.
  • Create the stream explicitly before calling PutLogEvents if your workflow requires it.
  • Verify naming rules and IAM permissions separately.
  • Use describe-log-streams to confirm the resource path before debugging application code.
