AWS Compute Services

Real-time Monitoring of 5XX Errors using AWS Lambda, CloudWatch Logs and Slack

4 min read
Updated June 21, 2025
5,812 characters

Real-Time 5xx Error Monitoring with Lambda and Slack

This cheat sheet outlines a common serverless architectural pattern for real-time monitoring of application errors. The goal is to receive instant notifications in a Slack channel whenever an Application Load Balancer (ALB) records a 5xx server-side error.

The Problem: Delayed Error Discovery

By default, ALB access logs are stored in an S3 bucket. Manually checking these logs for errors is inefficient and means you often discover problems long after they have impacted users. This pattern provides immediate, automated visibility into critical application failures.

Architectural Components

This solution connects several AWS services to create a real-time alerting pipeline.

1. Application Load Balancer (ALB)

  • Role: The entry point for application traffic.
  • Function: It handles user requests and routes them to backend targets (e.g., EC2 instances, ECS containers). It also generates detailed access logs for every request it processes.
  • Configuration: Access logging must be enabled on the ALB, configured to deliver log files to a designated S3 bucket.

2. Amazon S3 Bucket

  • Role: The central storage for ALB access logs.
  • Function: ALB periodically writes log files to this bucket. Each file contains a batch of recent access log entries.

3. S3 Event Notifications

  • Role: The trigger for the entire process.
  • Function: The S3 bucket is configured to send an event notification whenever a new object (a log file) is created.
  • Configuration: An event is set up for the s3:ObjectCreated:* action, which triggers an AWS Lambda function.

4. AWS Lambda Function

  • Role: The core processing engine of the monitoring solution.
  • Function:
    1. Triggered: The Lambda function is invoked by the S3 event notification, receiving the bucket name and the new log file's key (name) as input.
    2. Fetch: It uses the AWS SDK to get the newly created log file from the S3 bucket.
    3. Process: It reads and parses the log file content. ALB logs are space-delimited, so the function splits each line to analyze its fields.
    4. Filter: It specifically checks the elb_status_code column in each log entry, looking for any status codes in the 5xx range (e.g., 500, 502, 503, 504).
    5. Format: For each 5xx error found, it formats a user-friendly notification message containing key details like the timestamp, client IP, target IP, and the specific error code.
    6. Notify: It sends the formatted message to a pre-configured Slack channel.

5. Slack Integration (Incoming Webhook)

  • Role: The notification destination.
  • Function: A Slack "Incoming Webhook" provides a unique URL. Sending an HTTP POST request with a JSON payload to this URL will post a message to the corresponding channel.
  • Configuration: The Lambda function securely stores this Webhook URL (e.g., using AWS Secrets Manager or as an encrypted environment variable) and sends its formatted error messages to it.

6. IAM Roles

  • Role: The security glue holding the components together.
  • Function: Two key roles are needed:
    • Lambda Execution Role: Grants the Lambda function permission to s3:GetObject to read log files from the S3 bucket. It also needs permissions to write to CloudWatch Logs for its own logging.
    • S3 Invoke Permission: A resource-based policy is added to the Lambda function to allow the S3 service to invoke it.

End-to-End Workflow

  1. A user makes a request to the application, and the backend service returns a 503 Service Unavailable error to the ALB.
  2. The ALB records this request, including the 503 status code, in its access log.
  3. After a short interval, the ALB writes a new compressed log file containing the error entry to the designated S3 bucket.
  4. The creation of the new log file in S3 triggers an s3:ObjectCreated:* event notification.
  5. The S3 event invokes the subscribed Lambda function, passing along the log file's location.
  6. The Lambda function executes, reads the log file from S3, and finds the line with the 503 error.
  7. The function formats a message: Alert: 503 error detected for client 192.0.2.1 at 2025-06-21T22:45:00Z.
  8. The function sends this message via an HTTP POST request to the Slack Incoming Webhook URL.
  9. The error alert instantly appears in the designated Slack channel, notifying the on-call team.

📚 Recommended AWS Resources

AWS Certified Solutions Architect Study Guide
Complete preparation for AWS certification exams
AWS Cookbook
Practical recipes for AWS cloud solutions
As an Amazon Associate, we earn from qualifying purchases.
Back to All