Skip to main content
In this guide, we’ll cover how to monitor and observe your Amazon EKS clusters using AWS-native and managed services. Effective observability is essential for day-two operations, enabling you to track performance, troubleshoot issues, and maintain compliance.

1. EKS Control Plane Logging

Enable control plane logging when creating your EKS cluster to capture API activity and control plane events. Logged data flows automatically to Amazon CloudWatch Logs in a log group named after your cluster.
Control plane logs are invaluable for auditing and security compliance. Enable them at cluster creation—AWS handles the log delivery.
The image is a diagram showing the integration of an EKS Cluster's Control Plane with CloudWatch Logs. It illustrates the flow of data from the EKS Cluster to CloudWatch for monitoring purposes.
You can then use the CloudWatch console to:
  • Query and filter control plane logs
  • Create CloudWatch Alarms on specific API calls
  • Build dashboards to surface real-time cluster health

2. Node-Level Logging with CloudWatch Agents

To capture node-level system logs and container stdout/stderr streams, deploy the CloudWatch Logs agent on each EC2 node via the AWS Observability Add-on.
The image illustrates the architecture of CloudWatch Log Agents, showing how an EKS Cluster's control plane and EC2 instance send logs to CloudWatch and CloudWatch Logs, with an observability add-on.
Key log sources:
Log SourcePath/TypeDescription
Node system logs/var/log/messagesOS events, kernel and system messages
Container logsstdout/stderrApplication output and errors
Kubernetes metricsPrometheus endpointCPU, memory, and pod-level metrics

3. Workload Insights with ADOT

The AWS Distro for OpenTelemetry (ADOT) add-on extends CloudWatch Logs agent capabilities by collecting metrics, logs, and distributed traces. You can send data to CloudWatch or any OpenTelemetry-compatible backend.
The image illustrates the AWS Distro for Open Telemetry (ADOT) setup, showing an EKS Cluster with an agent and ADOT sending metrics and logs to CloudWatch.
Benefits of ADOT:
  • Unified collection pipeline for logs, metrics, and traces
  • Native support for custom OpenTelemetry backends
  • Correlation of application logs with performance metrics

Tracing with AWS X-Ray

Layer the AWS X-Ray add-on on ADOT to enable end-to-end distributed tracing across microservices. Trace data is automatically visible in the X-Ray console.

4. Fargate Logging

EKS on Fargate uses a managed Fluent Bit agent (similar to FireLens). Deploy logging by:
  1. Creating an AWS Observability namespace in your cluster.
  2. Applying the provided ConfigMap to configure Fluent Bit.
Fluent Bit collects container logs and forwards them to CloudWatch Logs. Note that underlying Fargate infrastructure metrics (CPU, memory) aren’t exposed the same way as on EC2.
Fargate only captures application container logs. If you require node-level metrics, consider EC2-based nodes or use Prometheus scraping.

5. Amazon Managed Prometheus and Grafana

For a fully managed Prometheus/Grafana experience, AWS offers:
ServiceUse CaseKey Features
Amazon Managed PrometheusScalable metrics ingestion & storageAuto scale, high availability, Prometheus-compatible
Amazon Managed GrafanaDashboards & alertingIAM integration, plugins, team management
The image is a diagram illustrating Amazon Managed Prometheus (AMP) and AWS Managed Grafana (AMG), highlighting features like cluster scraping, workload management, and deep integration. It also mentions IAM for identity and access management.
Configure AMP to scrape your EKS cluster endpoints, then build rich, interactive dashboards in AMG.

Conclusion

AWS offers a comprehensive observability suite for EKS:
  • Control Plane Logs via CloudWatch Logs
  • Node & Container Logs with CloudWatch Logs agent and Observability Add-on
  • Unified Telemetry using ADOT
  • Distributed Tracing with AWS X-Ray
  • Fargate Logging through managed Fluent Bit
  • Managed Metrics & Visualization with AMP and AMG
Choose the right mix for your team’s needs and integrate with AWS IAM for secure, scalable monitoring.

Watch Video