Enabling external logging for AWS

The agentic experience uses powerful AI agents, dynamic orchestration, and integrated tools to deliver smarter, context-aware decision making and automation.

To support monitoring and debugging of your agent workflows, you can enable external logging to store and access both audit and debug logs by using Amazon S3 and CloudWatch.

Before you begin

To access logs and traces:

  • You must have an AWS account.
  • If you don’t have one, try for free.

You need to create:

  • An Amazon S3 bucket to store logs.
  • A CloudWatch log group to view and analyze logs.
  • IAM roles and policies to manage access.

Logs are stored in Amazon S3 and optionally viewed in CloudWatch Logs. You must configure these AWS resources and register them with IBM support to enable logging in watsonx Orchestrate.

Step 1: Create an Amazon S3 Bucket

Amazon S3 buckets are containers that store data. The following steps create an Amazon S3 bucket and the IAM policy and role that grant access to it:

  1. Create an Amazon S3 bucket in your account. Amazon S3 bucket names must be globally unique, so create a unique name for your bucket by adding your tenant ID to the bucket name, for example "tenantxxx-bucket".

  2. Create a role in your AWS account and specify the account ID of the watsonx Orchestrate ServiceLine AWS account, which is 239621575091, as the trusted entity. You must also create a new policy that limits the role's permissions to read and write access to the bucket you created ("tenantxxx-bucket"). Anyone who is granted this role has full read and write access to the "tenantxxx-bucket" bucket.

    i. Before you create the role, prepare the managed policy that defines the permissions the role requires; you attach this managed policy to the role in a later step.

    ii. Navigate to the AWS Identity and Access Management (IAM) console and click Policies > Create policy. Click the JSON tab and paste the complete text of the following JSON policy document. In a JSON text editor, replace the resource ARN (arn:aws:s3:::tenantxxx-bucket) with the ARN of your Amazon S3 bucket. The following is a sample JSON policy document:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::tenantxxx-bucket"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::tenantxxx-bucket/*"
            }
        ]
    }

    iii. On the Review and create page, enter a policy name; for example, read-write-app-bucket.

    iv. Review the permissions granted by the policy, and click Create policy to save it. The new policy appears in the list of managed policies.

    v. To create a role, go to the navigation pane, click Roles > Create role.

    vi. Click the AWS account role type and specify the trusted AWS account:

    • Select Another AWS account and enter the account ID of the watsonx Orchestrate ServiceLine AWS account, which is 239621575091, under Account ID.

    vii. To set the permissions associated with the role, click Next: Permissions.

    viii. Select the checkbox next to the policy that you created in the previous step.

    ix. (Optional) Add metadata to the role by attaching tags as key-value pairs.

    x. (Optional) Under Description, you can enter a description for the new role.

    xi. After reviewing the role, click Create role.

  3. After creating the role, get its Amazon Resource Name (ARN); the ARN is the unique identifier for the role. To get the ARN:

    i. Go to the navigation pane of the IAM console and click Roles.

    ii. In the list of roles, choose the role that you created in the previous step.

    iii. Copy the Role ARN value from the Summary.

You can now use this bucket to store the external logs.

Step 3: Create a CloudWatch log group

  1. Go to CloudWatch > Log groups, and create a new group, for example, tenantxxx-lg.
  2. Follow the same steps as for S3 to:
    • Create an IAM policy for CloudWatch log group access
    • Grant the required logs: actions (see the example policy) on your log group ARN (format: arn:aws:logs:<region>:<account_id>:log-group:tenantxxx-lg:*)
    • Create a new role for watsonx Orchestrate using the same trusted AWS account ID: 239621575091
  3. Copy the Role ARN for registration.

Example CloudWatch policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:ListTagsLogGroup",
                "logs:GetDataProtectionPolicy",
                "logs:DeleteDataProtectionPolicy",
                "logs:DescribeLogStreams",
                "logs:StartQuery",
                "logs:CreateLogStream",
                "logs:TagLogGroup",
                "logs:GetLogEvents",
                "logs:AssociateKmsKey",
                "logs:FilterLogEvents",
                "logs:PutDestination",
                "logs:DisassociateKmsKey",
                "logs:PutDataProtectionPolicy",
                "logs:UntagLogGroup",
                "logs:DescribeLogGroups",
                "logs:PutDestinationPolicy",
                "logs:TagResource",
                "logs:PutLogEvents",
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "logs:GetLogGroupFields"
            ],
            "Resource": "arn:aws:logs:<AWS_Region>:<AWS_Account_ID>:log-group:tenantxxx-lg:*"
        }
    ]
}
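Added example (not part of the IBM documentation or the product): a Python script that builds the trust policy for the cross-account role described in Step 1 and Step 3, the S3 and CloudWatch permission policies scoped to one tenant's bucket and log group, and a check that no Allow statement grants a write-class action on Resource "*". The CloudWatch action list is a subset of the page's example policy; the bucket name, region and account ID 111122223333 are constructed placeholders.

```python
import json

WXO_ACCOUNT_ID = "239621575091"  # watsonx Orchestrate ServiceLine AWS account (from the page)


def trust_policy(trusted_account: str = WXO_ACCOUNT_ID) -> dict:
    """Trust policy: only the watsonx Orchestrate account may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole"}]}


def s3_policy(bucket: str) -> dict:
    """Read/write policy scoped to one tenant bucket (same shape as the page's sample)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": arn},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{arn}/*"}]}


def cloudwatch_policy(region: str, account_id: str, log_group: str) -> dict:
    """Log-group policy; a logs ARN needs both region and account (subset of the page's actions)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams",
                   "logs:DescribeLogGroups", "logs:GetLogEvents", "logs:FilterLogEvents"],
        "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"}]}


def wildcard_write_statements(policy: dict) -> list:
    """Least-privilege check: Allow statements with a write-class action on Resource '*'."""
    def as_list(v):
        return v if isinstance(v, list) else [v]
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "*" not in as_list(st["Resource"]):
            continue
        names = [a.split(":", 1)[-1] for a in as_list(st["Action"])]
        if any(n == "*" or n.startswith(("Put", "Delete", "Create")) for n in names):
            flagged.append(st)
    return flagged


if __name__ == "__main__":
    # Constructed sample values; replace with your own bucket, region and account ID.
    for name, doc in [("trust", trust_policy()), ("s3", s3_policy("tenantxxx-bucket")),
                      ("cw", cloudwatch_policy("us-east-1", "111122223333", "tenantxxx-lg"))]:
        assert not wildcard_write_statements(doc), f"{name} policy grants writes on *"
        print(json.dumps(doc, indent=2))
```

The page does not say whether watsonx Orchestrate passes an sts:ExternalId when assuming the role, so the trust policy above carries no Condition; confirm with IBM Support before adding one, since an unmatched condition would block the log forwarding.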

Step 4: Register logging details with IBM

To enable log forwarding, open a support case with IBM. Include the following information in your request:

  • watsonx Orchestrate CRN

    To find your CRN:

    • Sign in to watsonx Orchestrate.
    • Go to Profile > About.
    • Take a screenshot of the About page and attach it to your support case.
  • Amazon S3 bucket information

    Provide the following details:

    • s3_bucket_name
    • s3_region
    • s3_role_arn
  • CloudWatch log group information

    Provide the following details:

    • cw_loggroup_name
    • cw_region
    • cw_role_arn

After IBM Support completes the integration, you receive a confirmation.

Step 5: Accessing logs

  • Audit logs

    • Located in your Amazon S3 bucket

    • Stored in JSON format under a top-level folder that is named after your tenant ID

  • Debug logs

    • Available in CloudWatch

    • Include audit logs and additional execution context for troubleshooting

Note: The debug logs are not intended to expose the internal system logs of watsonx Orchestrate. Because these additional logs are intended for debugging, their content might change.