> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bronto.io/llms.txt
> Use this file to discover all available pages before exploring further.

# ECS Container Logs with AWS FireLens

> Route Amazon ECS container logs directly to Bronto using AWS FireLens with Fluent Bit, skipping CloudWatch and reducing AWS log ingestion costs.

## When to Use FireLens

FireLens is a good fit when you are running workloads on ECS and want to:

* Ship container `stdout` / `stderr` logs directly to Bronto without going through CloudWatch
* Keep your setup **log-focused** without the overhead of an OTel pipeline
* Use AWS's native ECS log routing rather than managing a separate collector

If you also need **traces** from your ECS workloads, consider [ADOT](./aws-adot) instead, which handles both logs and traces in a single pipeline.

***

## Supported AWS Services

FireLens routes logs from containers running in:

| Service                      | Log type                      |
| ---------------------------- | ----------------------------- |
| Amazon ECS (EC2 launch type) | Container `stdout` / `stderr` |
| AWS Fargate                  | Container `stdout` / `stderr` |

FireLens is ECS-specific. For EKS container logs, use [Fluent Bit on EKS](./aws-fluent-bit-eks). For Lambda or other AWS services, see the [overview](./aws-overview).

***

## What is FireLens?

[AWS FireLens](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html) is an ECS log routing feature that uses a Fluent Bit (or Fluentd) sidecar container as a log driver. Container logs are piped from your application containers directly to the FireLens sidecar, which forwards them to Bronto using JSON Lines over HTTPS.

FireLens runs as a sidecar in the same ECS task. No separate infrastructure is required.

***

## Bronto Ingestion Endpoint

FireLens uses Fluent Bit's `http` output, which sends JSON Lines to the Bronto base endpoint (no path):

| Region | Endpoint                 |
| ------ | ------------------------ |
| EU     | `ingestion.eu.bronto.io` |
| US     | `ingestion.us.bronto.io` |

<Note>
  This is different from the OTLP endpoints (`/v1/logs`, `/v1/traces`), which accept only protobuf and require an OTel-compatible agent. Fluent Bit's `http` output uses JSON Lines and must target the base endpoint.
</Note>

All requests require the header:

```
x-bronto-api-key: <YOUR_API_KEY>
```

See [API Keys](/Account-Management/API-Keys) for how to generate a key.

***

## Setup

### Step 1 — Add the FireLens sidecar to your task definition

Add a `log_router` container using the AWS-provided Fluent Bit image. This container acts as the log driver for all other containers in the task.

```json theme={"dark"}
{
  "name": "log-router",
  "image": "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable",
  "essential": true,
  "firelensConfiguration": {
    "type": "fluentbit",
    "options": {
      "enable-ecs-log-metadata": "true"
    }
  }
}
```

### Step 2 — Configure Fluent Bit to forward to Bronto

Pass a custom Fluent Bit configuration to the sidecar via an S3 object or SSM Parameter Store. The output section targets Bronto's base ingestion endpoint using JSON Lines format.

For the full Fluent Bit configuration reference and output options, see the [Fluent Bit setup guide](/agent-setup/fluent-bit).

```ini theme={"dark"}
[OUTPUT]
    Name              http
    Match             *
    Host              ingestion.<REGION>.bronto.io
    Port              443
    Format            json_lines
    Compress          gzip
    tls               On
    tls.verify        On
    Header            x-bronto-api-key <YOUR_API_KEY>
    Header            x-bronto-dataset <YOUR_DATASET_NAME>
    Header            x-bronto-collection <YOUR_COLLECTION_NAME>
```

Replace `<REGION>` with `eu` or `us`.

### Step 3 — Point your application containers at FireLens

Update the `logConfiguration` of each application container to use the `awsfirelens` log driver:

```json theme={"dark"}
{
  "logConfiguration": {
    "logDriver": "awsfirelens",
    "options": {
      "Name": "http",
      "Host": "ingestion.<REGION>.bronto.io",
      "Port": "443",
      "Format": "json_lines",
      "Compress": "gzip",
      "tls": "On",
      "tls.verify": "On",
      "Header": "x-bronto-api-key <YOUR_API_KEY>"
    }
  }
}
```

***

## Data Organization

Set the recommended headers in your Fluent Bit `[OUTPUT]` block to control how data lands in Bronto — see [Data Organization](/Search-and-Visualize/Partitions) for how datasets, collections, and tags work.

| Header                | Description                              |
| --------------------- | ---------------------------------------- |
| `x-bronto-dataset`    | Dataset to ingest into                   |
| `x-bronto-collection` | Collection name                          |
| `x-bronto-tags`       | Comma-separated tags to attach to events |

```ini theme={"dark"}
[OUTPUT]
    Name              http
    Match             *
    Host              ingestion.<REGION>.bronto.io
    Port              443
    Format            json_lines
    Compress          gzip
    tls               On
    tls.verify        On
    Header            x-bronto-api-key <YOUR_API_KEY>
    Header            x-bronto-dataset <YOUR_DATASET_NAME>
    Header            x-bronto-collection <YOUR_COLLECTION_NAME>
    Header            x-bronto-tags env=prod,team=platform
```

To route different containers in the same task to different datasets, define multiple `[OUTPUT]` blocks with different `Match` patterns and per-output `Header` directives.

***

## Cost Notes

* **No CloudWatch ingestion fees** — logs go directly from FireLens to Bronto.
* You pay only for the ECS task compute running the FireLens sidecar, which is negligible.
* Compare with [CloudWatch Log Forwarder](./aws-client-cloudwatch) if your services already write to CloudWatch.

***

For assistance, contact [support@bronto.io](mailto:support@bronto.io).