---
title: Log Aggregation and Intelligent Sampling with CloudWatch and OpenTelemetry
description: Ingesting every debug log to CloudWatch is how observability becomes a FinOps incident. Tail sampling with ADOT, Logs Insights, and Firehose to S3 for the long tail.
url: https://www.factualminds.com/blog/log-aggregation-sampling-cloudwatch-otel-aws/
datePublished: 2026-06-12T00:00:00.000Z
dateModified: 2026-06-12T00:00:00.000Z
author: Palaniappan P
category: DevOps & CI/CD
tags: engineering-guide, observability, cloudwatch, opentelemetry, aws
---

# Log Aggregation and Intelligent Sampling with CloudWatch and OpenTelemetry

> Ingesting every debug log to CloudWatch is how observability becomes a FinOps incident. Tail sampling with ADOT, Logs Insights, and Firehose to S3 for the long tail.

**CloudWatch Logs ingestion (June 2026)** bills per GB. For a mid-market SaaS we benchmarked, **100% trace/log correlation** without sampling destroyed margins on a $40k/mo observability line item.

## Aggregation architecture

1. **App** → structured JSON (correlation ID)
2. **ADOT collector** → tail sampling (keep errors + slow)
3. **CloudWatch Logs** hot path + **Firehose** → S3/Glue for audit

## Sampling rules

- Always keep: `level=ERROR`, `http.status>=500`, latency > SLO
- Sample info: 1–5% baseline
- Never sample security audit events
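The rules above as a keep/drop decision over structured JSON log lines. This is an added example, not code from the original post or from ADOT; the field names `latency_ms`, `event.category` and `correlation_id`, the 500 ms SLO and the fail-open handling of unparseable lines are assumptions.

```python
import hashlib
import json

SLO_MS = 500          # assumed latency SLO; the page does not give one
BASELINE_RATE = 0.05  # upper end of the 1-5% baseline

def keep_reason(rec, rate=BASELINE_RATE, slo_ms=SLO_MS):
    """Return the rule that keeps this record, or None to drop it."""
    # Audit events are matched first so no later rule can ever drop them.
    if rec.get("event.category") == "audit":        # assumed field name
        return "audit"
    if rec.get("level") == "ERROR":
        return "error"
    if int(rec.get("http.status", 0)) >= 500:
        return "5xx"
    if float(rec.get("latency_ms", 0)) > slo_ms:    # assumed field name
        return "slow"
    # Hash the correlation ID into [0, 2**64): every line of one request
    # gets the same decision, so sampled requests stay complete.
    cid = str(rec.get("correlation_id", "")).encode()
    bucket = int.from_bytes(hashlib.sha256(cid).digest()[:8], "big")
    return "baseline" if bucket < rate * 2**64 else None

def sample(lines, **kw):
    """Return (line, reason) for every line that should be ingested."""
    kept = []
    for line in lines:
        try:
            reason = keep_reason(json.loads(line), **kw)
        except (ValueError, TypeError, AttributeError):
            reason = "unparseable"  # fail open: keep what cannot be classified
        if reason:
            kept.append((line, reason))
    return kept

# Constructed sample input, not taken from a real system.
SAMPLE = [
    '{"level":"INFO","http.status":200,"latency_ms":12,"correlation_id":"r1"}',
    '{"level":"ERROR","http.status":200,"latency_ms":15,"correlation_id":"r2"}',
    '{"level":"INFO","http.status":503,"latency_ms":20,"correlation_id":"r3"}',
    '{"level":"INFO","http.status":200,"latency_ms":900,"correlation_id":"r4"}',
    '{"level":"INFO","event.category":"audit","correlation_id":"r5"}',
    'not json at all',
]

if __name__ == "__main__":
    for line, reason in sample(SAMPLE):
        print(reason, line)
```

Hashing the correlation ID instead of drawing a random number per line is what keeps a sampled request's lines together for later incident search.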

## Logs Insights

Use Logs Insights for incident search, not as the primary metrics store; pair it with the [cardinality guide](/blog/prometheus-cardinality-explosion-amp-cloudwatch-cost-control/).

## What to do this week

1. Enable ADOT tail sampling processor in collector config.
2. Set log retention tiers (7d hot, 90d S3).
3. Dashboard ingestion GB/day with anomaly detection.

## What this guide doesn't cover

Full OTel stack setup; see the canonical part 1 post in this track.

---

*Source: https://www.factualminds.com/blog/log-aggregation-sampling-cloudwatch-otel-aws/*
