How it works...

It's important that you understand the difference between log streams and log groups.

Log streams are sequences of log entries that come from a single source. This could be an EC2 instance, an application process, or another source within AWS. In our case, the name of our log stream is the ID of our EC2 instance. In fact, the CloudWatch logs agent will set the log_stream_name to the instance ID by default.

Log groups are collections of log streams with the same properties. In our previous example, the log group corresponds to /var/log/secure. So, we end up with a configuration that looks like this:

      log_group_name = /var/log/secure
      log_stream_name = {instance_id}

When you install the CloudWatch logs agent, it actually sets up /var/log/messages in exactly the same manner as we've just described:

      log_group_name = /var/log/messages
      log_stream_name = {instance_id}

Once the agent has started, it will ship new log entries off the box to CloudWatch logs approximately every 5 seconds.
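The following is an added example, not code from the book: a small audit that reads an agent configuration and reports which log group and stream each file lands in, flagging required logs that are not shipped and stream names that are not per-instance. The sample configuration, the `audit` function, the `REQUIRED_FILES` policy and the instance ID are assumptions made for illustration; the `file`, `datetime_format` and `state_file` keys are standard agent settings that the text above does not show.

```python
import configparser

# Constructed sample in the agent's INI layout (not taken from the book).
SAMPLE_CONF = """
[general]
state_file = /var/lib/awslogs/agent-state

[/var/log/messages]
file = /var/log/messages
log_group_name = /var/log/messages
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S

[/var/log/secure]
file = /var/log/secure
log_group_name = /var/log/secure
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
"""

REQUIRED_FILES = {"/var/log/messages", "/var/log/secure"}  # assumed policy


def audit(conf_text, instance_id):
    """Return ({file: (group, stream)}, [findings]) for an agent config."""
    # interpolation=None: datetime_format values contain literal '%'.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    mappings, findings = {}, []
    for name in parser.sections():
        if name == "general":
            continue
        opts = parser[name]
        path, group = opts.get("file"), opts.get("log_group_name")
        # Per the text, the agent defaults the stream name to the instance ID.
        stream = opts.get("log_stream_name", "{instance_id}")
        if not path or not group:
            findings.append(f"[{name}] missing file or log_group_name")
            continue
        if "{instance_id}" not in stream:
            findings.append(f"[{name}] stream '{stream}' is not per-instance")
        mappings[path] = (group, stream.replace("{instance_id}", instance_id))
    for path in sorted(REQUIRED_FILES - set(mappings)):
        findings.append(f"{path} is not shipped to CloudWatch Logs")
    return mappings, findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "i-0123456789abcdef0"))  # constructed instance ID
```

A literal stream name is flagged because every instance using that configuration would write into the same stream of the group, so entries could no longer be attributed to a single host.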
