Pivotal Knowledge Base


Unable to Access Pivotal Cloud Foundry Logs in AWS


  • Pivotal Cloud Foundry® (PCF) 1.8.x, 1.9.x, 1.10.x, 1.11.x, and 1.12.x
  • Information as a Service - Amazon Web Services


The following issue arises when trying to access the PCF logs via the CF CLI utility in AWS environments:

Error dialing traffic controller server: websocket: bad handshake

The Loggregator is responsible for streaming logs and metrics from all user apps and system components in Elastic Runtime.

These logs are made available via Doppler, the Loggregator's primary transport mechanism. Logs are streamed from the Loggregator's traffic controller using the HTTP WebSocket Protocol (WSS).

This article explains how to alleviate this issue when accessing PCF logs via the CF CLI.


When running "cf logs", you are connecting to the application logging subsystem called Loggregator. The error shown above occurs when this connection fails.


To see what your Doppler logging endpoint is currently set to, run the following command:

$ cf curl /v2/info | jq .doppler_logging_endpoint

By default, in AWS the Loggregator is listening on TCP port 4443. In order to connect to this port and retrieve logs, you will need to allow the ingress of traffic on TCP port 4443 to your PCF environment.

In the EC2 Dashboard, select Security Groups and check whether the security group PCF_ELB_SecurityGroup exists and has the inbound rule described in step 4 below. If it does not, add it as follows.

Log into your AWS console and add the following security group:

  1. On the EC2 Dashboard, go to Security Groups > Create Security Group.
  2. Enter a security group name and description: PCF_ELB_SecurityGroup.
  3. Select the VPC to which to deploy the ELB.
  4. Click the "Inbound" tab and add rules to allow traffic to port 4443 from

This allows you to connect to Loggregator via the WebSocket Protocol, which provides access to the logs.
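The check above can also be run against saved CLI output. The following is an added example, not part of the original article or of Pivotal's tooling: it reads the port from doppler_logging_endpoint and lists which sources the security group admits on that port, so both a missing rule and an overly broad source are visible. The JSON samples are constructed, the hostname is a placeholder, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of `cf curl /v2/info` output (hostname is a placeholder).
CF_INFO = '{"doppler_logging_endpoint": "wss://doppler.system.example.com:4443"}'

# Constructed sample of `aws ec2 describe-security-groups` output.
SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupName": "PCF_ELB_SecurityGroup",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]}]})


def doppler_port(info_json):
    """Port of doppler_logging_endpoint; falls back to the scheme default."""
    url = urlsplit(json.loads(info_json)["doppler_logging_endpoint"])
    if url.port is not None:
        return url.port
    return 443 if url.scheme in ("wss", "https") else 80


def sources_allowed(sg_json, group_name, port):
    """Sources allowed to reach TCP `port`; None if the group does not exist."""
    groups = [g for g in json.loads(sg_json)["SecurityGroups"]
              if g.get("GroupName") == group_name]
    if not groups:
        return None
    sources = []
    for perm in groups[0].get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" means all protocols and ports; such rules carry no FromPort/ToPort.
        covered = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))
        if covered:
            sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return sources


if __name__ == "__main__":
    port = doppler_port(CF_INFO)
    found = sources_allowed(SG_JSON, "PCF_ELB_SecurityGroup", port)
    print(port, "security group missing" if found is None else found or "no inbound rule")
```

With the constructed sample the group exists but has no rule covering TCP 4443, which is the situation this article addresses.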

Additional Information

Security Groups - You can change the to be more restrictive if you want finer control over what can reach the Elastic Runtime. This security group governs external access to the Elastic Runtime from applications such as the CF CLI and application URLs.

Loggregator - The Loggregator port can be set via the Elastic Runtime Tile under the Networking tab.


