
Parse amazon cloudwatch RDS audit log for user

I am working with RDS Audit logs and trying to parse out the username with a log query. The data in the audit for the @message column looks like this: 1234567890,rds-instance-name,rdsadmin,localhost,123,0,CONNECT,,,0

I would like to aggregate the counts for the various entries in the logs but I don't know how to parse the username out of the @message column. In the example above the username is rdsadmin.

Here is the query I have so far:

# Only CONNECT events, case-insensitive
fields @timestamp, @message
| filter @message like /(?i)(connect)/
# Pull the first dotted-quad out of the message as @ip
| parse @message /(?<@ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
| stats count() AS counter by @user, @ip
# sort must use the alias exactly as declared (counter, not @counter)
| sort by @user desc, counter desc
| limit 50

Would a regex be able to parse the third value in the comma separated string?

This appears to be working, though maybe not the best way:

fields @timestamp, @message
| filter @message like /(?i)(CONNECT)/
# Glob parse: skip the first field, then capture the 2nd (serverhost) and 3rd (username) fields
| parse @message ',*,*,' as @instance,@user
| parse @message /(?<@ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
| stats count() AS counter by @user, @ip
# sort by the alias as declared (counter, not @counter)
| sort by @user desc, counter desc
| limit 50
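To answer the "would a regex parse the third value" question directly, yes: a positional pattern such as `^[^,]*,[^,]*,(?<@user>[^,]*),(?<@host>[^,]*),` captures the username and host columns without depending on an IP-shaped host (the glob above leaves `@ip` empty for `localhost` connections). The script below is an added example, not part of the original question or answer: it applies the same positional regex to constructed MariaDB audit plugin lines (the format RDS for MySQL/MariaDB writes to CloudWatch), then aggregates CONNECT events per user/host the way `stats count() by @user, @ip` does, splitting successful logins from failed ones via the trailing retcode column. The QUERY line in the sample is there to show why a plain comma split is unsafe for the later columns: the object field carries quoted SQL that itself contains commas, so the csv module is used for full-row parsing. The column names, sample users and hosts are assumptions for illustration.

```python
"""Parse RDS (MariaDB audit plugin) audit lines and count CONNECT events per user/host."""
import csv
import re
from collections import Counter

# Column layout of the MariaDB audit plugin output (assumed here; matches the
# 10-field line shown in the question):
# timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
FIELDS = ("timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode")

# Positional regex: skip two comma-separated fields, capture fields 3 and 4.
# The named groups mirror the (?<@user>...) form CloudWatch Logs Insights accepts.
USER_HOST_RE = re.compile(r"^[^,]*,[^,]*,(?P<user>[^,]*),(?P<host>[^,]*),")

# Constructed sample lines (not real RDS output). Note the QUERY row: its object
# column is single-quoted SQL containing commas.
SAMPLE_LOG = """\
1234567890,rds-instance-name,rdsadmin,localhost,123,0,CONNECT,,,0
1234567891,rds-instance-name,appuser,10.0.1.25,124,0,CONNECT,,,0
1234567892,rds-instance-name,appuser,10.0.1.25,124,7,QUERY,appdb,'SELECT a, b FROM t WHERE id = 1',0
1234567893,rds-instance-name,appuser,10.0.1.26,125,0,CONNECT,,,0
1234567894,rds-instance-name,baduser,10.0.9.9,126,0,CONNECT,,,1045
1234567895,rds-instance-name,rdsadmin,localhost,127,0,DISCONNECT,,,0
"""


def user_and_host(line):
    """Return (username, host) via the positional regex, or None if the line does not fit."""
    m = USER_HOST_RE.match(line)
    return (m.group("user"), m.group("host")) if m else None


def parse_line(line):
    """Parse one full audit line into a dict keyed by FIELDS.

    The object column is single-quoted and may contain commas, so use csv
    with quotechar="'" rather than str.split(",").
    """
    row = next(csv.reader([line], quotechar="'"))
    if len(row) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(row)}: {line!r}")
    return dict(zip(FIELDS, row))


def connect_counts(log_text):
    """Count CONNECT events per (username, host), like `stats count() by @user, @ip`.

    Returns (successful, failed): two Counters keyed by (username, host).
    retcode 0 means the login succeeded; anything else (e.g. 1045, access
    denied) is a failed attempt, which is the row a detection rule cares about.
    """
    successful, failed = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["operation"].upper() != "CONNECT":
            continue
        key = (rec["username"], rec["host"])
        (successful if rec["retcode"] == "0" else failed)[key] += 1
    return successful, failed


if __name__ == "__main__":
    ok, bad = connect_counts(SAMPLE_LOG)
    print("successful CONNECTs by (user, host):")
    for (user, host), n in sorted(ok.items(), key=lambda kv: (-kv[1], kv[0])):
        print(f"  {user:<10} {host:<12} {n}")
    print("failed CONNECTs by (user, host):")
    for (user, host), n in bad.items():
        print(f"  {user:<10} {host:<12} {n}")
```

Keying on the host column rather than a dotted-quad regex keeps `localhost` and hostname-based connections in the aggregation instead of collapsing them into an empty `@ip` bucket, and counting non-zero retcodes separately turns the same query into a cheap brute-force or credential-stuffing signal.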
