Get AWS CloudTrail log to Kibana

Is there a better solution or tool for getting AWS CloudTrail logs into Kibana? Here I am using AWS's Elasticsearch Service.
This is the logstash input I use on 1.4.2. It works well, although I suspect it is noisy (it makes a lot of S3 GET/HEAD/LIST requests).

    input {
      s3 {
        bucket => "bucketname"
        delete => false
        interval => 60 # seconds
        prefix => "cloudtrail/"
        type => "cloudtrail"
        codec => "cloudtrail"
        credentials => "/etc/logstash/s3_credentials.ini"
        sincedb_path => "/opt/logstash_cloudtrail/sincedb"
      }
    }
    filter {
      if [type] == "cloudtrail" {
        mutate {
          gsub => [ "eventSource", "\.amazonaws\.com$", "" ]
          add_field => {
            "document_id" => "%{eventID}"
          }
        }
        if ! [ingest_time] {
          ruby {
            code => "event['ingest_time'] = Time.now.utc.strftime '%FT%TZ'"
          }
        }
        ruby {
          code => "event.cancel if (Time.now.to_f - event['@timestamp'].to_f) > (60 * 60 * 24 * 1)"
        }
        ruby {
          code => "event['ingest_delay_hours'] = (Time.now.to_f - event['@timestamp'].to_f) / 3600"
        }
        # drop events more than a day old, we're probably catching up very poorly
        if [ingest_delay_hours] > 24 {
          drop {}
        }
        # example of an event that is noisy and I don't care about
        if [eventSource] == "elasticloadbalancing" and [eventName] == "describeInstanceHealth" and [userIdentity.userName] == "deploy-s3" {
          drop {}
        }
      }
    }

The .ini format is explained on the s3 input page; it is just this:

    AWS_ACCESS_KEY_ID=
    AWS_SECRET_ACCESS_KEY=

I also have a search that posts its results to our #chatops, but I have not included it here.
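The filter block in the answer above does four things to every CloudTrail record before it reaches Elasticsearch: it strips the `.amazonaws.com` suffix from `eventSource`, sets `document_id` to the record's `eventID` so that re-reading the same S3 object re-indexes rather than duplicates, records how late the event arrived, and drops events that are either more than a day old or match a known-noisy polling rule. The following Python script is an added example (not code from the answer or from logstash) that applies the same logic to a CloudTrail log file in the `{"Records": [...]}` format the S3 input reads. The sample file, the account-free record contents and the `process_cloudtrail_file`/`enrich` names are constructed for this example; `now` is injectable so the age check is reproducible.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail log file (same shape as the files the
# s3 input reads; every value below is made up for this example).
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {   # recent event: should be kept
            "eventVersion": "1.05",
            "eventTime": "2015-06-01T12:00:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "eventID": "11111111-2222-3333-4444-555555555555",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
        },
        {   # stale event (more than a day old at "now"): should be dropped
            "eventVersion": "1.05",
            "eventTime": "2015-05-01T12:00:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "eventID": "66666666-7777-8888-9999-000000000000",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
        },
        {   # noisy polling event matching the answer's drop rule: should be dropped
            "eventVersion": "1.05",
            "eventTime": "2015-06-01T23:00:00Z",
            "eventSource": "elasticloadbalancing.amazonaws.com",
            "eventName": "describeInstanceHealth",
            "eventID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "userIdentity": {"type": "IAMUser", "userName": "deploy-s3"},
        },
    ]
})

# (eventSource, eventName, userIdentity.userName) triples treated as noise.
# The single entry mirrors the drop rule in the logstash filter above.
NOISY_RULES = [("elasticloadbalancing", "describeInstanceHealth", "deploy-s3")]

MAX_AGE_HOURS = 24  # same cut-off as the filter's "more than a day old" check


def normalize_event_source(source):
    """Strip a trailing '.amazonaws.com', as the mutate/gsub step does."""
    suffix = ".amazonaws.com"
    return source[:-len(suffix)] if source.endswith(suffix) else source


def parse_event_time(value):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_noisy(doc):
    """True if the (already normalized) document matches a NOISY_RULES entry."""
    user = doc.get("userIdentity", {}).get("userName")
    return (doc["eventSource"], doc["eventName"], user) in NOISY_RULES


def enrich(record, now):
    """Return the document to index, or None if the filter would drop it."""
    doc = dict(record)
    doc["eventSource"] = normalize_event_source(record["eventSource"])
    doc["document_id"] = record["eventID"]  # stable id makes re-indexing idempotent
    doc["ingest_time"] = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    delay_hours = (now - parse_event_time(record["eventTime"])).total_seconds() / 3600
    doc["ingest_delay_hours"] = delay_hours
    if delay_hours > MAX_AGE_HOURS or is_noisy(doc):
        return None
    return doc


def process_cloudtrail_file(text, now=None):
    """Parse one CloudTrail log file and return the documents to index."""
    now = now or datetime.now(timezone.utc)
    records = json.loads(text)["Records"]
    return [d for d in (enrich(r, now) for r in records) if d is not None]


if __name__ == "__main__":
    # Fixed "now" so the constructed 2015 sample is not all considered stale.
    fixed_now = parse_event_time("2015-06-02T00:00:00Z")
    for doc in process_cloudtrail_file(SAMPLE_CLOUDTRAIL, now=fixed_now):
        print(doc["document_id"], doc["eventSource"], doc["eventName"],
              "delay_h=%.1f" % doc["ingest_delay_hours"])
```

Running it with the fixed timestamp keeps only the `RunInstances` record; the `CreateUser` record is discarded for age and the load-balancer health poll for matching the noise rule. Keeping `ingest_delay_hours` on the indexed documents is worth the extra field: a rising value in Kibana is the earliest sign that the S3 poller is falling behind.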
If you haven't tried it yet, you can use CloudTrail together with CloudWatch Logs. Then use CloudWatch Logs to create a subscription that sends the CloudTrail data to Elasticsearch.

Once that is done, you should be able to define a time-based Kibana index starting with cwl*.

Cheers -
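The CloudWatch Logs subscription route in the answer above delivers each batch to its destination as a single `awslogs.data` field containing a gzip-compressed, base64-encoded JSON payload with a `logEvents` array, where every `message` is one CloudTrail record as JSON. The Python below is an added example (not AWS's or the answer's code) of the decode-and-reshape step that sits between the subscription and Elasticsearch: it builds a constructed payload of that shape, decodes it, and turns the records into Elasticsearch bulk-API lines under daily `cwl-YYYY.MM.DD` indices so that they match the `cwl*` index pattern mentioned. The `cwl-` prefix, the log group and stream names, the account id and the record contents are assumptions made up for the example; the `CONTROL_MESSAGE` handling covers the health-check batch CloudWatch Logs sends when the subscription is first created, which carries no CloudTrail data and must not be indexed.

```python
import base64
import gzip
import json

# Constructed CloudTrail records (values made up for this example).
SAMPLE_RECORDS = [
    {"eventTime": "2015-06-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "eventID": "id-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-06-02T01:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventID": "id-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def build_subscription_event(log_group, log_stream, records):
    """Build an event of the shape a CloudWatch Logs subscription delivers.

    Constructed here so the example runs offline; in production the event
    arrives from CloudWatch Logs and only decode_subscription_event() is needed.
    """
    payload = {
        "messageType": "DATA_MESSAGE",
        "owner": "123456789012",  # placeholder account id
        "logGroup": log_group,
        "logStream": log_stream,
        "subscriptionFilters": ["cloudtrail-to-es"],  # assumed filter name
        "logEvents": [
            {"id": str(i), "timestamp": 1433160000000 + i, "message": json.dumps(r)}
            for i, r in enumerate(records)
        ],
    }
    raw = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(raw).decode("ascii")}}


def decode_subscription_event(event):
    """Reverse the base64 + gzip wrapping and return the payload dict."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def to_bulk_actions(payload, index_prefix="cwl-"):
    """Turn a decoded payload into Elasticsearch bulk-API NDJSON.

    Each CloudTrail record goes to a daily index named <prefix>YYYY.MM.DD,
    derived from the record's own eventTime, with eventID as the document id
    so redelivered batches overwrite rather than duplicate. Returns "" for
    CONTROL_MESSAGE batches, which carry no log data.
    """
    if payload.get("messageType") != "DATA_MESSAGE":
        return ""
    lines = []
    for ev in payload["logEvents"]:
        record = json.loads(ev["message"])
        day = record["eventTime"][:10].replace("-", ".")
        action = {"index": {"_index": index_prefix + day, "_id": record["eventID"]}}
        doc = dict(record)
        doc["@timestamp"] = record["eventTime"]   # time field for the Kibana index
        doc["@log_group"] = payload["logGroup"]   # keep provenance of the batch
        lines.append(json.dumps(action))
        lines.append(json.dumps(doc))
    return "".join(line + "\n" for line in lines)


SAMPLE_EVENT = build_subscription_event("CloudTrail/DefaultLogGroup", "stream-1", SAMPLE_RECORDS)

if __name__ == "__main__":
    print(to_bulk_actions(decode_subscription_event(SAMPLE_EVENT)), end="")
```

The bulk body this produces is what gets POSTed to the domain's `_bulk` endpoint; indexing by the record's `eventTime` rather than the delivery time keeps late batches in the index for the day the activity happened, which is what you want when searching CloudTrail in Kibana.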