
Get AWS CloudTrail logs into Kibana


Is there a better solution or tool for getting AWS CloudTrail logs into Kibana? I am using AWS's Elasticsearch Service here.

This is the logstash input I use with 1.4.2. It works well, although I suspect it is noisy (it needs a lot of S3 GET / HEAD / LIST requests).

input {
  s3 {
    bucket => "bucketname"
    delete => false
    interval => 60 # seconds
    prefix => "cloudtrail/"
    type => "cloudtrail"
    codec => "cloudtrail"
    credentials => "/etc/logstash/s3_credentials.ini"
    sincedb_path => "/opt/logstash_cloudtrail/sincedb"
  }
}

filter {
  if [type] == "cloudtrail" {
    mutate {
      # "ec2.amazonaws.com" -> "ec2"
      gsub => [ "eventSource", "\.amazonaws\.com$", "" ]
      # reuse the CloudTrail eventID as the ES document id so re-read files overwrite instead of duplicating
      add_field => {
        "document_id" => "%{eventID}"
      }
    }
    if ! [ingest_time] {
      ruby {
        code => "event['ingest_time'] = Time.now.utc.strftime '%FT%TZ'"
      }
    }
    ruby {
      code => "event.cancel if (Time.now.to_f - event['@timestamp'].to_f) > (60 * 60 * 24 * 1)"
    }
    ruby {
      code => "event['ingest_delay_hours'] = (Time.now.to_f - event['@timestamp'].to_f) / 3600"
    }

    # drop events more than a day old, we're probably catching up very poorly
    if [ingest_delay_hours] > 24 {
      drop {}
    }

    # example of an event that is noisy and I don't care about
    # (nested fields use [outer][inner] syntax in logstash conditionals)
    if [eventSource] == "elasticloadbalancing" and [eventName] == "describeInstanceHealth" and [userIdentity][userName] == "deploy-s3" {
      drop {}
    }
  }
}

Note: the .ini format is explained on the s3 input page; it is just this:

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=

I also have a search that sends results to our #chatops, but I have not posted it here.
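As an added example (not part of the answer above), the same filter logic expressed in plain Python over a CloudTrail log file: CloudTrail delivers gzipped JSON with a top-level "Records" array, and this reproduces the eventSource rewrite, the document_id assignment, the ingest-delay stamp, the 24-hour stale-event drop and the noisy-event drop from the logstash config. The sample file, user names and timestamps are constructed for the demonstration.

```python
import gzip
import io
import json
import re
from datetime import datetime, timezone

MAX_AGE_HOURS = 24
# (eventSource, eventName, userIdentity.userName) tuples treated as noise, as in the config
NOISY = {("elasticloadbalancing", "describeInstanceHealth", "deploy-s3")}


def parse_cloudtrail_file(raw: bytes) -> list:
    """CloudTrail log files are gzipped JSON objects with a 'Records' array."""
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        return json.load(gz)["Records"]


def transform(record: dict, now: datetime):
    """Return the enriched document, or None if the event should be dropped."""
    doc = dict(record)
    # "ec2.amazonaws.com" -> "ec2" (the gsub in the mutate filter)
    doc["eventSource"] = re.sub(r"\.amazonaws\.com$", "", doc.get("eventSource", ""))
    # stable id so a re-read S3 object overwrites rather than duplicates the event
    doc["document_id"] = doc["eventID"]
    event_time = datetime.strptime(doc["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    doc["ingest_time"] = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    doc["ingest_delay_hours"] = (now - event_time).total_seconds() / 3600
    if doc["ingest_delay_hours"] > MAX_AGE_HOURS:
        return None  # stale: we are catching up poorly, drop it
    user = doc.get("userIdentity", {}).get("userName")
    if (doc["eventSource"], doc["eventName"], user) in NOISY:
        return None
    return doc


def process(raw: bytes, now: datetime) -> list:
    return [d for d in (transform(r, now) for r in parse_cloudtrail_file(raw)) if d]


def sample_file() -> bytes:
    """Constructed CloudTrail-style log file (not real data): one good, one stale, one noisy event."""
    records = [
        {"eventID": "id-1", "eventTime": "2020-01-01T00:30:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "RunInstances", "userIdentity": {"userName": "alice"}},
        {"eventID": "id-2", "eventTime": "2019-12-30T00:00:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "GetObject", "userIdentity": {"userName": "bob"}},
        {"eventID": "id-3", "eventTime": "2020-01-01T00:50:00Z",
         "eventSource": "elasticloadbalancing.amazonaws.com", "eventName": "describeInstanceHealth",
         "userIdentity": {"userName": "deploy-s3"}},
    ]
    return gzip.compress(json.dumps({"Records": records}).encode())


NOW = datetime(2020, 1, 1, 1, 0, tzinfo=timezone.utc)  # constructed "current time"
```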

If you have not tried it yet, you can use CloudTrail together with CloudWatch Logs. Then create a CloudWatch Logs subscription to send the CloudTrail data to Elasticsearch.

Once that is done, you should be able to define a time-based Kibana index starting with cwl*.

Cheers -
