I understand you have created a CloudWatch data protection policy pointed at a CloudWatch log group, configured it to write audit findings to another CloudWatch log group, and would like to know how to find the corresponding log (audit) in the actual log group.
The following can be achieved by using CloudWatch Logs Insights [1], specifically filtering using the email address along with the group-by time, @logStream, ingestion time (original log group) and the timestamp (audit log group) [2].
Sample for original log group:
fields @timestamp, @message, unmask(@message), @logStream | sort @timestamp desc | limit 20
It was noted that the audit log won't show the email which triggered the data protection finding, but by looking at the @ingestionTime from the above query result, it can be compared against the auditTimestamp, which should match.
I am positive this helps. Let me know if I answered your question by upvoting my response or if you have any follow-up.
Kind regards, Muhammad
References:
[1] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html
[2] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html
[3] https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html
In practice, this query seems to work to do the above process. It requires manually changing timestamp values since CloudWatch Logs Insights doesn't seem to support converting or linking across log groups.
# 1) find auditTimestamp in the data protection audit logs
# 2) convert the auditTimestamp to epoch milliseconds manually, e.g. in Node via +new Date("<insert auditTimestamp here>")
# 3) change the timestamp value below to the audit log timestamp value from step 2
fields @ingestionTime, @timestamp, @message, unmask(@message), @logStream, tomillis(@ingestionTime) as ingestMillis
| filter ingestMillis > 1695665857000 - 1000
and ingestMillis < 1695665857000 + 1000
| sort @timestamp desc
| limit 20
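The manual steps in both answers above (read auditTimestamp from the audit finding, convert it to epoch milliseconds, then query the original log group in a one-second window around that value) can be scripted. The following is an added example, not code from either poster or from AWS: it converts the timestamp exactly (including fractional seconds, where the Node one-liner would round), emits the same Logs Insights query with the window filled in, and filters a set of constructed original-log records the way the query would. The shape of the audit finding (auditTimestamp, resourceArn, dataIdentifiers with name/count/detections) is assumed from the AWS documentation and the sample values are made up; the extra check that a candidate record contains at least as many email-looking substrings as the finding counted is a heuristic added here, since the audit record itself never shows the email.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of a data protection audit finding, in the shape the audit
# log group receives (field names assumed from the AWS docs; values are made up).
SAMPLE_FINDING = json.dumps({
    "auditTimestamp": "2023-09-25T18:17:37Z",
    "resourceArn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/orders:*",
    "dataIdentifiers": [
        {"name": "EmailAddress", "count": 1, "detections": [{"start": 12, "end": 32}]}
    ],
})

# Constructed sample of records from the original log group, as an Insights query
# with unmask(@message) would return them: ingestion time in epoch ms, stream, message.
SAMPLE_RECORDS = [
    {"ingestionTime": 1695665856200, "logStream": "web-1", "message": "healthcheck ok"},
    {"ingestionTime": 1695665857310, "logStream": "web-2", "message": "new signup: jane.doe@example.com"},
    {"ingestionTime": 1695665859900, "logStream": "web-2", "message": "contact: bob@example.org"},
]

# Loose email matcher, only used to rank candidates inside the time window.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_timestamp_to_millis(ts: str) -> int:
    """Convert an ISO-8601 auditTimestamp such as 2023-09-25T18:17:37Z to epoch ms.

    Replaces the manual `+new Date(...)` step. Integer arithmetic keeps fractional
    seconds exact instead of going through a float multiply.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat a naive timestamp as UTC, which is what CloudWatch emits
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


def build_correlation_query(audit_millis: int, window_ms: int = 1000, limit: int = 20) -> str:
    """Return the Logs Insights query from the post with the +/- window filled in."""
    return (
        "fields @ingestionTime, @timestamp, @message, unmask(@message), @logStream, "
        "tomillis(@ingestionTime) as ingestMillis\n"
        f"| filter ingestMillis > {audit_millis - window_ms} "
        f"and ingestMillis < {audit_millis + window_ms}\n"
        "| sort @timestamp desc\n"
        f"| limit {limit}"
    )


def correlate(finding_json: str, records, window_ms: int = 1000):
    """Return original-log records ingested within +/- window_ms of the finding.

    When the finding counted EmailAddress detections, additionally require that
    many email-looking substrings in the unmasked message (heuristic added here).
    """
    finding = json.loads(finding_json)
    audit_ms = audit_timestamp_to_millis(finding["auditTimestamp"])
    wanted = sum(d["count"] for d in finding["dataIdentifiers"] if d["name"] == "EmailAddress")
    hits = []
    for rec in records:
        if abs(rec["ingestionTime"] - audit_ms) >= window_ms:
            continue  # outside the window the query would select
        if wanted and len(EMAIL_RE.findall(rec["message"])) < wanted:
            continue  # in the window but cannot be the event that triggered the finding
        hits.append(rec)
    return hits


if __name__ == "__main__":
    audit_ms = audit_timestamp_to_millis(json.loads(SAMPLE_FINDING)["auditTimestamp"])
    print(build_correlation_query(audit_ms))
    for rec in correlate(SAMPLE_FINDING, SAMPLE_RECORDS):
        print(rec["logStream"], rec["ingestionTime"], rec["message"])
```

Paste the printed query into Logs Insights against the original log group (or pass it to `start_query` in the SDK of your choice); the offline `correlate` step mirrors what the query's filter does, and is there to show why the window alone is not enough when several streams are busy at the same second.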