amazon-web-services - AWS Cloud Trail 日志解析

Question

我想从 Cloud Trail 日志中解析嵌套的 JSON 以获取用户名数据和时间我该怎么做有没有可以在 Lambda 中使用的代码或者有一些工具，例如 JSON 文件看起来像这样

{"version":"0","id":"5bd0a964-0969-4b1a-badd-3b4f7e9e077f","detail-type":"AWS API Call via CloudTrail","source":"aws.ec2","account":"111111111","time":"2017-04-25T16:07:33Z","region":"us-west-2","resources":[],"detail":{"eventVersion":"1.05","userIdentity":{"type":"Root","principalId":"1111111","arn":"arn:aws:iam::137247507067:root","accountId":"111111111","accessKeyId":"AAAAAAAA","userName":"roger","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2017-04-25T05:44:56Z"}}},"eventTime":"2017-04-25T16:07:33Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyImageAttribute","awsRegion":"us-west-2","sourceIPAddress":"X.X.X.X","userAgent":"console.ec2.amazonaws.com","requestParameters":{"imageId":"ami-36e85556","launchPermission":{"add":{"items":[{"userId":"879125893843"}]}},"attributeType":"launchPermission"},"responseElements":{"_return":true},"requestID":"06ae4745-2d29-4a3b-b526-c5d8c4b4a7fc","eventID":"fc57b805-ae30-4ec7-bf4f-7a9c971ae0c7","eventType":"AwsApiCall"}}

Answer 1

You can use AWS Athena.

It basically loads the cloudtrail logs into a table, so we can easily query all the things.

It has more option to analyze the cloudtrail logs.For example, if you want to know who launched the ec2 instance, then query like this,

SELECT date_format(from_iso8601_timestamp(eventTime), '%Y-%m-%d') AS EventDate,useridentity.arn UserARN,
       awsregion AS Region,
       json_extract_scalar(item,'$.instanceId') AS InstanceId
FROM cloudtrail_logs
CROSS JOIN UNNEST (cast(json_extract(responseElements,'$.instancesSet.items') AS array(json))) AS i (item)
WHERE eventsource='ec2.amazonaws.com'
  AND eventname = 'RunInstances'
  AND eventtime >= '2017-04-25T02:00:00.000'
 order by eventtime desc limit 2;

The result is,

https://aws.amazon.com/blogs/big-data/aws-cloudtrail-and-amazon-athena-dive-deep-to-analyze-security-compliance-and-operational-activity/