5

We are using AWS CloudTrail to retrieve data (cloud trail events). We use the gem 'aws-sdk-cloudtrail' (version 1.0). According to CloudTrail, we can retrieve at most 50 results (the most recent ones) per call. To fetch the earlier (older) results we use the "next token" received in the previous response. We do this until we get an empty "next token". When we receive an empty token it means all the cloud trail data has been retrieved.

For example: suppose CloudTrail has 100 events logged. In the first API call we receive the latest 50 results along with the token for retrieving the next 50 (the older 50). In the second API call we receive the remaining 50 results (the older ones) and the next token is nil. This means there are no more results to fetch.

In our case we save all the results received from the trail in a local database. We repeat this periodically. When we do it the second time (repeating the process above) we receive the few new results together with the old ones again. We again repeat the API calls until we get a 'next-token' of nil. This results in receiving redundant data that was already stored in the database during the first cycle. Is there any way to fetch only the newly logged CloudTrail events in the second cycle?

4

3 Answers

2

As @Vorsprung said, you can use the maximum event date-time from your local database.

Here is a detailed solution for your use case/problem:

1. Query your local database to check whether CloudTrail data is already present there.

    IF yes
        // It means you have stored some data from CloudTrail before.
        // And now you are going to request new trail events from CloudTrail.
        // Note - At the time of the first request you don't have a token (i.e. next-token)

        GOTO Step 3

    ELSE
        // It means you have not stored any data from CloudTrail before.
        // And now you are going to make the first request to CloudTrail.
        // Note - At the time of the first request you don't have a token (i.e. next-token)

        GOTO Step 2

2.  token = nil
    // token is set once, before the loop; resetting it inside the loop would discard
    // the next-token received and fetch the same first page over and over.

    LOOP true

        IF token
            // Send request to CloudTrail to get the next batch of latest CloudTrail events, now passing token (i.e. next-token) as a parameter.
            // Which will return at most the latest 50 trail events.
            // It will also return next-token if more CloudTrail events are remaining.

            IF next-token
                token = next-token
            ELSE
                BREAK LOOP;
            END

        ELSE
            // Send request to CloudTrail to get the latest CloudTrail events.
            // Which will return at most the latest 50 trail events.
            // It will also return next-token if more CloudTrail events are remaining.

            IF next-token
                token = next-token
            ELSE
                BREAK LOOP;
            END
        END
    END

3.  token = nil
    start_date_time = max_trail_event_date_time_from_local_db
    // Both are set once, before the loop, for the same reason as in Step 2.

    LOOP true

        IF token
            // Send request to CloudTrail to get the next batch of latest CloudTrail events, now passing token and start_date_time (i.e. next-token and max_trail_event_date_time_from_local_db) as parameters.
            // Which will return at most the latest 50 events which are logged after start_date_time.
            // It will also return next-token if more CloudTrail events are remaining.

            IF next-token
                token = next-token
            ELSE
                BREAK LOOP;
            END

        ELSE
            // Send request to CloudTrail to get the latest CloudTrail events, now passing start_date_time (i.e. max_trail_event_date_time_from_local_db) as a parameter.
            // Which will return at most the latest 50 events which are logged after start_date_time.
            // It will also return next-token if more CloudTrail events are remaining.

            IF next-token
                token = next-token
            ELSE
                BREAK LOOP;
            END
        END
    END

Hope it helps.

answered 2018-04-07T08:44:54.047
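Step 3 of the answer above, written out in Ruby against the aws-sdk-cloudtrail call shape, as an added example that is not code from the question or any answer here: lookup_events is called with start_time set to the newest event time already stored locally and followed through next_token until the API returns none. FakeCloudTrailClient, fetch_new_events, demo and the sample events are constructed for this example so it runs offline; a real Aws::CloudTrail::Client.new can be passed in its place since the same parameter and response names (start_time, next_token, events, event_id, event_time) are used. Note that start_time is inclusive, so the boundary event already in the database is returned again and has to be dropped by event_id.

```ruby
# Stand-in for Aws::CloudTrail::Client (constructed for this example): serves
# events newest-first, honours start_time and hands out a next_token while
# pages remain, mirroring the real lookup_events contract.
FakeEvent = Struct.new(:event_id, :event_name, :event_time)
FakePage  = Struct.new(:events, :next_token)

class FakeCloudTrailClient
  def initialize(events, page_size: 2)
    @events = events.sort_by(&:event_time).reverse
    @page_size = page_size
  end

  def lookup_events(params = {})
    # start_time is inclusive on the real API: only strictly older events are skipped.
    visible = @events.select { |e| params[:start_time].nil? || e.event_time >= params[:start_time] }
    offset = params[:next_token].to_i
    more = offset + @page_size < visible.size
    FakePage.new(visible[offset, @page_size] || [], more ? (offset + @page_size).to_s : nil)
  end
end

# Fetch only events newer than the last one stored locally, following
# next_token until the API stops returning one. The inclusive start_time
# returns the boundary event again, so ids already stored are dropped.
def fetch_new_events(client, last_seen_time:, seen_ids: [])
  new_events = []
  token = nil
  loop do
    params = { start_time: last_seen_time, next_token: token }.compact
    page = client.lookup_events(params)
    page.events.each { |e| new_events << e unless seen_ids.include?(e.event_id) }
    token = page.next_token
    break if token.nil?
  end
  new_events
end

# Constructed sample data: two events already in the local DB, three newer ones.
def demo
  t = Time.utc(2018, 3, 13, 12, 0, 0)
  stored = [FakeEvent.new('a', 'RunInstances', t - 60), FakeEvent.new('b', 'CreateUser', t)]
  fresh  = [FakeEvent.new('c', 'DeleteUser', t + 30), FakeEvent.new('d', 'StopInstances', t + 90),
            FakeEvent.new('e', 'RunInstances', t + 120)]
  client = FakeCloudTrailClient.new(stored + fresh, page_size: 2)
  fetch_new_events(client, last_seen_time: t, seen_ids: stored.map(&:event_id))
end
```

Persisting the ids of the events received at the boundary timestamp along with the max event time is what keeps the second cycle from re-inserting the last row.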
0

You save the "NextToken" in the local database and pass it on the next API call. Here is an example.

import boto3
import os

cloudtrail = boto3.client('cloudtrail')
paginator = cloudtrail.get_paginator('lookup_events')

# Resume from the token saved by the previous run, if one exists.
StartingToken = None
if os.path.exists("token"):
    with open("token") as token_file:
        StartingToken = token_file.read().strip() or None

page_iterator = paginator.paginate(
    LookupAttributes=[{'AttributeKey': 'EventName', 'AttributeValue': 'RunInstances'}],
    PaginationConfig={'PageSize': 10, 'StartingToken': StartingToken})
for page in page_iterator:
    for event in page["Events"]:
        print(event["EventName"], event["EventTime"])
    # The last page carries no NextToken; stop before opening (and truncating) the token file.
    next_token = page.get("NextToken")
    if next_token is None:
        break
    with open("token", "w") as token_file:
        token_file.write(next_token)
    StartingToken = next_token
answered 2018-03-13T17:54:54.623
0

Select the max date from the local database and use that as the start date for the CloudTrail events.

answered 2018-03-13T15:05:09.630