
I am using the AWS CloudTrail Processing Library to pull CloudTrail logs from AWS. In the event history screenshot below (taken from the CloudTrail web console), the name of the bucket affected by a change appears under the column Resource name. How can I get this with aws-cloudtrail-processing-library? The library returns the name of the bucket where CloudTrail saves the log files, not the affected bucket (highlighted). Also, even after downloading the logs from the bucket, I cannot see this information.

[Screenshot of the CloudTrail console event history, not included; the affected bucket is shown under the Resource name column]

Here is a snippet of my processing class:

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import com.amazonaws.services.cloudtrail.processinglibrary.AWSCloudTrailProcessingExecutor;

public class AuditorCloudTrail {

    public static void main(String[] args) throws InterruptedException {
        final Log logger = LogFactory.getLog(AuditorCloudTrail.class);

        // AuditorEventsProcessor, AuditorCloudTrailConfig, AuditorSourceFilter, AuditorProgressReporter,
        // AuditorEventsFilter and AuditorExceptionHandler are the asker's own implementations of the
        // library's callback interfaces; their sources are not shown in the question.
        final AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
                new AuditorEventsProcessor(), new AuditorCloudTrailConfig())
                        .withSourceFilter(new AuditorSourceFilter())
                        .withProgressReporter(new AuditorProgressReporter())
                        .withEventFilter(new AuditorEventsFilter())
                        .withExceptionHandler(new AuditorExceptionHandler())
                        .build();
        executor.start();

        // add shut down hook to gracefully stop executor (optional)
        Runtime.getRuntime().addShutdownHook(new Thread() {
            @Override
            public void run() {
                logger.info("Shut Down Hook is called.");
                executor.stop();
            }
        });

        // register a Default Uncaught Exception Handler (optional)
        Thread.setDefaultUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() {
            @Override
            public void uncaughtException(Thread t, Throwable e) {
                // Two options here:
                // First, we can call System.exit(1); in such case the shut down hook will be called.
                // Second, we can optionally build another executor and start it (done below).
                final AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
                        new AuditorEventsProcessor(), new AuditorCloudTrailConfig())
                                .withSourceFilter(new AuditorSourceFilter())
                                .withEventFilter(new AuditorEventsFilter())
                                .withProgressReporter(new AuditorProgressReporter())
                                .withExceptionHandler(new AuditorExceptionHandler())
                                .build();
                executor.start();
            }
        });

        // can optionally limit running time, or remove both lines so it runs forever (optional)
        Thread.sleep(24 * 60 * 60 * 1000);
        executor.stop();
    }
}

And the method that filters events:

    // From the asker's EventFilter implementation. IAM_EVENTS and S3_EVENTS are the asker's
    // constants holding the eventSource values to keep; their definitions are not shown.
    public boolean filterEvent(CloudTrailEvent event) throws CallbackException {
        CloudTrailEventData eventData = event.getEventData();

        String eventSource = eventData.getEventSource();

        // persist every event before deciding whether to keep it (saveEvent is the asker's own method)
        try {
            saveEvent(eventData);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }

        return (eventSource.equals(IAM_EVENTS) || eventSource.equals(S3_EVENTS));
    }
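An added example, not code from the question or the answer: a small Python parser over the gzipped log files the question mentions downloading, showing the two record fields, resources and requestParameters.bucketName, from which the name the console lists under Resource name can be read for the same S3 and IAM event sources the question filters on. The sample records, the account id and the assumption that a record populates one of those two fields are constructed for the example.

```python
import gzip
import io
import json

# Constructed sample records in the CloudTrail log-file layout (not real log data);
# 123456789012 is the placeholder account id used in AWS documentation.
SAMPLE_LOG = {"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "example-app-assets"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "deploy-bot"},
     "resources": [{"ARN": "arn:aws:iam::123456789012:user/deploy-bot",
                    "type": "AWS::IAM::User"}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]}

# The same two event sources the question's filterEvent keeps.
WATCHED_SOURCES = {"iam.amazonaws.com", "s3.amazonaws.com"}

def affected_resource(record):
    """Name of the resource acted on, or None if the record carries neither field.

    Reads the record's 'resources' element first, then falls back to the S3
    'bucketName' request parameter (assumption: the record populates one of them).
    """
    for res in record.get("resources") or []:
        arn = res.get("ARN")
        if arn:
            # last path segment, then last ':' segment, so both
            # arn:aws:iam::<acct>:user/<name> and arn:aws:s3:::<bucket> yield the name
            return arn.rsplit("/", 1)[-1].split(":")[-1]
    params = record.get("requestParameters") or {}
    return params.get("bucketName")

def watched_events(log_gz_bytes):
    """Parse one gzipped CloudTrail log file; list IAM/S3 events with their affected resource."""
    with gzip.open(io.BytesIO(log_gz_bytes), "rt", encoding="utf-8") as fh:
        records = json.load(fh).get("Records", [])
    return [(r["eventSource"], r["eventName"], affected_resource(r))
            for r in records if r.get("eventSource") in WATCHED_SOURCES]

def gzip_log(log_dict):
    """Pack a log dict the way CloudTrail delivers files to S3 (gzipped JSON)."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as fh:
        json.dump(log_dict, fh)
    return buf.getvalue()
```

Point watched_events at the bytes of a real log file from the trail's bucket to get the same (eventSource, eventName, resource) triples for events that lack a resources element only when they carry bucketName.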

1 Answer


I opened this question as an issue on the GitHub repository of the AWS Cloudtrail processing engine. The answer I received is that this functionality is not currently supported by the processing engine. So the workaround is to use Logstash (requires installing the cloudtrail plugin) to pull the logs from the preconfigured AWS s3 bucket into a mongodb server, as described here, from which the required events, including the resources involved, can be extracted with normal processing.

Answered 2019-03-23T15:35:22.047