Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[parsers] add cloudtrail via cloudwatch logs support #745

Merged
merged 5 commits into from
May 22, 2018

Conversation

ryandeivert
Copy link
Contributor

@ryandeivert ryandeivert commented May 22, 2018

to: @austinbyers
cc: @airbnb/streamalert-maintainers
size: small

Background

Logs that are ingested via CloudWatch logs subscription filter have a unique format. The format is described here in step 8 under Example # 1. The message objects within the list of logEvents are stored as embedded json objects. However, currently, there is no easy way to use a json path in combination with loading an embedded json object. This adds support for loading of embedded json objects for json records extracted via a json path.

Changes

  • Adding new logs.json config option of embedded_json that is a boolean indicating if the extracted json object is an embedded object (encoded json within json).
  • Adding json loading logic for embedded json objects via new method of _extract_records. This new method also handles the json regex extraction & loading.
  • Adding CloudTrail log via CloudWatch logs schema support. See here for more info on the contents of the log.

Testing

  • Adding unit tests for the extraction of the embedded json object.

@ryandeivert ryandeivert changed the title Ryandeivert add cloudtrail via cw support [parsers] add cloudtrail via cloudwatch logs support May 22, 2018
@ryandeivert ryandeivert added this to the 2.0.0 milestone May 22, 2018
Copy link
Contributor

@austinbyers austinbyers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A really clean solution! 👏

try:
record = json.loads(match.value)
except ValueError:
LOGGER.debug('Embedded json is invalid')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be a warning? If I understand correctly, this logic parses embedded json (if specified) for each matched log schema. If that fails, then the config is probably wrong? Or will this happen more frequently?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's probably safe to have it as warning or error. just updated!

@jacknagz
Copy link
Contributor

👏 @ryandeivert could you also add the new embedded_json config option to our docs so other users have an understanding of how it works?

@ryandeivert
Copy link
Contributor Author

@jacknagz I will make a todo for it and address soon

@ryandeivert ryandeivert merged commit 1ae5bd2 into master May 22, 2018
@ryandeivert ryandeivert deleted the ryandeivert-add-cloudtrail-via-cw-support branch May 22, 2018 22:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants