Skip to content
/ aws-log-forwarder Public

AWS Lambda function for the log forwarding

License

Apache-2.0 license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

impart-security/aws-log-forwarder

BranchesTags

Repository files navigation

AWS log forwarder

Lambda function to stream ec2 loadbalancer access logs and cloudwatch logs to impart inspector.

Logstream ingestion configuration

  1. Create a Log Binding. Specify grok pattern for the expected log format and file name which will be used in the inspector configuration in step 2. The following fields are supported and required to be resolved:
  • timestamp - request timestamp, HTTPDATE and TIMESTAMP_ISO8601 time formats are supported automatically. For custom time format provide layout in the grok: %{GREEDYDATA:timestamp:ts-"2006-01-02 15:04:05.000"}
  • request - request url. Can include query string parameters if available
  • response_code - response status code
  • http_method - request http method
  1. Run inspector with the following environment variables:
INSPECTOR_MODE: "log_stream_server"
INSPECTOR_LOGSTREAM_LISTEN_ADDR: ":<port>"
INSPECTOR_LOGSTREAM_ID: "<log_binding_logstream_ID>" # from step 1
INSPECTOR_API_ACCESS_TOKEN: "<access_token>" # setup here https://console.impartsecurity.net/orgs/_/access-tokens#create. Click `New inspector access token`, click `Inspector access` to set the scopes.
  1. Run the lambda function subscribed either to cloud watch events or elb s3 events. Specify environment variable:
INSPECTOR_LOGSTREAM_LISTEN_ADDR: "<inspector_host>:<port>" # from step 2

Grok Examples

For elb access logs:

%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port} (?:%{IP:backend_ip}:%{NUMBER:backend_port}|-) %{NUMBER:request_processing_time} %{NUMBER:backend_processing_time} %{NUMBER:response_processing_time} (?:%{NUMBER:response_code}|-) (?:%{NUMBER:backend_status_code}|-) %{NUMBER:received_bytes} %{NUMBER:sent_bytes} "(?:%{WORD:http_method}|-) (?:%{GREEDYDATA:request}|-) (?:HTTP/%{NUMBER:http_version}|-( )?)" "%{DATA:user_agent}"( %{NOTSPACE:ssl_cipher} %{NOTSPACE:ssl_protocol})?

For api gateway cloudwatch access logs if the log format set to:

$context.requestTime "$context.httpMethod $context.path $context.protocol" $context.status $context.identity.sourceIp $context.requestId

%{HTTPDATE:timestamp} "(?:%{WORD:http_method}|-) (?:%{GREEDYDATA:request}|-) (?:HTTP/%{NUMBER:http_version}|-( )?)" (?:%{NUMBER:response_code}|-)

About

AWS Lambda function for the log forwarding

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 1

v0.2.0 Latest
Apr 4, 2024

Packages

No packages published

Languages