[Filebeat] [AWS] add support to source logs from AWS linked source accounts when using log_group_name_prefix (elastic#41206)

Kavindu-Dodan · web-flow · commit 7e1b52806758 · 2024-10-15T13:09:32.000-07:00
* configuration parsing to support arn &amp; linked accounts

Signed-off-by: Kavindu Dodanduwa &lt;kavindu.dodanduwa@elastic.co&gt;

# Conflicts:
#	x-pack/filebeat/input/awscloudwatch/input.go

* code review change - fix typo

Signed-off-by: Kavindu Dodanduwa &lt;kavindu.dodanduwa@elastic.co&gt;

* add support to linked accounts when using prefix mode

Signed-off-by: Kavindu Dodanduwa &lt;kavindu.dodanduwa@elastic.co&gt;

* add changelog entry

Signed-off-by: Kavindu Dodanduwa &lt;kavindu.dodanduwa@elastic.co&gt;

* review suggestion

Signed-off-by: Kavindu Dodanduwa &lt;kavindu.dodanduwa@elastic.co&gt;

* use non-pointer struct property

Signed-off-by: Kavindu Dodanduwa &lt;kavindu.dodanduwa@elastic.co&gt;

---------

Signed-off-by: Kavindu Dodanduwa &lt;kavindu.dodanduwa@elastic.co&gt;
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -328,6 +328,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Add support to source AWS cloudwatch logs from linked accounts. {pull}41188[41188]
 - Jounrald input now supports filtering by facilities {pull}41061[41061]
 - System module now supports reading from jounrald. {pull}41061[41061]
+- Add support to include AWS cloudwatch linked accounts when using log_group_name_prefix to define log group names. {pull}41206[41206]
 
 *Auditbeat*
 
diff --git a/x-pack/filebeat/_meta/config/filebeat.inputs.reference.xpack.yml.tmpl b/x-pack/filebeat/_meta/config/filebeat.inputs.reference.xpack.yml.tmpl
@@ -144,10 +144,15 @@
   #log_group_name: test
 
   # The prefix for a group of log group names.
+  # You can include linked source accounts by using the property `include_linked_accounts_for_prefix_mode`.
   # Note: `region_name` is required when `log_group_name_prefix` is given.
   # `log_group_name` and `log_group_name_prefix` cannot be given at the same time.
   #log_group_name_prefix: /aws/
 
+  # State whether to include linked source accounts when obtaining log groups matching the prefix provided through `log_group_name_prefix`
+  # This property works together with `log_group_name_prefix` and default value (if unset) is false
+  #include_linked_accounts_for_prefix_mode: true
+
   # Region that the specified log group or log group prefix belongs to.
   #region_name: us-east-1
 
diff --git a/x-pack/filebeat/docs/inputs/input-aws-cloudwatch.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-cloudwatch.asciidoc
@@ -56,13 +56,21 @@ Note: `region_name` is required when log_group_name is given.
 
 [float]
 ==== `log_group_name_prefix`
-The prefix for a group of log group names.
+The prefix for a group of log group names. See `include_linked_accounts_for_prefix_mode` option for linked source accounts behavior.
 
 Note: `region_name` is required when
 `log_group_name_prefix` is given. `log_group_name` and `log_group_name_prefix`
 cannot be given at the same time. The number of workers that will process the
 log groups under this prefix is set through the `number_of_workers` config.
 
+[float]
+==== `include_linked_accounts_for_prefix_mode`
+Configure whether to include linked source accounts that contains the prefix value defined through `log_group_name_prefix`.
+Accepts a boolean and this is by default disabled.
+
+Note: Utilize `log_group_arn` if you desire to obtain logs from a known log group (including linked source accounts)
+You can read more about AWS account linking and cross account observability from the https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html[official documentation].
+
 [float]
 ==== `region_name`
 Region that the specified log group or log group prefix belongs to.
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -3078,10 +3078,15 @@ filebeat.inputs:
   #log_group_name: test
 
   # The prefix for a group of log group names.
+  # You can include linked source accounts by using the property `include_linked_accounts_for_prefix_mode`.
   # Note: `region_name` is required when `log_group_name_prefix` is given.
   # `log_group_name` and `log_group_name_prefix` cannot be given at the same time.
   #log_group_name_prefix: /aws/
 
+  # State whether to include linked source accounts when obtaining log groups matching the prefix provided through `log_group_name_prefix`
+  # This property works together with `log_group_name_prefix` and default value (if unset) is false
+  #include_linked_accounts_for_prefix_mode: true
+
   # Region that the specified log group or log group prefix belongs to.
   #region_name: us-east-1
 
diff --git a/x-pack/filebeat/input/awscloudwatch/config.go b/x-pack/filebeat/input/awscloudwatch/config.go
@@ -13,20 +13,21 @@ import (
 )
 
 type config struct {
-	harvester.ForwarderConfig `config:",inline"`
-	LogGroupARN               string              `config:"log_group_arn"`
-	LogGroupName              string              `config:"log_group_name"`
-	LogGroupNamePrefix        string              `config:"log_group_name_prefix"`
-	RegionName                string              `config:"region_name"`
-	LogStreams                []*string           `config:"log_streams"`
-	LogStreamPrefix           string              `config:"log_stream_prefix"`
-	StartPosition             string              `config:"start_position" default:"beginning"`
-	ScanFrequency             time.Duration       `config:"scan_frequency" validate:"min=0,nonzero"`
-	APITimeout                time.Duration       `config:"api_timeout" validate:"min=0,nonzero"`
-	APISleep                  time.Duration       `config:"api_sleep" validate:"min=0,nonzero"`
-	Latency                   time.Duration       `config:"latency"`
-	NumberOfWorkers           int                 `config:"number_of_workers"`
-	AWSConfig                 awscommon.ConfigAWS `config:",inline"`
+	harvester.ForwarderConfig          `config:",inline"`
+	LogGroupARN                        string              `config:"log_group_arn"`
+	LogGroupName                       string              `config:"log_group_name"`
+	LogGroupNamePrefix                 string              `config:"log_group_name_prefix"`
+	IncludeLinkedAccountsForPrefixMode bool                `config:"include_linked_accounts_for_prefix_mode"`
+	RegionName                         string              `config:"region_name"`
+	LogStreams                         []*string           `config:"log_streams"`
+	LogStreamPrefix                    string              `config:"log_stream_prefix"`
+	StartPosition                      string              `config:"start_position" default:"beginning"`
+	ScanFrequency                      time.Duration       `config:"scan_frequency" validate:"min=0,nonzero"`
+	APITimeout                         time.Duration       `config:"api_timeout" validate:"min=0,nonzero"`
+	APISleep                           time.Duration       `config:"api_sleep" validate:"min=0,nonzero"`
+	Latency                            time.Duration       `config:"latency"`
+	NumberOfWorkers                    int                 `config:"number_of_workers"`
+	AWSConfig                          awscommon.ConfigAWS `config:",inline"`
 }
 
 func defaultConfig() config {
diff --git a/x-pack/filebeat/input/awscloudwatch/input.go b/x-pack/filebeat/input/awscloudwatch/input.go
@@ -105,8 +105,9 @@ func (in *cloudwatchInput) Run(inputContext v2.Context, pipeline beat.Pipeline)
 	})
 
 	if len(logGroupIDs) == 0 {
-		// fallback to LogGroupNamePrefix to derive group IDs
-		logGroupIDs, err = getLogGroupNames(svc, in.config.LogGroupNamePrefix)
+		// We haven't extracted group identifiers directly from the input configurations,
+		// now fallback to provided LogGroupNamePrefix and use derived service client to derive logGroupIDs
+		logGroupIDs, err = getLogGroupNames(svc, in.config.LogGroupNamePrefix, in.config.IncludeLinkedAccountsForPrefixMode)
 		if err != nil {
 			return fmt.Errorf("failed to get log group names from LogGroupNamePrefix: %w", err)
 		}
@@ -164,15 +165,16 @@ func fromConfig(cfg config, awsCfg awssdk.Config) (logGroupIDs []string, region
 	return logGroupIDs, region, nil
 }
 
-// getLogGroupNames uses DescribeLogGroups API to retrieve all log group names
-func getLogGroupNames(svc *cloudwatchlogs.Client, logGroupNamePrefix string) ([]string, error) {
+// getLogGroupNames uses DescribeLogGroups API to retrieve LogGroupArn entries that matches the provided logGroupNamePrefix
+func getLogGroupNames(svc *cloudwatchlogs.Client, logGroupNamePrefix string, withLinkedAccount bool) ([]string, error) {
 	// construct DescribeLogGroupsInput
 	describeLogGroupsInput := &cloudwatchlogs.DescribeLogGroupsInput{
-		LogGroupNamePrefix: awssdk.String(logGroupNamePrefix),
+		LogGroupNamePrefix:    awssdk.String(logGroupNamePrefix),
+		IncludeLinkedAccounts: awssdk.Bool(withLinkedAccount),
 	}
 
 	// make API request
-	var logGroupNames []string
+	var logGroupIDs []string
 	paginator := cloudwatchlogs.NewDescribeLogGroupsPaginator(svc, describeLogGroupsInput)
 	for paginator.HasMorePages() {
 		page, err := paginator.NextPage(context.TODO())
@@ -181,8 +183,8 @@ func getLogGroupNames(svc *cloudwatchlogs.Client, logGroupNamePrefix string) ([]
 		}
 
 		for _, lg := range page.LogGroups {
-			logGroupNames = append(logGroupNames, *lg.LogGroupName)
+			logGroupIDs = append(logGroupIDs, *lg.LogGroupArn)
 		}
 	}
-	return logGroupNames, nil
+	return logGroupIDs, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -105,8 +105,9 @@ func (in *cloudwatchInput) Run(inputContext v2.Context, pipeline beat.Pipeline)`
`105`	`105`	`})`
`106`	`106`
`107`	`107`	`if len(logGroupIDs) == 0 {`
`108`		`- // fallback to LogGroupNamePrefix to derive group IDs`
`109`		`- logGroupIDs, err = getLogGroupNames(svc, in.config.LogGroupNamePrefix)`
	`108`	`+ // We haven't extracted group identifiers directly from the input configurations,`
	`109`	`+ // now fallback to provided LogGroupNamePrefix and use derived service client to derive logGroupIDs`
	`110`	`+ logGroupIDs, err = getLogGroupNames(svc, in.config.LogGroupNamePrefix, in.config.IncludeLinkedAccountsForPrefixMode)`
`110`	`111`	`if err != nil {`
`111`	`112`	`return fmt.Errorf("failed to get log group names from LogGroupNamePrefix: %w", err)`
`112`	`113`	`}`
`@@ -164,15 +165,16 @@ func fromConfig(cfg config, awsCfg awssdk.Config) (logGroupIDs []string, region`
`164`	`165`	`return logGroupIDs, region, nil`
`165`	`166`	`}`
`166`	`167`
`167`		`-// getLogGroupNames uses DescribeLogGroups API to retrieve all log group names`
`168`		`-func getLogGroupNames(svc *cloudwatchlogs.Client, logGroupNamePrefix string) ([]string, error) {`
	`168`	`+// getLogGroupNames uses DescribeLogGroups API to retrieve LogGroupArn entries that matches the provided logGroupNamePrefix`
	`169`	`+func getLogGroupNames(svc *cloudwatchlogs.Client, logGroupNamePrefix string, withLinkedAccount bool) ([]string, error) {`
`169`	`170`	`// construct DescribeLogGroupsInput`
`170`	`171`	`describeLogGroupsInput := &cloudwatchlogs.DescribeLogGroupsInput{`
`171`		`- LogGroupNamePrefix: awssdk.String(logGroupNamePrefix),`
	`172`	`+ LogGroupNamePrefix: awssdk.String(logGroupNamePrefix),`
	`173`	`+ IncludeLinkedAccounts: awssdk.Bool(withLinkedAccount),`
`172`	`174`	`}`
`173`	`175`
`174`	`176`	`// make API request`
`175`		`- var logGroupNames []string`
	`177`	`+ var logGroupIDs []string`
`176`	`178`	`paginator := cloudwatchlogs.NewDescribeLogGroupsPaginator(svc, describeLogGroupsInput)`
`177`	`179`	`for paginator.HasMorePages() {`
`178`	`180`	`page, err := paginator.NextPage(context.TODO())`
`@@ -181,8 +183,8 @@ func getLogGroupNames(svc *cloudwatchlogs.Client, logGroupNamePrefix string) ([]`
`181`	`183`	`}`
`182`	`184`
`183`	`185`	`for _, lg := range page.LogGroups {`
`184`		`- logGroupNames = append(logGroupNames, *lg.LogGroupName)`
	`186`	`+ logGroupIDs = append(logGroupIDs, *lg.LogGroupArn)`
`185`	`187`	`}`
`186`	`188`	`}`
`187`		`- return logGroupNames, nil`
	`189`	`+ return logGroupIDs, nil`
`188`	`190`	`}`