Simple browse/search into CloudTrail events

0

Hi, CloudTrail events are often very useful to find issues with IAM permissions and other things but it's impossible browse and search easily using console. I'm an old-style sysadmin and I'd like to look and "grep" into them as text files. I'd liek to search for all "errors" or "all IAM access denied". Is there some simple tool?

asked 2 years ago600 views
3 Answers
0

I find Athena the best way to query CloudTrail logs. See the AWS Docs for how to set this up from the CloudTrail console: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html#create-cloudtrail-table-ct

profile pictureAWS
answered 2 years ago
  • I will try but I'm more comfortable with CLI tools, like AWS CLI, jq, grep, etc

0

If you are also outputting CloudTrail logs to cloudwatch logs, you can use log insights to search in a similar way to grep.

fields @timestamp, @message, @logStream, @log
| filter @message like /AccessDenied/
| sort @timestamp desc
| limit 20
profile picture
EXPERT
answered 2 years ago
0

Search only errors and output only chosen fields:

aws cloudtrail lookup-events --output text --region eu-central-1 --start-time 2023-03-21T09:00Z --end-time 2023-03-21T10:00Z --query 'Events[].CloudTrailEvent' | jq -r ' . | select(.errorCode != null) | [.eventTime,.eventID,.eventName,.errorCode,.errorMessage] | @csv'

in a fixed time interval.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions