By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Simple browse/search into CloudTrail events

0

Hi, CloudTrail events are often very useful to find issues with IAM permissions and other things but it's impossible browse and search easily using console. I'm an old-style sysadmin and I'd like to look and "grep" into them as text files. I'd liek to search for all "errors" or "all IAM access denied". Is there some simple tool?

Topics
Management & Governance
Tags
AWS CloudTrail
Language
English
rePost-User-7835478
asked a year ago441 views
3 Answers
0

I find Athena the best way to query CloudTrail logs. See the AWS Docs for how to set this up from the CloudTrail console: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html#create-cloudtrail-table-ct

profile pictureAWS
Peter Grainger
answered a year ago
  • rePost-User-7835478
    a year ago

    I will try but I'm more comfortable with CLI tools, like AWS CLI, jq, grep, etc

0

If you are also outputting CloudTrail logs to cloudwatch logs, you can use log insights to search in a similar way to grep.

fields @timestamp, @message, @logStream, @log
| filter @message like /AccessDenied/
| sort @timestamp desc
| limit 20
profile picture
EXPERT
Gary Mclean
answered a year ago
0

Search only errors and output only chosen fields:

aws cloudtrail lookup-events --output text --region eu-central-1 --start-time 2023-03-21T09:00Z --end-time 2023-03-21T10:00Z --query 'Events[].CloudTrailEvent' | jq -r ' . | select(.errorCode != null) | [.eventTime,.eventID,.eventName,.errorCode,.errorMessage] | @csv'

in a fixed time interval.

rePost-User-7835478
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content