Duplicate events in batches of 50 while fetching audit data through the LookupEvents API of CloudTrail.

0
  • Found that the duplicate events occurred consecutively.
  • Parsed each batch of 50 audit events fetched from the LookupEvents API of CloudTrail, checked for duplication by eventID, and found that the duplicate events came from AWS itself.
  • Also collected the audit logs, stored them in a file, and found that the audit logs were duplicated only for us-east-1.
  • Created a script to find duplicates in the collected logs and it found the same results.
  • The count of duplicate events differs every time. But whenever I tried to reproduce this bug, I found that the same fetched events were duplicated every time.
  • No pattern was found for the duplicate events, except that the event IDs of the duplicate events are the same every time.
Asked 1 year ago, viewed 433 times
1 answer
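The check described in the question, as an added example that is not code from the original post or from AWS: a Python script that follows NextToken through every LookupEvents page, counts duplicate EventIds, reports how many repeats were immediately consecutive, and records the awsRegion of each duplicated event. The lookup call is passed in as a parameter, so the same code runs against the constructed offline sample below or against boto3's `client.lookup_events`; the page shape mirrors what that call returns, and the event ids, account id and regions in the sample are constructed placeholders.

```python
"""Detect duplicate CloudTrail events across LookupEvents pages.

Added example, not code from the original post. It assumes the page shape
returned by boto3's CloudTrail.Client.lookup_events: a dict with an
"Events" list (each item carrying "EventId" and a JSON string
"CloudTrailEvent") and an optional "NextToken". The sample pages below
are constructed; the account id, regions and event ids are placeholders.
"""
import json
from collections import Counter
from typing import Callable, Dict, Iterator, List


def iter_events(lookup_fn: Callable[..., Dict], **params) -> Iterator[Dict]:
    """Follow NextToken through every page returned by lookup_fn.

    lookup_fn can be boto3's client.lookup_events; params are forwarded
    unchanged (for example StartTime, EndTime, MaxResults=50).
    """
    token = None
    while True:
        call = dict(params)
        if token:
            call["NextToken"] = token
        page = lookup_fn(**call)
        for ev in page.get("Events", []):
            yield ev
        token = page.get("NextToken")
        if not token:
            return


def find_duplicates(events: List[Dict]) -> Dict:
    """Summarise duplicated EventIds in the order the events were fetched.

    Reports per-EventId occurrence counts above 1, how many repeats were
    immediately consecutive (the pattern described in the question), and
    the awsRegion of each duplicated event.
    """
    counts = Counter(ev["EventId"] for ev in events)
    dup_ids = {eid for eid, n in counts.items() if n > 1}

    consecutive = sum(1 for prev, cur in zip(events, events[1:])
                      if cur["EventId"] == prev["EventId"])

    regions = {}
    for ev in events:
        if ev["EventId"] in dup_ids and ev["EventId"] not in regions:
            body = json.loads(ev["CloudTrailEvent"])
            regions[ev["EventId"]] = body.get("awsRegion")

    return {
        "total": len(events),
        "unique": len(counts),
        "duplicates": {eid: counts[eid] for eid in sorted(dup_ids)},
        "consecutive_repeats": consecutive,
        "regions": regions,
    }


def dedupe(events: List[Dict]) -> List[Dict]:
    """Keep the first occurrence of each EventId, preserving fetch order."""
    seen = set()
    out = []
    for ev in events:
        if ev["EventId"] not in seen:
            seen.add(ev["EventId"])
            out.append(ev)
    return out


def _make_event(eid: str, region: str, name: str = "LookupEvents") -> Dict:
    # Constructed event in the shape lookup_events returns; not real data.
    body = {"eventID": eid, "awsRegion": region, "eventName": name,
            "eventSource": "cloudtrail.amazonaws.com",
            "recipientAccountId": "012345678912"}
    return {"EventId": eid, "EventName": name, "CloudTrailEvent": json.dumps(body)}


# Constructed pages: e2 and e4 are each returned twice in a row.
SAMPLE_PAGES = [
    {"Events": [_make_event("e1", "us-east-1"), _make_event("e2", "us-east-1"),
                _make_event("e2", "us-east-1")], "NextToken": "page-2"},
    {"Events": [_make_event("e3", "eu-west-1"), _make_event("e4", "us-east-1"),
                _make_event("e4", "us-east-1")]},
]


def fake_lookup_events(**params) -> Dict:
    """Stand-in for client.lookup_events that serves SAMPLE_PAGES."""
    token = params.get("NextToken")
    index = int(token.split("-")[1]) - 1 if token else 0
    return SAMPLE_PAGES[index]


def sample_report() -> Dict:
    """Run the duplicate check over the constructed sample pages."""
    return find_duplicates(list(iter_events(fake_lookup_events, MaxResults=50)))


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

To run it against a real account, replace `fake_lookup_events` with `boto3.client("cloudtrail").lookup_events` and pass the same StartTime, EndTime and MaxResults you use today; `dedupe` gives you the collapsed list once the report confirms the repeats are exact EventId matches.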
0

Hi there

Do you have multiple CloudTrail Trails configured in different regions? If so, you could be seeing duplicates for global service events. Examples of global service events are AWS IAM, CloudFront, and AWS STS. If these are the types of duplicate events you are seeing, make sure you are not logging "Management Events" in multiple CloudTrails. See https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events for additional info.

AWS
Expert
Matt-B
Answered 1 year ago
  • Thanks for this information. But I am fetching the audit logs which were generated before CloudTrail was created. For that purpose, I am using the LookupEvents API to fetch those logs. As far as I know, the creation of CloudTrail and the duplicate events don't relate to each other.

  • Can you post an example of a duplicate event?

  • Sure.

    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "QWERTYUIOPASDFGHJKLZXCV:1cefa620-1234-1234-1234-24bddba12345",
        "arn": "arn:aws:sts::012345678912:assumed-role/test-role/1cefa620-1234-1234-1234-24bddba12345",
        "accountId": "012345678912",
        "accessKeyId": "QWERTYUIOPASDFGHJKLZXC",
        "sessionContext": {
          "sessionIssuer": {
            "type": "Role",
            "principalId": "QWERTYUIOPASDFGHJKLZXCV",
            "arn": "arn:aws:iam::012345678912:role/test-role",
            "accountId": "012345678912",
            "userName": "test-role"
          },
          "webIdFederationData": {},
          "attributes": {
            "creationDate": "2022-12-08T08:15:10Z",
            "mfaAuthenticated": "false"
          }
        }
      },
      "eventTime": "2022-12-08T08:54:43Z",
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "LookupEvents",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "123.123.123.123",
      "userAgent": "aws-sdk-java/2.17.201 Linux/3.10.0-1160.80.1.el7.x86_64 OpenJDK_64-Bit_Server_VM/17.0.2+8-LTS Java/17.0.2 vendor/Red_Hat__Inc. io/sync http/Apache cfg/retry-mode/legacy",
      "requestParameters": {
        "startTime": "Sep 9, 2022, 12:00:00 AM",
        "endTime": "Dec 8, 2022, 7:25:01 AM",
        "nextToken": "sNhgqKEs0ota607r7N/9sIrV2UdnOUs/1WWv/FTK1q/Mp6pFL4nm9olMGfiJOfh5t+9x7bxx23uh29du3hd93=="
      },
      "responseElements": null,
      "requestID": "5da63bf5-1234-1234-1234-b6b2bf2e114c",
      "eventID": "f72a6cf5-1234-1234-1234-1f5e135d0e88",
      "readOnly": true,
      "eventType": "AwsApiCall",
      "managementEvent": true,
      "recipientAccountId": "012345678912",
      "eventCategory": "Management",
      "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
      }
    }

  • Hi there, any update from your side...?
