CloudWatch Logs Insights handy queries

Squid Apache-style logs

Find all requests whose URL matches a pattern (case-insensitive regex):

parse '* - * [*] "* * *" * * "*" "*" *_*:*' as host, identity, dateTimeString, httpVerb, url, protocol, statusCode, bytes, nothing1, clientid, proto, response, HierCode
| filter url like /(?i)(.www.example.com.*)/

Get a count of denied requests by URL:

parse '* - * [*] "* * *" * * "*" "*" *_*:*' as host, identity, dateTimeString, httpVerb, url, protocol, statusCode, bytes, nothing1, clientid, proto, response, HierCode
| filter (response='DENIED') | stats count(*) by url
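To see exactly which text each `*` in the parse glob captures before running the queries above against real data, here is an added Python emulation of both Squid queries over constructed sample lines. It is not code from the original post; it assumes that a lazy wildcard match approximates how Logs Insights assigns text to each `*`.

```python
import re
from collections import Counter

# The same parse glob the Logs Insights queries above use.
SQUID_GLOB = '* - * [*] "* * *" * * "*" "*" *_*:*'
FIELDS = ["host", "identity", "dateTimeString", "httpVerb", "url", "protocol",
          "statusCode", "bytes", "nothing1", "clientid", "proto", "response", "HierCode"]

# Constructed sample lines in Squid's Apache combined-style format (not real traffic).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 1043 "-" "curl/7.88.1" TCP_MISS:HIER_DIRECT',
    '10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "CONNECT blocked.example.net:443 HTTP/1.1" 403 3901 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "CONNECT blocked.example.net:443 HTTP/1.1" 403 3901 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '10.0.0.5 - - [10/Oct/2023:13:57:11 +0000] "GET http://www.example.com/admin HTTP/1.1" 403 3901 "-" "curl/7.88.1" TCP_DENIED:HIER_NONE',
]


def glob_to_regex(glob):
    """Turn a Logs Insights parse glob into an anchored regex: each '*' becomes a
    lazy capture group and everything else is matched literally. Assumption: lazy
    matching approximates how the console assigns text to each '*'."""
    return re.compile("^" + re.escape(glob).replace(r"\*", "(.*?)") + "$")


SQUID_RE = glob_to_regex(SQUID_GLOB)


def parse_line(line):
    """Emulate `parse ... as host, identity, ...`; returns None for lines the glob rejects."""
    m = SQUID_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def requests_matching_url(lines, url_regex=r"(?i)(.www.example.com.*)"):
    """Emulate `| filter url like /.../` and return the matching parsed records."""
    rows = [r for r in map(parse_line, lines) if r]
    return [r for r in rows if re.search(url_regex, r["url"])]


def denied_count_by_url(lines):
    """Emulate `| filter (response='DENIED') | stats count(*) by url`."""
    rows = [r for r in map(parse_line, lines) if r]
    return dict(Counter(r["url"] for r in rows if r["response"] == "DENIED"))
```

Note that the last glob `*_*:*` splits Squid's `TCP_DENIED:HIER_NONE` into proto, response and HierCode, which is why the filter compares `response` with `DENIED` rather than `TCP_DENIED`.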

CloudTrail logs

Who or what created an EC2 instance:

# Replace i-111111111111 with the instance ID you are investigating
filter eventName = 'RunInstances'
| filter responseElements.instancesSet.items.0.instanceId = 'i-111111111111'
| fields @timestamp, userIdentity.arn, sourceIPAddress, eventSource
| sort @timestamp desc
