CloudWatch Logs Insights enables you to interactively search and analyze your log data in Amazon CloudWatch Logs. You can perform queries to help you more efficiently and effectively respond to operational issues. If an issue occurs, you can use CloudWatch Logs Insights to identify potential causes and validate deployed fixes.
CloudWatch Logs Insights automatically discovers fields in logs from AWS services such as Amazon Route 53, AWS Lambda, AWS CloudTrail, and Amazon VPC, and in any application or custom log that emits log events as JSON. In this lab exercise, we will query CloudTrail events stored in CloudWatch Logs with Insights and add the result to a CloudWatch Dashboard.
In the query pane, enter the following query, which filters failed sign-in attempts to the AWS account and also captures whether MFA was used.
filter eventSource="signin.amazonaws.com" and eventName="ConsoleLogin" and responseElements.ConsoleLogin="Failure"
| stats count(*) as Total_Count by sourceIPAddress as Source_IP, errorMessage as Reason, awsRegion as AWS_Region, userIdentity.arn as IAM_Arn, additionalEventData.MFAUsed as MFA_Used
Click on Run Query to view results.
Click on Create widget and you will see your first dashboard created.
Go to the CloudWatch Logs Insights Console
From the drop down, select the CloudWatch Log Group created during the setup.
In the query pane, enter the following query, which filters the AWS Regions, user names, and ARNs of newly created IAM users.
filter eventName="CreateUser" | fields awsRegion, requestParameters.userName, responseElements.user.arn
Click on Run Query to view results.
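The two Insights queries above run inside CloudWatch, so to show exactly which CloudTrail fields they read and what their output looks like, here is an added Python re-implementation of both (example code written for this page, not part of the original lab or of any AWS tool). It parses a handful of constructed CloudTrail-style JSON log lines (the account ID, IP addresses and user names are made up), applies the same filter and `stats ... by` grouping as the failed-login query, and the same `filter`/`fields` projection as the CreateUser query. Dotted field paths such as `responseElements.ConsoleLogin` are resolved the way Insights does on auto-discovered JSON fields.

```python
import json
from collections import Counter

# Constructed CloudTrail-style events, one JSON object per line (not real data).
# Field names follow the CloudTrail record format used by the Insights queries.
SAMPLE_LOG = """\
{"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication"}
{"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication"}
{"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "Yes"}, "errorMessage": "Failed authentication"}
{"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"userName": "svc-backup"}, "responseElements": {"user": {"userName": "svc-backup", "arn": "arn:aws:iam::123456789012:user/svc-backup"}}}
{"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"roleName": "app-role"}}
"""


def parse_log_lines(text):
    """Parse newline-delimited JSON log events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get_path(event, path):
    """Resolve a dotted field path (e.g. 'responseElements.ConsoleLogin');
    returns None when any part of the path is missing, as Insights treats
    absent fields."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# (field, alias) pairs mirroring the 'stats ... by' clause of the first query.
FAILED_LOGIN_GROUP_BY = [
    ("sourceIPAddress", "Source_IP"),
    ("errorMessage", "Reason"),
    ("awsRegion", "AWS_Region"),
    ("userIdentity.arn", "IAM_Arn"),
    ("additionalEventData.MFAUsed", "MFA_Used"),
]


def failed_console_logins(events):
    """Offline equivalent of the first query: keep failed console logins and
    count them per (source IP, reason, region, IAM ARN, MFA used)."""
    counts = Counter()
    for ev in events:
        if (get_path(ev, "eventSource") == "signin.amazonaws.com"
                and get_path(ev, "eventName") == "ConsoleLogin"
                and get_path(ev, "responseElements.ConsoleLogin") == "Failure"):
            key = tuple(get_path(ev, field) for field, _ in FAILED_LOGIN_GROUP_BY)
            counts[key] += 1
    rows = []
    for key, total in counts.most_common():  # highest count first
        row = {alias: value for (_, alias), value in zip(FAILED_LOGIN_GROUP_BY, key)}
        row["Total_Count"] = total
        rows.append(row)
    return rows


def new_iam_users(events):
    """Offline equivalent of the second query: for each CreateUser event,
    project awsRegion, requestParameters.userName and responseElements.user.arn."""
    fields = ["awsRegion", "requestParameters.userName", "responseElements.user.arn"]
    return [
        {f: get_path(ev, f) for f in fields}
        for ev in events
        if get_path(ev, "eventName") == "CreateUser"
    ]


if __name__ == "__main__":
    events = parse_log_lines(SAMPLE_LOG)
    for row in failed_console_logins(events):
        print(row)
    for row in new_iam_users(events):
        print(row)
```

Running the block prints one grouped row per distinct (IP, reason, region, ARN, MFA) combination, which is the shape the Insights widget displays on the dashboard; the successful login and the CreateRole event are dropped by the filters, just as they would be in the console.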
Note: The CloudWatch Logs Insights Console has a few sample queries to start with under Sample queries. Refer to this document for more information.
End of Lab Exercises
Thank you for using this lab.