Logs Insights

Querying CloudTrail Logs in Logs Insights

CloudWatch Logs Insights enables you to interactively search and analyze your log data in Amazon CloudWatch Logs. You can perform queries to help you more efficiently and effectively respond to operational issues. If an issue occurs, you can use CloudWatch Logs Insights to identify potential causes and validate deployed fixes.

CloudWatch Logs Insights automatically discovers fields in logs from AWS services such as Amazon Route 53, AWS Lambda, AWS CloudTrail, and Amazon VPC, and in any application or custom log that emits log events as JSON. In this lab exercise, we will query CloudTrail events delivered to CloudWatch Logs with Logs Insights and add the result to a CloudWatch Dashboard.

  1. Go to the CloudWatch Dashboards
  2. Click Create dashboard
    • Give a dashboard name MyFirstDashboard
    • Click Create dashboard
  3. Select a widget type to configure: Logs table (Explore results from Logs Insights) and click Next
  4. From the drop-down, select the CloudWatch Log Group created during the setup.
  5. In the query pane, enter the following query, which filters for failed console sign-in attempts to the AWS account and also shows whether MFA was used.

    filter eventSource="signin.amazonaws.com" and eventName="ConsoleLogin" and responseElements.ConsoleLogin="Failure"
    | stats count(*) as Total_Count by sourceIPAddress as Source_IP, errorMessage as Reason, awsRegion as AWS_Region, userIdentity.arn as IAM_Arn, additionalEventData.MFAUsed as MFA_Used
    
  6. Click on Run Query to view the results. (Screenshot: Insights Query Returns)

  7. Click on Create widget and you will see your first dashboard created. (Screenshot: CloudWatch Dashboard)

  8. Go to the CloudWatch Logs Insights Console

  9. From the drop-down, select the CloudWatch Log Group created during the setup.

  10. In the query pane, enter the following query, which returns the AWS Region, user name, and ARN of each newly created IAM user.

    filter eventName="CreateUser" | fields awsRegion, requestParameters.userName, responseElements.user.arn
    
  11. Click on Run Query to view the results. (Screenshot: CloudWatch Logs Insights New User Example)
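As an added example (not part of the lab), the following Python reproduces what the two queries in steps 5 and 10 compute, over a few constructed CloudTrail records, so the filter conditions, the nested-field lookups and the grouping keys can be checked offline before the query is pinned to a dashboard; the helper names and the sample account, IP and ARN values are assumptions.

```python
from collections import Counter

def get_field(event, path):
    """Resolve a dotted Logs Insights field name (e.g. userIdentity.arn) in a record."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # missing field, as Insights leaves it empty
        node = node[part]
    return node

def failed_console_logins(events):
    """Mirror of the lab's first query: keep failed ConsoleLogin events and
    count them per (source IP, reason, region, IAM ARN, MFA used)."""
    keys = ("sourceIPAddress", "errorMessage", "awsRegion",
            "userIdentity.arn", "additionalEventData.MFAUsed")
    counts = Counter()
    for ev in events:
        if (get_field(ev, "eventSource") == "signin.amazonaws.com"
                and get_field(ev, "eventName") == "ConsoleLogin"
                and get_field(ev, "responseElements.ConsoleLogin") == "Failure"):
            counts[tuple(get_field(ev, k) for k in keys)] += 1
    return counts

def new_iam_users(events):
    """Mirror of the lab's second query: region, user name and ARN per CreateUser."""
    fields = ("awsRegion", "requestParameters.userName", "responseElements.user.arn")
    return [{f: get_field(ev, f) for f in fields}
            for ev in events if get_field(ev, "eventName") == "CreateUser"]

def login_event(ip, arn, outcome, mfa, reason=None):
    """Constructed minimal ConsoleLogin record in CloudTrail's JSON shape (sample data)."""
    ev = {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
          "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": {"arn": arn},
          "responseElements": {"ConsoleLogin": outcome},
          "additionalEventData": {"MFAUsed": mfa}}
    if reason:
        ev["errorMessage"] = reason
    return ev

ALICE = "arn:aws:iam::123456789012:user/alice"
SAMPLE_EVENTS = [  # constructed sample events, not real account data
    login_event("198.51.100.7", ALICE, "Failure", "No", "Failed authentication"),
    login_event("198.51.100.7", ALICE, "Failure", "No", "Failed authentication"),
    login_event("203.0.113.9", "arn:aws:iam::123456789012:user/bob", "Success", "Yes"),
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "requestParameters": {"userName": "svc-deploy"},
     "responseElements": {"user": {"arn": "arn:aws:iam::123456789012:user/svc-deploy"}}},
]
```

Running `failed_console_logins(SAMPLE_EVENTS)` groups the two failed attempts into one row with a count of 2 and drops the successful login, which is the same row the Logs table widget shows.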

Note: The CloudWatch Logs Insights Console has a few sample queries to start with under Sample queries. Refer to this document for more information.

End of Lab Exercises

Thank you for using this lab.