Viewing and filtering captured CloudTrail Logs and Events

With the Trail created, you can now view the captured events and filter them using the Event history option in the CloudTrail dashboard's navigation pane. Here, you can view the last 7 days of captured events and narrow them down using one or more of the supported filter attributes.

Here's a quick look at the Filter attributes that you can use in conjunction with the Time range to extract the required events and logs:

  • Event ID: Each event captured by CloudTrail has a unique ID that you can filter and view.
  • Event name: The name of the event. For example, EC2 events RunInstances, DescribeInstances, and so on.
  • Event source: The AWS service to which the request was made. For example, iam.amazonaws.com or ec2.amazonaws.com.
  • Resource name: The name or ID of the resource referenced by the event. For example, a bucket named useast-prod-wordpress-code or an instance ID i-1234567 for an EC2 instance.
  • Resource type: The type of resource referenced by the event. For example, a resource type can be a Bucket for S3, an Instance for EC2, and so on.
  • User name: The name of the user who performed the action recorded in the event. For example, an IAM user logging in to the AWS Management Console.

Once you have selected a particular filter and provided its attribute value, you can use the Time range to narrow your search results to a predefined time window. To analyze further, you can select the View event option in the details pane of an event. Selecting this option displays the event in JSON format, as shown in the following code:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAIZZ25SDDZAQTF2K3I",
        "arn": "arn:aws:iam::01234567890:user/yohan",
        "accountId": "01234567890",
        "accessKeyId": "ASDF56HJERW9PQRST",
        "userName": "yohan",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2017-11-07T08:13:26Z"
            }
        },
        "invokedBy": "signin.amazonaws.com"
    },
    "eventTime": "2017-11-07T08:25:32Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "CreateBucket",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "80.82.129.191",
    "userAgent": "signin.amazonaws.com",
    "requestParameters": {
        "bucketName": "sometempbucketname"
    },
    "responseElements": null,
    "requestID": "163A30A312B21AB2",
    "eventID": "e7b7dff6-f196-4358-be64-aae1f5e7fed6",
    "eventType": "AwsApiCall",
    "recipientAccountId": "01234567890"
}
You can additionally select the Download icon and choose whether to export the listed events using the Export to CSV or the Export to JSON option.

Alternatively, you can download the log files directly from your CloudTrail S3 bucket, where they are stored as individual compressed JSON files, and pick only the ones you need.
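The following is an added example, not code from the book or from AWS, showing how to work with those downloaded files offline: a CloudTrail log object is a gzip-compressed JSON document with a top-level "Records" array, and the snippet reproduces the console's filter attributes (event name, event source, user name) in code and adds a simple check for console-initiated calls made without MFA, which is exactly what the sample event above records. The records, the user alice and the second event ID are constructed for the example.

```python
import gzip
import json

# Constructed sample records (not real account data). The first mirrors the
# CreateBucket event shown above; the second is a contrasting MFA-backed call.
SAMPLE_RECORDS = [
    {
        "userIdentity": {
            "type": "IAMUser", "userName": "yohan",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
            "invokedBy": "signin.amazonaws.com",
        },
        "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "sometempbucketname"},
        "eventID": "e7b7dff6-f196-4358-be64-aae1f5e7fed6",
    },
    {
        "userIdentity": {
            "type": "IAMUser", "userName": "alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
            "invokedBy": "signin.amazonaws.com",
        },
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "eventID": "11111111-2222-3333-4444-555555555555",  # constructed ID
    },
]

# The bytes you would get by downloading one log object from the trail's bucket:
# gzip-compressed JSON wrapping the events in a "Records" array.
LOG_FILE = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode("utf-8"))


def load_records(gz_bytes):
    """Decompress one downloaded CloudTrail log file and return its Records list."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))["Records"]


def filter_events(records, **wanted):
    """Mirror the console's filter attributes (eventName, eventSource, userName)."""
    def field(r, key):
        return r.get("userIdentity", {}).get(key) if key == "userName" else r.get(key)
    return [r for r in records if all(field(r, k) == v for k, v in wanted.items())]


def console_calls_without_mfa(records):
    """Detection check: console-initiated API calls made from a session without MFA."""
    hits = []
    for r in records:
        ident = r.get("userIdentity", {})
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        if ident.get("invokedBy") == "signin.amazonaws.com" and mfa == "false":
            hits.append(r["eventID"])
    return hits
```

Run over a real log object, the same three functions let you answer the console's questions locally and keep a record of non-MFA console activity for review.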

With this, we come to the end of this section. You can follow these same steps to create separate Trails for capturing data events as well as management events. In the next section, we will see how to use the AWS CLI to update our newly created Trail.
