I'm trying to ingest the AWS logs that are stored in a centralised S3 bucket. I configured SQS so the files get picked up and pushed to the Elastic Cloud index.
I'm facing the following problems:
When I look at the logs, each line from the log file is stored as a separate document.
I'm getting a "gzip: invalid header" error while ingesting the WAF and CloudTrail logs.
@ChrsMark Or can you give me a sample config file to read logs from an S3 bucket that contains CloudTrail, CloudFront, VPC flow logs, CloudWatch and WAF logs?
CloudTrail logs are in JSON format, so expand_event_list_from_field is needed to decode the JSON.
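For example, a minimal S3 input along these lines should do it (a sketch only; the queue URL is a placeholder, and CloudTrail wraps its events in a top-level Records array):

```yaml
filebeat.inputs:
- type: s3
  # SQS queue that receives the S3 object-created notifications (placeholder URL)
  queue_url: https://sqs.us-east-1.amazonaws.com/123456789012/cloudtrail-queue
  # CloudTrail objects are JSON with a top-level "Records" array;
  # this setting splits each record into its own event
  expand_event_list_from_field: Records
```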
Or you can use the cloudtrail fileset directly in Filebeat. You can run ./filebeat modules enable aws and then in modules.d/aws.yml you should see a section for CloudTrail logs.
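Once filled in, that section looks roughly like this (again, the queue URL is just a placeholder):

```yaml
- module: aws
  cloudtrail:
    enabled: true
    # SQS queue receiving notifications for the bucket with the CloudTrail logs (placeholder URL)
    var.queue_url: https://sqs.us-east-1.amazonaws.com/123456789012/cloudtrail-queue
```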
How can I read files that have the content type application/octet-stream?
I'm streaming the CloudWatch and WAF logs from multiple accounts to a common S3 bucket using Firehose, and those objects have the content type application/octet-stream.
And which content types does Filebeat accept?
@Nithya Sorry for the late response! Right now the S3 input in Filebeat reads files with bufio.NewReader unless the content type is application/x-gzip, in which case it uses gzip.NewReader instead. There is no special reader for application/octet-stream yet.
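In other words, the selection works roughly like the sketch below (illustrative only, not the actual Beats source; the function name is made up):

```go
package s3input

import (
	"bufio"
	"compress/gzip"
	"io"
)

// newObjectReader sketches the content-type based reader selection described above.
func newObjectReader(body io.Reader, contentType string) (*bufio.Reader, error) {
	if contentType == "application/x-gzip" {
		// Gzip objects are decompressed first; a body that is not really gzip
		// but is labelled with this content type is what triggers the
		// "gzip: invalid header" error.
		gz, err := gzip.NewReader(body)
		if err != nil {
			return nil, err
		}
		return bufio.NewReader(gz), nil
	}
	// Anything else, including application/octet-stream, is read as plain
	// line-oriented text.
	return bufio.NewReader(body), nil
}
```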
What error message do you see when you try the config below?