I want to import aws cloudtrail eventTime through logstash

loanshark · April 28, 2021, 7:47am

I want to import aws cloudtrail eventTime through logstash. Works well but fails to get eventTime.

my logstash.conf

input {
  s3 {
    bucket => "xxxxx"
    prefix => "xxxxx"
    sincedb_path => "/etc/logstash/sincedb/cloudtrail"
    temporary_directory => "/etc/logstash/tmp"
    region => "xxxxx"
    type => "cloudtrail"
    codec => "cloudtrail"
  }
}

filter {
  if [type] == "cloudtrail" {
    mutate {
      gsub => [ "eventSource", "\.amazonaws\.com$", "" ]
    }

    if [eventSource] == "elasticloadbalancing" and [eventName] == "describeInstanceHealth" and [userIdentity.userName] == "secret_username" {
      drop {}
    }
  }

  date {
      match => ["eventTime", "ISO8601"]
  }
}

In Kibana, other tables can be checked, but eventTime cannot be found.

system · May 26, 2021, 7:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.