I want to import aws cloudtrail eventTime through logstash

loanshark · April 28, 2021, 7:47am

I want to import aws cloudtrail eventTime through logstash. Works well but fails to get eventTime.

my logstash.conf

input {
  s3 {
    bucket => "xxxxx"
    prefix => "xxxxx"
    sincedb_path => "/etc/logstash/sincedb/cloudtrail"
    temporary_directory => "/etc/logstash/tmp"
    region => "xxxxx"
    type => "cloudtrail"
    codec => "cloudtrail"
  }
}

filter {
  if [type] == "cloudtrail" {
    mutate {
      gsub => [ "eventSource", "\.amazonaws\.com$", "" ]
    }

    if [eventSource] == "elasticloadbalancing" and [eventName] == "describeInstanceHealth" and [userIdentity.userName] == "secret_username" {
      drop {}
    }
  }

  date {
      match => ["eventTime", "ISO8601"]
  }
}

In Kibana, other tables can be checked, but eventTime cannot be found.

system · May 26, 2021, 7:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash with Cloudtrail Logstash	2	1404	March 21, 2017
Cloudtrail to Logstash automatic roll over on prefix date Logstash	1	228	September 1, 2021
Cloudtrail import on ELK Logstash	3	676	September 3, 2018
Cloudtrail log to Logstash Logstash	2	345	October 8, 2019
Cloudtrail logs parsing with logstash Logstash	2	2049	March 21, 2017

I want to import aws cloudtrail eventTime through logstash

Related topics