Logstash cloudtrail plugin

piyush · December 14, 2017, 10:35pm

Hi Team,
I am forwarding aws cloudtrail logs to ES-5.5 and it is forwarded by logstash-5 (using cloudtrail plugin). While preparing visualizations, i realized that for some events "responseElements" field is not organized, it's in array format.

e.g.: i am expecting fields:
responseElements.ipAddressType
responseElements.vpcId

My question is, do i need to work on logstash to organized it more? --- i was assuming logstash-cloudtrail plugin would do this job.

e.g.: "eventName": "DescribeLoadBalancers"

below is not a complete response:

"responseElements": "{"loadBalancers": [{"ipAddressType": "ipv4", "vpcId": "vpc-1111111", "loadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:1111:loadbalancer/net/quuuuuuuulb/4ckkkkkkkk", "type": "network", "state": {"code": "active"}, "dNSName"`

Thanks & Regards...

warkolm · December 14, 2017, 10:43pm

Did you not get the answer you were after here - Kibana cloudtrail visualization?

piyush · December 14, 2017, 10:47pm

Sorry, but no.

The response element field is not formatted, so i can't see field like "responseElements.loadBalancers.ipAddressType"

That thread says:
So when you go to build a visualization you should see fields like responseElements.loadBalancers.ipAddressType in the field list.

system · January 11, 2018, 10:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.