Cloudwatch Subscription Log

The CloudWatch Subscription Log Parser in Observo AI allows users to parse Cloudwatch subscription log events into structured JSON.

Purpose

The CloudWatch Subscription Log Parser is designed to reverse the consolidation of events collected through CloudWatch Subscription. It reverts these merged events back to their original format, ensuring that you can easily analyze and process them in a more structured and meaningful manner. This transform outputs a list of structured events from the single Cloudwatch Subscription Log event.

Usage

Select CloudWatch Subscription Log Parser transform. Add Name (required) and Description (optional).

General Configuration:

  • Bypass Transform: Defaults to disabled. When enabled, this transform is bypassed entirely, allowing the event to pass through without any modifications.

  • Add Filter Conditions: Defaults to disabled. When enabled, events are evaluated against the configured conditions: only events for which the condition is true are processed; all others bypass this transform. Conditions are combined with AND/OR logic and are built with the "+Rule" and "+Group" buttons.

CloudWatch Subscription Log Parser: Enabled: Defaults to enabled, meaning the transform evaluates all events. Toggle Enabled off to stop the transform from processing events and feeding data to the downstream transforms.

Field Name: Field name to parse. This field contains the raw events. Default: message.

Example

Explode/Replace Original Field Content

Scenario: This configuration enables the Cloudwatch Subscription Log Parser transform, which parses the "message" field of the log data.

Cloudwatch Subscription Log Parser

Field Name

message

Input

{
  "host": "someone-mac.local",
  "logEvents": [
    {
      "id": "**********448",
      "message": "{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Metadata\",\"auditID\":\"6134a20d-7699-4311-bfe2-8eb8185a5dec\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/eks-certificates-controller\",\"verb\":\"update\",\"user\":{\"username\":\"eks:certificate-controller\",\"groups\":[\"system:authenticated\"]},\"sourceIPs\":[\"172.16.111.18\"],\"userAgent\":\"eks-certificates-controller/v0.0.0 (linux/amd64) kubernetes/$Format\",\"objectRef\":{\"resource\":\"leases\",\"namespace\":\"kube-system\",\"name\":\"eks-certificates-controller\",\"uid\":\"********\",\"apiGroup\":\"coordination.k8s.io\",\"apiVersion\":\"v1\",\"resourceVersion\":\"60536531\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestReceivedTimestamp\":\"2023-09-21T20:43:41.300753Z\",\"stageTimestamp\":\"2023-09-21T20:43:41.307971Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by RoleBinding \\\"eks:certificate-controller/kube-system\\\" of Role \\\"eks:certificate-controller\\\" to User \\\"eks:certificate-controller\\\"\"}}",
      "timestamp": 1695329022421
    },
    {
      "id": "*********451",
      "message": "{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Metadata\",\"auditID\":\"9acfbded-797a-4bc1-bca6-cf6e8eddbba3\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler?timeout=5s\",\"verb\":\"get\",\"user\":{\"username\":\"system:kube-scheduler\",\"groups\":[\"system:authenticated\"]},\"sourceIPs\":[\"172.16.111.18\"],\"userAgent\":\"kube-scheduler/v1.24.16 (linux/amd64) kubernetes/af930c1/leader-election\",\"objectRef\":{\"resource\":\"leases\",\"namespace\":\"kube-system\",\"name\":\"kube-scheduler\",\"apiGroup\":\"coordination.k8s.io\",\"apiVersion\":\"v1\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestReceivedTimestamp\":\"2023-09-21T20:43:42.331217Z\",\"stageTimestamp\":\"2023-09-21T20:43:42.338897Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kube-scheduler\\\" of ClusterRole \\\"system:kube-scheduler\\\" to User \\\"system:kube-scheduler\\\"\"}}",
      "timestamp": 1695329022421
    }, ...
  ],
  "logGroup": "/aws/eks/*****-prod-manager/cluster",
  "logStream": "kube-apiserver-audit-******",
  "messageType": "DATA_MESSAGE",
  "owner": "******",
  "source_type": "stdin",
  "subscriptionFilters": [
    "AllowAll"
  ],
  "timestamp": "2023-09-21T20:44:48.994Z"
}

Output

{
  "apiVersion": "audit.k8s.io/v1",
  "auditID": "6134a20d-7699-4311-bfe2-8eb8185a5dec",
  "id": "*********448",
  "kind": "Event",
  "level": "Metadata",
  ...
  "userAgent": "eks-certificates-controller/v0.0.0 (linux/amd64) kubernetes/$Format",
  "verb": "update"
}
{
  "apiVersion": "audit.k8s.io/v1",
  "auditID": "9acfbded-797a-4bc1-bca6-cf6e8eddbba3",
  "id": "*********451",
  "kind": "Event",
  "level": "Metadata",
  ...
  "userAgent": "kube-scheduler/v1.24.16 (linux/amd64) kubernetes/af930c1/leader-election",
  "verb": "get"
} ...

Results: The parsed data is exploded into one structured event per entry and replaces the original "message" field content.

Cloudwatch Subscription Log Parser Best Practices

To effectively utilize the CloudWatch Subscription Log Parser in Observo AI pipelines, follow these best practices to ensure accurate parsing, efficient event processing, and structured output for downstream analysis:

Field Parsing

  • Specify the Correct Field Name: Set the Field Name to the field containing the raw events, typically “message”, as this is the default field where CloudWatch Subscription Log events store serialized data. Ensure the specified field contains valid JSON data to avoid parsing errors.

  • Handle Nested JSON Structures: The parser is designed to extract and deserialize nested JSON from the specified field such as “message” within “logEvents”. Verify that the input field contains properly formatted JSON to ensure all nested fields are correctly exploded into structured events.

  • Replace Original Field Content: Configure the parser to explode and replace the original field content with structured JSON output. This ensures the output is a list of individual events, each containing fields like apiVersion, auditID, kind, etc., for easier querying and analysis.

Event Filtering

  • Use Filter Conditions for Targeted Processing: Enable Add Filter Conditions to process only relevant events, such as those from specific log groups or streams. Use AND/OR conditions with +Rule or +Group buttons to define precise filtering logic, reducing unnecessary processing and improving pipeline efficiency.

  • Bypass Non-Relevant Events: Leverage the Bypass Transform option to allow non-relevant events to pass through unmodified. This is useful when only a subset of CloudWatch Subscription Log events requires parsing, preserving other events for downstream transforms, or when testing warrants bypassing the transform entirely.

Transform Configuration

  • Enable or Disable Processing: Keep the Enabled toggle set to true (default) to process all events, or toggle it off to prevent parsing and pass events directly to downstream transforms. Use this selectively to control which pipeline stages process CloudWatch Subscription Log data.

  • Provide Descriptive Names and Descriptions: Assign a clear Name (required) to the transform for easy identification in the pipeline. Add an optional Description to document the parser’s purpose, such as parsing Kubernetes audit logs from a specific CloudWatch log group, to improve maintainability.

Output Optimization

  • Ensure Structured JSON Output: The parser outputs a list of structured events, each with fields extracted from the raw message field, such as auditID, verb, and userAgent. Verify that the output fields align with downstream analysis requirements, such as SIEM ingestion or metric generation.

  • Validate Output for Completeness: Check that all relevant fields from the original event, such as kind, apiVersion, and responseStatus, are preserved in the output. This ensures no critical data is lost during the parsing process, maintaining data integrity for subsequent processing.

Example Application

  • Scenario Example: When parsing Kubernetes audit logs from a CloudWatch Subscription Log, configure the parser to target the message field within logEvents. Apply filter conditions to process only events from a specific logGroup such as /aws/eks/prod-manager/cluster or with specific attributes such as verb=update. The parser will output structured JSON events, each containing fields like auditID, user, and requestURI, ready for analysis or correlation in SIEM systems.

By following these best practices, the CloudWatch Subscription Log Parser ensures accurate extraction and structuring of log events, optimizing them for efficient querying, analysis, and integration with downstream Observo AI pipeline components.
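The explode-and-replace behaviour shown in the Example section and the logGroup / verb filtering described in the Scenario Example above, as an added illustration in Python. This is not Observo AI's implementation: the record is a constructed sample in the same shape as the page's input (placeholder ids and log group), only the logEvents id is carried into each output event, and a non-JSON message is kept with a parse_error marker rather than being dropped.

```python
import json

# Constructed sample record in the shape of a CloudWatch subscription log event.
# One message is deliberately not JSON to exercise the parse-error path.
SAMPLE_RECORD = {
    "host": "someone-mac.local",
    "logGroup": "/aws/eks/example-prod-manager/cluster",  # placeholder log group
    "logStream": "kube-apiserver-audit-example",           # placeholder stream
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {"id": "1", "timestamp": 1695329022421,
         "message": json.dumps({"kind": "Event", "verb": "update", "auditID": "a-1"})},
        {"id": "2", "timestamp": 1695329022421,
         "message": json.dumps({"kind": "Event", "verb": "get", "auditID": "a-2"})},
        {"id": "3", "timestamp": 1695329022421,
         "message": "not json at all"},
    ],
}


def explode_subscription_log(record, field_name="message"):
    """Reverse the subscription consolidation: one structured event per logEvents entry.

    The parsed JSON replaces the raw field; the entry's id is kept on the output event.
    """
    events = []
    for entry in record.get("logEvents", []):
        raw = entry.get(field_name)
        try:
            parsed = json.loads(raw) if isinstance(raw, str) else None
        except json.JSONDecodeError:
            parsed = None
        if not isinstance(parsed, dict):
            # Invalid or non-object JSON: keep the raw text and flag it instead of dropping it,
            # so downstream consumers can see that an event failed to parse.
            events.append({"id": entry.get("id"), field_name: raw, "parse_error": True})
            continue
        out = dict(parsed)
        out["id"] = entry.get("id")
        events.append(out)
    return events


def matches(record, event, log_group=None, verb=None):
    """AND-combined filter rules: logGroup comes from the envelope, verb from the parsed event."""
    if log_group is not None and record.get("logGroup") != log_group:
        return False
    if verb is not None and event.get("verb") != verb:
        return False
    return True


def parse_and_filter(record, log_group=None, verb=None, field_name="message"):
    """Explode the record, then keep only events that satisfy the given rules."""
    return [e for e in explode_subscription_log(record, field_name)
            if matches(record, e, log_group, verb)]
```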
