cloudtrail-log-processor

module v0.0.0-...-4e65831
Published: Mar 13, 2021 License: Apache-2.0

README

cloudtrail-log-processor

This project illustrates how you can process and filter CloudTrail logs with a Lambda function to produce a clean feed for downstream processing systems.

Why

This project provides a simple way to operate both a detailed CloudTrail feed and a filtered "clean" feed with much of the noise removed, so that it can be consumed by SIEM products. It doesn't change the structure or format of the data; it only filters entries according to a configuration.

Configuration

The CloudFormation template contains a block of YAML (or JSON, if you prefer) that declares rules. These rules are evaluated as each CloudTrail log file is processed, and matching entries are dropped.

The configuration looks like this:

---
rules:
- name: check_kms
  matches:
  - field_name: eventName
    matches: ".*crypt"
  - field_name: eventSource
    matches: "kms.*"

The CloudTrail fields that can be used to filter records are:

  • eventName
  • eventSource
  • awsRegion
  • recipientAccountId
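How this rule evaluation could be implemented, as an added example that is not the project's own code. It reads the JSON form of the configuration above, compiles each pattern once, rejects unknown field names (a typo there would otherwise match the empty string and could drop everything), and assumes that every matcher in a rule must match for the record to be dropped and that patterns are unanchored; the README does not state either point.

```go
package main

import "encoding/json"
import "fmt"
import "regexp"

// Rule mirrors the README rule schema in its JSON form.
type Rule struct {
	Name    string `json:"name"`
	Matches []struct {
		FieldName string `json:"field_name"`
		Matches   string `json:"matches"`
		re        *regexp.Regexp // compiled once by Compile, not per record
	} `json:"matches"`
}
var allowedFields = map[string]bool{"eventName": true, "eventSource": true, "awsRegion": true, "recipientAccountId": true}
// Compile fails early on an unknown field or bad regex, so a typo breaks deployment instead of silently misfiltering.
func Compile(cfgJSON []byte) ([]Rule, error) {
	var cfg struct{ Rules []Rule `json:"rules"` }
	if err := json.Unmarshal(cfgJSON, &cfg); err != nil {
		return nil, err
	}
	for j := range cfg.Rules {
		r := &cfg.Rules[j]
		for i, m := range r.Matches {
			re, err := regexp.Compile(m.Matches)
			if err != nil || !allowedFields[m.FieldName] {
				return nil, fmt.Errorf("rule %q: field %q / regex %q: %v", r.Name, m.FieldName, m.Matches, err)
			}
			r.Matches[i].re = re
		}
	}
	return cfg.Rules, nil
}

// DroppedBy returns the first rule whose every pattern matches rec (assumed AND within a rule); "" keeps it, and an empty rule never drops.
func DroppedBy(rules []Rule, rec map[string]any) string {
next:
	for _, r := range rules {
		for _, m := range r.Matches {
			if v, _ := rec[m.FieldName].(string); !m.re.MatchString(v) {
				continue next
			}
		}
		if len(r.Matches) > 0 {
			return r.Name
		}
	}
	return ""
}
```

Each record passed to DroppedBy is one element of the "Records" array in a CloudTrail log file, decoded as a generic map so the record itself is never reshaped.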

License

This application is released under the Apache 2.0 license and is copyright Mark Wolfe.

Directories

Path Synopsis
cmd
filter-lambda command
internal
Package mocks is a generated GoMock package.
