如何在使用 AWS CloudTrail 处理库时获取 "resource name"
How to get the "resource name" while using the AWS CloudTrail processing library
我正在使用 AWS CloudTrail processing library 从 AWS 中提取 Cloudtrail 日志。在下面事件历史的屏幕截图图像中(取自 CloudTrail Web 控制台),受更改影响的存储桶的名称反映在列下方: Resource name 。如何使用 aws-cloudtrail-processing-library 检索相同的值。库 returns CloudTrail 保存日志文件的存储桶的名称,而不是受影响的存储桶(突出显示)。此外,即使从存储桶中下载日志后,我也看不到此信息。
这是我处理的片段 class:
public class AuditorCloudTrail {
public static void main(String[] args) throws InterruptedException {
final Log logger = LogFactory.getLog(AuditorCloudTrail.class);
final AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
new AuditorEventsProcessor(), new AuditorCloudTrailConfig()).withSourceFilter(new AuditorSourceFilter())
.withProgressReporter(new AuditorProgressReporter()).withEventFilter(new AuditorEventsFilter())
.withExceptionHandler(new AuditorExceptionHandler()).build();
executor.start();
// add shut down hook to gracefully stop executor (optional)
Runtime.getRuntime().addShutdownHook(new Thread() {
public void run() {
logger.info("Shut Down Hook is called.");
executor.stop();
}
});
// register a Default Uncaught Exception Handler (optional)
Thread.setDefaultUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() {
@Override
public void uncaughtException(Thread t, Throwable e) {
// Two options here:
// First, we can call System.exit(1); in such case shut down hook will be
// called.
// Second, we can optionally restart another executor and start.
final AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
new AuditorEventsProcessor(), new AuditorCloudTrailConfig()).withSourceFilter(new AuditorSourceFilter())
.withEventFilter(new AuditorEventsFilter())
.withProgressReporter(new AuditorProgressReporter())
.withExceptionHandler(new AuditorExceptionHandler()).build();
executor.start();
}
});
// can optionally limit running time, or remove both lines so it is running
// forever. (optional)
Thread.sleep(24 * 60 * 60 * 1000);
executor.stop();
}
以及过滤事件的方法:
public boolean filterEvent(CloudTrailEvent event) throws CallbackException {
CloudTrailEventData eventData = event.getEventData();
String eventSource = eventData.getEventSource();
try {
saveEvent(eventData);
} catch (InterruptedException e) {
e.printStackTrace();
}
return (eventSource.equals(IAM_EVENTS) ||
eventSource.equals(S3_EVENTS));
}
我将这个问题作为 issue on the AWS Cloudtrail processing engine's GitHub repository. The answer I received was that this feature is not supported at the moment using the processing engine. Therefore, the workaround was to use Logstash(requires cloudtrail plugin installation) to pull the cloudtrail logs into a mongodbserver from a pre-configured AWS s3 bucket as described here 打开,从中可以使用正常处理来提取所需的事件,包括所涉及的 resources。
我正在使用 AWS CloudTrail processing library 从 AWS 中提取 Cloudtrail 日志。在下面事件历史的屏幕截图图像中(取自 CloudTrail Web 控制台),受更改影响的存储桶的名称反映在列下方: Resource name 。如何使用 aws-cloudtrail-processing-library 检索相同的值。库 returns CloudTrail 保存日志文件的存储桶的名称,而不是受影响的存储桶(突出显示)。此外,即使从存储桶中下载日志后,我也看不到此信息。
这是我处理的片段 class:
public class AuditorCloudTrail {
public static void main(String[] args) throws InterruptedException {
final Log logger = LogFactory.getLog(AuditorCloudTrail.class);
final AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
new AuditorEventsProcessor(), new AuditorCloudTrailConfig()).withSourceFilter(new AuditorSourceFilter())
.withProgressReporter(new AuditorProgressReporter()).withEventFilter(new AuditorEventsFilter())
.withExceptionHandler(new AuditorExceptionHandler()).build();
executor.start();
// add shut down hook to gracefully stop executor (optional)
Runtime.getRuntime().addShutdownHook(new Thread() {
public void run() {
logger.info("Shut Down Hook is called.");
executor.stop();
}
});
// register a Default Uncaught Exception Handler (optional)
Thread.setDefaultUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() {
@Override
public void uncaughtException(Thread t, Throwable e) {
// Two options here:
// First, we can call System.exit(1); in such case shut down hook will be
// called.
// Second, we can optionally restart another executor and start.
final AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
new AuditorEventsProcessor(), new AuditorCloudTrailConfig()).withSourceFilter(new AuditorSourceFilter())
.withEventFilter(new AuditorEventsFilter())
.withProgressReporter(new AuditorProgressReporter())
.withExceptionHandler(new AuditorExceptionHandler()).build();
executor.start();
}
});
// can optionally limit running time, or remove both lines so it is running
// forever. (optional)
Thread.sleep(24 * 60 * 60 * 1000);
executor.stop();
}
以及过滤事件的方法:
public boolean filterEvent(CloudTrailEvent event) throws CallbackException {
CloudTrailEventData eventData = event.getEventData();
String eventSource = eventData.getEventSource();
try {
saveEvent(eventData);
} catch (InterruptedException e) {
e.printStackTrace();
}
return (eventSource.equals(IAM_EVENTS) ||
eventSource.equals(S3_EVENTS));
}
我将这个问题作为 issue on the AWS Cloudtrail processing engine's GitHub repository. The answer I received was that this feature is not supported at the moment using the processing engine. Therefore, the workaround was to use Logstash(requires cloudtrail plugin installation) to pull the cloudtrail logs into a mongodbserver from a pre-configured AWS s3 bucket as described here 打开,从中可以使用正常处理来提取所需的事件,包括所涉及的 resources。