Notes on using CloudWatch Logs Insights.

CloudTrail logs

Check in the CloudTrail logs which APIs a specific IAM role called.

```
fields @timestamp, eventSource, eventName, @message | filter @message like /eksctl-audit-bridge-addon-iamserviceaccount-Role1-1522OIC96C2M1/ | sort @timestamp desc | limit 20
```
Checking the flags of EKS control plane components

Check the flags that kube-controller-manager was started with.

```
fields @timestamp, @message, @logStream, @log | filter @logStream like "kube-controller-manager" | filter @message like "FLAG" | sort @timestamp desc
```
Pod logs

Logs collected by fluent-bit have the following format:

```json
{
  "log": "[2021/07/12 07:14:27] [ info] [output:cloudwatch_logs:cloudwatch_logs.2] Sent 2 events to CloudWatch\n",
  "stream": "stderr",
  "kubernetes": {
    "pod_name": "fluent-bit-2hx86",
    "namespace_name": "amazon-cloudwatch",
    "pod_id": "41e471dc-ec14-4bbe-bd83-8caecbb4de99",
    "host": "ip-10-2-115-196.ap-northeast-1.compute.internal",
    "container_name": "fluent-bit",
    "docker_id": "c23dcbc5d1fa4fdbca3b0ab5be549495553c2830b7518dec64c31a9249dbff80",
    "container_hash": "amazon/aws-for-fluent-bit@sha256:1d1519cec7815c9cd665c989d745697f0feb07f5c1c73c192548a6cf53250466",
    "container_image": "amazon/aws-for-fluent-bit:2.10.0"
  }
}
```

Filter by Pod name and show only the log body.

```
fields @timestamp, log | filter kubernetes.pod_name like "fluent-bit" | sort @timestamp desc | limit 20
```
Using it from the CLI

Try the same query from the CLI.

```
start_time=$(gdate --date "1 hour ago" +%s)
end_time=$(gdate --date now +%s)
aws logs start-query \
  --log-group-name '/aws/containerinsights/falco/application' \
  --start-time ${start_time} \
  --end-time ${end_time} \
  --query-string 'fields @timestamp, log | filter kubernetes.pod_name like "fluent-bit" | sort @timestamp desc | limit 20'
```

```json
{
    "queryId": "2d8a1658-6b62-4db8-b687-99c8790d0161"
}
```

```
$ aws logs get-query-results --query-id "2d8a1658-6b62-4db8-b687-99c8790d0161"
{
    "results": [
        [
            {
                "field": "@timestamp",
                "value": "2021-07-12 07:40:12.600"
            },
            {
                "field": "log",
                "value": "[2021/07/12 07:40:12] [ info] [output:cloudwatch_logs:cloudwatch_logs.2] Sent 2 events to CloudWatch\n"
            },
            {
                "field": "@ptr",
                "value": "CnIKOQo1MTkwMTg5MzgyOTAwOi9hd3MvY29udGFpbmVyaW5zaWdodHMvZmFsY28vYXBwbGljYXRpb24QABI1GhgCBgJ8V/EAAAAEj2q/kgAGDr8WoAAAABIgASiirpzNqS8wuIujzakvOBJAkFhIlBlQ8hEQERgB"
            }
        ],
        [
            (snip)
        ]
    ],
    "statistics": {
        "recordsMatched": 1970.0,
        "recordsScanned": 1994.0,
        "bytesScanned": 1253144.0
    },
    "status": "Complete"
}
```
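The start-query / get-query-results flow above, together with the query-building from the earlier sections, as an added Python example (not part of the original memo). It wraps boto3's `start_query` and `get_query_results` with a polling loop on the `status` field, since `start-query` only returns a `queryId` and results are partial until the status is `Complete`, and it flattens the `field`/`value` rows into plain dicts. Assumptions: boto3 and AWS credentials for a live run; `FakeLogsClient`, `SAMPLE_RESPONSES` and `ROLE_API_SUMMARY_QUERY` (with its `<ROLE_NAME>` placeholder, and the assumption that CloudTrail JSON fields are addressable directly in Logs Insights) are constructed for this example and do not come from the page.

```python
import time
from datetime import datetime, timedelta, timezone

# The memo's Pod-log query, split across lines for readability.
POD_LOG_QUERY = (
    'fields @timestamp, log '
    '| filter kubernetes.pod_name like "fluent-bit" '
    '| sort @timestamp desc | limit 20'
)
# Added variant of the CloudTrail query: assumes CloudTrail events in the log group are
# JSON, so the issuing role can be matched on a parsed field instead of grepping @message,
# and the calls summarised per API. <ROLE_NAME> is a placeholder.
ROLE_API_SUMMARY_QUERY = (
    'filter userIdentity.sessionContext.sessionIssuer.arn like "<ROLE_NAME>" '
    '| stats count(*) as calls by eventSource, eventName '
    '| sort calls desc'
)


def flatten_results(results, drop_ptr=True):
    """Convert the get-query-results row shape (list of [{field, value}, ...]) into
    dicts keyed by field name. @ptr is an opaque record pointer the service returns
    for follow-up lookups; it is dropped by default."""
    rows = []
    for row in results:
        rows.append({c["field"]: c["value"] for c in row
                     if not (drop_ptr and c["field"] == "@ptr")})
    return rows


def run_query(client, log_group, query, hours=1, poll_interval=1.0, timeout=60.0, now=None):
    """start_query, then poll get_query_results until the status leaves Scheduled/Running.
    Raises if the query fails, is cancelled, or does not finish within `timeout` seconds."""
    now = now or datetime.now(timezone.utc)        # replaces the memo's gdate arithmetic
    start_ts = int((now - timedelta(hours=hours)).timestamp())
    end_ts = int(now.timestamp())
    query_id = client.start_query(logGroupName=log_group, startTime=start_ts,
                                  endTime=end_ts, queryString=query)["queryId"]
    deadline = time.monotonic() + timeout
    while True:
        resp = client.get_query_results(queryId=query_id)
        if resp["status"] not in ("Scheduled", "Running"):
            break
        if time.monotonic() > deadline:
            client.stop_query(queryId=query_id)    # do not leave the query running server-side
            raise TimeoutError(f"query {query_id} still {resp['status']} after {timeout}s")
        time.sleep(poll_interval)
    if resp["status"] != "Complete":
        raise RuntimeError(f"query {query_id} ended with status {resp['status']}")
    return flatten_results(resp["results"]), resp.get("statistics", {})


# Constructed offline fixture modelled on the get-query-results output shown above:
# one Running poll, then the Complete response.
SAMPLE_RESPONSES = [
    {"status": "Running", "results": [], "statistics": {}},
    {
        "status": "Complete",
        "results": [[
            {"field": "@timestamp", "value": "2021-07-12 07:40:12.600"},
            {"field": "log", "value": "[2021/07/12 07:40:12] [ info] "
             "[output:cloudwatch_logs:cloudwatch_logs.2] Sent 2 events to CloudWatch\n"},
            {"field": "@ptr", "value": "constructed-ptr"},
        ]],
        "statistics": {"recordsMatched": 1970.0, "recordsScanned": 1994.0, "bytesScanned": 1253144.0},
    },
]


class FakeLogsClient:
    """Constructed stand-in for boto3's 'logs' client so the flow runs without AWS access.
    Serves canned responses in order and keeps returning the last one."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.calls = []

    def start_query(self, **kwargs):
        self.calls.append(("start_query", kwargs))
        return {"queryId": "constructed-query-id"}

    def get_query_results(self, queryId):
        self.calls.append(("get_query_results", queryId))
        return self._responses.pop(0) if len(self._responses) > 1 else self._responses[0]

    def stop_query(self, queryId):
        self.calls.append(("stop_query", queryId))
        return {"success": True}


def demo_offline():
    """Run the memo's Pod-log query against the fake client at a fixed 'now'."""
    client = FakeLogsClient(SAMPLE_RESPONSES)
    fixed_now = datetime(2021, 7, 12, 7, 41, tzinfo=timezone.utc)
    rows, stats = run_query(client, "/aws/containerinsights/falco/application",
                            POD_LOG_QUERY, poll_interval=0, now=fixed_now)
    return rows, stats, client.calls


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        import boto3  # live run: needs credentials with logs:StartQuery and logs:GetQueryResults
        rows, stats = run_query(boto3.client("logs"),
                                "/aws/containerinsights/falco/application", POD_LOG_QUERY)
    else:
        rows, stats, _ = demo_offline()
    for r in rows:
        print(r["@timestamp"], r["log"].rstrip())
    print(stats)
```

Run it with no arguments to exercise the offline fixture, or with `--live` against a real log group. The `statistics` block is worth keeping in the output: `recordsScanned` and `bytesScanned` show how much data a query touched, which is the number that drives Logs Insights cost when a filter is too broad.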