Hands-on (simplified): Introduction to CFn templates (EC2::VolumeAttachment)

4.3. Retrieving CloudWatch Logs log events (log filter: /var/log/secure)

Purpose of this step [why]

Retrieve log events from the CloudWatch Logs log group "/var/log/secure" using a log filter. This group is fed by the CloudWatch agent on the EC2 instance and holds the host's authentication and account-management records (sshd, useradd, groupadd, PAM), so it is the first place to look when checking who logged in and what accounts were changed.

Specifying the configuration values

Store the values this step needs in shell variables.

0. Specifying the region

Specify the region.

Environment variable:

export AWS_DEFAULT_REGION='ap-northeast-1'

1. CloudWatch Logs log group name

Specify the CloudWatch Logs log group name.

Variable:

LOGS_GROUP_NAME='/var/log/secure'

2. Number of log events

Specify the number of log events to retrieve. Note that --max-items is a client-side limit applied by the AWS CLI: if the group holds more events than this, the response also carries a NextToken that you can pass back with --starting-token to fetch the rest.

Variable:

LOGS_EVENT_MAX_ITEMS='23'

Checking the configuration values

Confirm that each variable holds the intended value before proceeding.

Checking the variables:

cat << END

  # 0. AWS_DEFAULT_REGION:"ap-northeast-1"
       AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION}"

  # 1. LOGS_GROUP_NAME:"/var/log/secure"
       LOGS_GROUP_NAME="${LOGS_GROUP_NAME}"
  # 2. LOGS_EVENT_MAX_ITEMS:"23"
       LOGS_EVENT_MAX_ITEMS="${LOGS_EVENT_MAX_ITEMS}"

END

If the lower line of a pair is empty, or does not hold the same value as the upper line, go back to that numbered step and set the variable again.

Running the procedure

Retrieve the CloudWatch Logs log events using the log filter. With no --filter-pattern or --start-time, filter-log-events returns events from every stream in the group, oldest first, up to the --max-items limit.

Checking the variables:

cat << END

  # LOGS_GROUP_NAME:"/var/log/secure"
    LOGS_GROUP_NAME="${LOGS_GROUP_NAME}"
  # LOGS_EVENT_MAX_ITEMS:"23"
    LOGS_EVENT_MAX_ITEMS="${LOGS_EVENT_MAX_ITEMS}"

END

Command:

aws logs filter-log-events \
  --log-group-name "${LOGS_GROUP_NAME}" \
  --max-items "${LOGS_EVENT_MAX_ITEMS}"

Result (example):

{
    "events": [
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: new group: name=ec2-user, GID=1000",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: new user: name=ec2-user, UID=1000, GID=1000, home=/home/ec2-user, shell=/bin/bash",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: add 'ec2-user' to group 'adm'",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: add 'ec2-user' to group 'wheel'",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: add 'ec2-user' to group 'systemd-journal'",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: add 'ec2-user' to shadow group 'adm'",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: add 'ec2-user' to shadow group 'wheel'",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: add 'ec2-user' to shadow group 'systemd-journal'",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:36 ip-10-0-3-9 sshd[2340]: Server listening on 0.0.0.0 port 22.",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:36 ip-10-0-3-9 sshd[2340]: Server listening on :: port 22.",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:47 ip-10-0-3-9 sshd[2340]: Received signal 15; terminating.",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:47 ip-10-0-3-9 sshd[2390]: Server listening on 0.0.0.0 port 22022.",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:42:47 ip-10-0-3-9 sshd[2390]: Server listening on :: port 22022.",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:43:06 ip-10-0-3-9 groupadd[6511]: group added to /etc/group: name=cwagent, GID=993",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:43:06 ip-10-0-3-9 groupadd[6511]: group added to /etc/gshadow: name=cwagent",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333795357,
            "message": "Aug 19 00:43:06 ip-10-0-3-9 groupadd[6511]: new group: name=cwagent, GID=993",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629333800357,
            "message": "Aug 19 00:43:06 ip-10-0-3-9 useradd[6517]: new user: name=cwagent, UID=995, GID=993, home=/home/cwagent, shell=/sbin/nologin",
            "ingestionTime": 1629333810723,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629334650559,
            "message": "Aug 19 00:57:30 ip-10-0-3-9 sshd[6660]: error: AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys ec2-user SHA256:ph97aJZukd3+FG8Z/1wQ378zWQ3HpSUPDFvAPK5Z5QE failed, status 22",
            "ingestionTime": 1629334665592,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629334650559,
            "message": "Aug 19 00:57:30 ip-10-0-3-9 sshd[6660]: Accepted publickey for ec2-user from 13.231.219.193 port 51278 ssh2: RSA SHA256:ph97aJZukd3+FG8Z/1wQ378zWQ3HpSUPDFvAPK5Z5QE",
            "ingestionTime": 1629334665592,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629334655357,
            "message": "Aug 19 00:57:30 ip-10-0-3-9 sshd[6660]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)",
            "ingestionTime": 1629334665592,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629334663315,
            "message": "Aug 19 00:57:43 ip-10-0-3-9 sshd[6679]: Received disconnect from 13.231.219.193 port 51278:11: disconnected by user",
            "ingestionTime": 1629334665592,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629334663315,
            "message": "Aug 19 00:57:43 ip-10-0-3-9 sshd[6679]: Disconnected from 13.231.219.193 port 51278",
            "ingestionTime": 1629334665592,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "timestamp": 1629334667357,
            "message": "Aug 19 00:57:43 ip-10-0-3-9 sshd[6660]: pam_unix(sshd:session): session closed for user ec2-user",
            "ingestionTime": 1629334682549,
            "eventId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        }
    ],
    "searchedLogStreams": [
        {
            "logStreamName": "i-xxxxxxxxxxxxxxxxx",
            "searchedCompletely": true
        }
    ]
}
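The raw JSON above is what the CLI returns; what a practitioner actually wants from /var/log/secure is a short triage list: who logged in over SSH and from where, which logins failed, whether sshd was rebound to another port, and which accounts were created or added to privileged groups. The following script is an added example written for this page, not part of the original hands-on or of any AWS tool. It parses a filter-log-events response (from stdin, or the constructed SAMPLE_OUTPUT when run without input) and applies a handful of regex rules to the syslog-shaped messages. SAMPLE_OUTPUT reuses messages from the example result above plus one constructed "Failed password" line from a TEST-NET address that does not appear in the page's output; the rule set, severities and field names are the author's assumptions, not an AWS or syslog standard.

```python
"""Triage /var/log/secure events returned by `aws logs filter-log-events`.

Usage (example, not part of the original hands-on):
  aws logs filter-log-events --log-group-name /var/log/secure --max-items 23 \
    | python3 triage_secure.py
With no data on stdin, the constructed SAMPLE_OUTPUT below is used instead.
"""
import json
import re
import sys

# Syslog layout used by /var/log/secure: "Mon DD HH:MM:SS host prog[pid]: text"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<text>.*)$"
)
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}

# (kind, default severity, program, regex over the text after "prog[pid]: ")
# Rule names and severities are assumptions made for this example.
RULES = [
    ("ssh_login_ok", "info", "sshd",
     re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("ssh_login_failed", "medium", "sshd",
     re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("sshd_listen", "info", "sshd",
     re.compile(r"^Server listening on (?P<addr>\S+) port (?P<port>\d+)\.")),
    ("authorized_keys_cmd_error", "low", "sshd",
     re.compile(r"^error: AuthorizedKeysCommand (?P<cmd>\S+) (?P<user>\S+) ")),
    ("user_created", "medium", "useradd",
     re.compile(r"^new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
                r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)")),
    ("privileged_group_add", "high", "useradd",
     re.compile(r"^add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>wheel|sudo|adm|root)'")),
]


def _evt(ts, message, stream="i-xxxxxxxxxxxxxxxxx"):
    """Build one CloudWatch Logs event dict in the shape filter-log-events returns."""
    return {"logStreamName": stream, "timestamp": ts, "message": message}


# Constructed sample: messages copied from the page's example output, plus one
# constructed failed-login line (198.51.100.7 is a TEST-NET address, not real traffic).
SAMPLE_OUTPUT = {
    "events": [
        _evt(1629333795357, "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: new user: name=ec2-user, "
                            "UID=1000, GID=1000, home=/home/ec2-user, shell=/bin/bash"),
        _evt(1629333795357, "Aug 19 00:42:35 ip-10-0-3-9 useradd[2160]: add 'ec2-user' to group 'wheel'"),
        _evt(1629333795357, "Aug 19 00:42:36 ip-10-0-3-9 sshd[2340]: Server listening on 0.0.0.0 port 22."),
        _evt(1629333795357, "Aug 19 00:42:47 ip-10-0-3-9 sshd[2390]: Server listening on 0.0.0.0 port 22022."),
        _evt(1629333800357, "Aug 19 00:43:06 ip-10-0-3-9 useradd[6517]: new user: name=cwagent, "
                            "UID=995, GID=993, home=/home/cwagent, shell=/sbin/nologin"),
        _evt(1629334650559, "Aug 19 00:57:30 ip-10-0-3-9 sshd[6660]: Accepted publickey for ec2-user "
                            "from 13.231.219.193 port 51278 ssh2: RSA SHA256:ph97aJZukd3+FG8Z/1wQ378zWQ3HpSUPDFvAPK5Z5QE"),
        _evt(1629334700000, "Aug 19 00:58:20 ip-10-0-3-9 sshd[6701]: Failed password for invalid user admin "
                            "from 198.51.100.7 port 40112 ssh2"),
    ],
    "searchedLogStreams": [{"logStreamName": "i-xxxxxxxxxxxxxxxxx", "searchedCompletely": True}],
}


def parse_event(event):
    """Split one log event into syslog fields; None if the message is not syslog-shaped."""
    m = SYSLOG_RE.match(event.get("message", ""))
    if not m:
        return None
    rec = m.groupdict()
    rec["stream"] = event.get("logStreamName")
    rec["timestamp"] = event.get("timestamp")
    return rec


def triage(output):
    """Return one finding dict per event that matches a rule, in event order."""
    findings = []
    for event in output.get("events", []):
        rec = parse_event(event)
        if rec is None:
            continue
        for kind, severity, prog, rx in RULES:
            if rec["prog"] != prog:
                continue
            m = rx.match(rec["text"])
            if not m:
                continue
            f = {"kind": kind, "severity": severity, "stream": rec["stream"],
                 "timestamp": rec["timestamp"], "host": rec["host"], "pid": int(rec["pid"])}
            f.update(m.groupdict())
            if "port" in f:
                f["port"] = int(f["port"])
            if kind == "sshd_listen" and f["port"] != 22:
                f["severity"] = "medium"          # sshd rebound away from the default port
                f["note"] = "sshd listening on a non-default port"
            elif kind == "user_created" and f["shell"].endswith("nologin"):
                f["severity"] = "low"             # service account, no interactive shell
                f["note"] = "non-interactive service account"
            findings.append(f)
            break                                 # first matching rule wins
    return findings


def summarize(findings):
    """Roll the findings up into the questions a reviewer asks first."""
    by_kind = {}
    for f in findings:
        by_kind[f["kind"]] = by_kind.get(f["kind"], 0) + 1
    return {
        "by_kind": by_kind,
        "sshd_ports": sorted({f["port"] for f in findings if f["kind"] == "sshd_listen"}),
        "login_sources": sorted({f["ip"] for f in findings if f["kind"] == "ssh_login_ok"}),
        "failed_login_sources": sorted({f["ip"] for f in findings if f["kind"] == "ssh_login_failed"}),
        "privileged_users": sorted({f["user"] for f in findings if f["kind"] == "privileged_group_add"}),
        "max_severity": max((f["severity"] for f in findings), key=SEVERITY.get, default="info"),
    }


def main():
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    output = json.loads(data) if data.strip() else SAMPLE_OUTPUT
    findings = triage(output)
    print(json.dumps({"findings": findings, "summary": summarize(findings)}, indent=2))


if __name__ == "__main__":
    main()
```

Run against the page's own output, the summary reports sshd on ports 22 and 22022, one accepted public-key login for ec2-user, and ec2-user added to wheel as the highest-severity item; the cwagent account is downgraded because it has no interactive shell. The rules key on the program name before the regex so that, for example, a user-supplied SSH username containing "Accepted publickey" in a useradd line cannot trigger the login rule.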

Completion check

Confirm that "the CloudWatch Logs log group "/var/log/secure" contains log events."

While you are looking at the output, note the entries a reviewer would check in this example: sshd was stopped (signal 15) and restarted listening on port 22022 instead of 22, ec2-user was added to the wheel and adm groups, a cwagent service account was created with /sbin/nologin, and an SSH session for ec2-user was accepted by public key from 13.231.219.193 right after an AuthorizedKeysCommand error for the same key fingerprint. Each of these is expected for this hands-on environment, but they are exactly the kinds of changes you would want to be able to explain on a production host.

Notes

It is fine as long as the main step retrieved events.

End of procedure