Cloudwatch Filters: Difference between revisions
(Created page with " http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html { $.mfaAuthenticated = "false" } { $.userIdentity.type != "AssumedRole" } { ( $.even...") |
No edit summary |
||
(4 intermediate revisions by the same user not shown) | |||
Line 11: | Line 11: | ||
{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != "true" } | { $.userIdentity.sessionContext.attributes.mfaAuthenticated != "true" } | ||
{ ( $.eventSource != "iam.amazonaws.com" ) && ( $.eventSource != "cloudtrail.amazonaws.com" ) && ( $.eventSource != "elasticfilesystem.amazonaws.com" ) && ( $.eventSource != "sts.amazonaws.com" ) && ( $.eventSource != "signin.amazonaws.com" ) && ( $.eventSource != "ec2.amazonaws.com" ) && ( $.eventSource != "logs.amazonaws.com" ) } | |||
{ ( $.eventSource = "ec2.amazonaws.com" ) && ( $.eventName != "DescribeInstanceStatus" ) && ( $.eventName != "DescribeVolumeStatus" ) && ( $.eventName != "DescribeAddresses" )} | |||
{ ( $.eventSource = "ec2.amazonaws.com" ) && ( $.eventName != "Describe*" ) && ( $.eventName != "Create*" ) && ( $.eventName != "Delete*" ) } | |||
{ ( $.eventSource = "ec2.amazonaws.com" ) && ( $.eventName = "StopInstances" ) } | |||
{ ( $.eventName != "DescribeVolumeStatus" ) && ( $.eventName != "DescribeAddresses" ) && ( $.eventName != "DescribeAddresses" )} | |||
someone messed with my ASG!! | |||
{ $.eventName = "UpdateAutoScalingGroup" } | |||
someone's messing with my EKS | |||
{ ( $.objectRef.namespace = "kube-system" ) && ( $.Kind != "Event" ) && ( $.verb != "watch" ) } | |||
filtering out other services: | |||
{ ( $.eventSource != "logs.amazonaws.com" ) && ( $.eventSource != "sns.amazonaws.com" ) && ( $.eventSource != "ec2.amazonaws.com" ) && ( $.eventSource != "sts.amazonaws.com" ) } |
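Review bot: The eventName-only pattern added in this hunk lists `( $.eventName != "DescribeAddresses" )` twice, so the third clause excludes nothing new; going by the ec2 pattern a few lines above it, one of the two was probably meant to be `( $.eventName != "DescribeInstanceStatus" )`. In the EKS pattern, `$.Kind` is capitalised while `$.objectRef.namespace` and `$.verb` are lower-case, so it is worth checking against a real audit record that the field exists under that exact name, since a selector that never resolves makes the clause meaningless. A one-line label above each pattern naming the log group it is meant for (CloudTrail or the EKS audit log) would make the list safer to copy from.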
Latest revision as of 13:33, 30 September 2019
http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html
{ $.mfaAuthenticated = "false" }
{ $.userIdentity.type != "AssumedRole" }
{ ( $.eventSource != "iam.amazonaws.com" ) && ( $.eventSource != "cloudtrail.amazonaws.com" ) && ( $.eventSource != "elasticfilesystem.amazonaws.com" )}
{ ( $.eventSource = "ec2.amazonaws.com" ) && ( $.eventName != "DescribeInstanceStatus" ) }
{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != "true" }
{ ( $.eventSource != "iam.amazonaws.com" ) && ( $.eventSource != "cloudtrail.amazonaws.com" ) && ( $.eventSource != "elasticfilesystem.amazonaws.com" ) && ( $.eventSource != "sts.amazonaws.com" ) && ( $.eventSource != "signin.amazonaws.com" ) && ( $.eventSource != "ec2.amazonaws.com" ) && ( $.eventSource != "logs.amazonaws.com" ) }
{ ( $.eventSource = "ec2.amazonaws.com" ) && ( $.eventName != "DescribeInstanceStatus" ) && ( $.eventName != "DescribeVolumeStatus" ) && ( $.eventName != "DescribeAddresses" )}
{ ( $.eventSource = "ec2.amazonaws.com" ) && ( $.eventName != "Describe*" ) && ( $.eventName != "Create*" ) && ( $.eventName != "Delete*" ) }
{ ( $.eventSource = "ec2.amazonaws.com" ) && ( $.eventName = "StopInstances" ) }
{ ( $.eventName != "DescribeVolumeStatus" ) && ( $.eventName != "DescribeAddresses" ) && ( $.eventName != "DescribeAddresses" )}
someone messed with my ASG!!
{ $.eventName = "UpdateAutoScalingGroup" }
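someone's messing with my EKS (run this against the EKS control-plane audit log group, not the CloudTrail one; objectRef and verb are Kubernetes audit-event fields)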
{ ( $.objectRef.namespace = "kube-system" ) && ( $.Kind != "Event" ) && ( $.verb != "watch" ) }
filtering out other services (noise reduction only; this also hides all sts and ec2 activity, so don't hang alerts on it alone):
{ ( $.eventSource != "logs.amazonaws.com" ) && ( $.eventSource != "sns.amazonaws.com" ) && ( $.eventSource != "ec2.amazonaws.com" ) && ( $.eventSource != "sts.amazonaws.com" ) }