CloudWatch Logs Insights handy queries
Squid Apache-style logs
Find all requests matching a URL:
# Bind the 13 wildcards to the fields of a Squid "combined"-style access log line
# (nothing1 = Referer, clientid = User-Agent, proto_response:HierCode = Squid status, e.g. TCP_DENIED:HIER_NONE)
parse '* - * [*] "* * *" * * "*" "*" *_*:*' as host, identity, dateTimeString, httpVerb, url, protocol, statusCode, bytes, nothing1, clientid, proto, response, HierCode
# Case-insensitive, unanchored match on the URL field; escape the dots so they match literally
| filter url like /(?i)www\.example\.com/
Get count of denied requests by URL:
parse '* - * [*] "* * *" * * "*" "*" *_*:*' as host, identity, dateTimeString, httpVerb, url, protocol, statusCode, bytes, nothing1, clientid, proto, response, HierCode
# 'response' is the part of the Squid status between '_' and ':' (TCP_DENIED:HIER_NONE -> DENIED)
| filter (response='DENIED') | stats count(*) by url
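To check what the two Squid queries above will actually return before running them against a log group, the following Python script (an added example, not part of the original page) reproduces the semantics of the `parse` glob pattern and of both `filter` / `stats` stages over a handful of constructed Squid log lines. The sample lines, hosts and URLs are invented for the example; the parse pattern and field names are the page's own.

```python
import re
from collections import Counter

# Constructed sample lines in the Squid "combined"-style format the page's
# parse pattern expects (invented for this example, not real proxy traffic).
SAMPLE_SQUID_LINES = [
    '10.0.1.5 - - [12/Mar/2024:10:15:01 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 "-" "curl/8.0" TCP_MISS:HIER_DIRECT',
    '10.0.1.7 - - [12/Mar/2024:10:15:03 +0000] "CONNECT www.example.com:443 HTTP/1.1" 403 3800 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '10.0.1.9 - - [12/Mar/2024:10:15:04 +0000] "GET http://updates.internal/patch.bin HTTP/1.1" 200 1048576 "-" "Wget/1.21" TCP_MISS:HIER_DIRECT',
    '10.0.1.7 - - [12/Mar/2024:10:15:09 +0000] "CONNECT www.example.com:443 HTTP/1.1" 403 3800 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '10.0.1.5 - - [12/Mar/2024:10:15:11 +0000] "GET http://bad.example.net/x HTTP/1.1" 403 3800 "-" "curl/8.0" TCP_DENIED:HIER_NONE',
]

# The glob pattern and field names exactly as used in the page's queries.
PARSE_PATTERN = '* - * [*] "* * *" * * "*" "*" *_*:*'
FIELD_NAMES = ["host", "identity", "dateTimeString", "httpVerb", "url", "protocol",
               "statusCode", "bytes", "nothing1", "clientid", "proto", "response", "HierCode"]


def glob_to_regex(pattern, names):
    """Turn a Logs Insights glob parse pattern into an anchored regex.

    Each '*' becomes a named, non-greedy capture group and every literal
    run between wildcards is escaped, mirroring how the `parse` command
    binds wildcards to the names listed after `as`.
    """
    literals = pattern.split("*")
    if len(literals) != len(names) + 1:
        raise ValueError("number of '*' wildcards must equal number of field names")
    regex = "^" + re.escape(literals[0])
    for name, literal in zip(names, literals[1:]):
        regex += "(?P<%s>.*?)" % name + re.escape(literal)
    return re.compile(regex + "$")


SQUID_RE = glob_to_regex(PARSE_PATTERN, FIELD_NAMES)


def parse_line(line):
    """Return the named fields for one log line, or None if it does not match."""
    m = SQUID_RE.match(line)
    return m.groupdict() if m else None


def find_requests_matching(lines, url_regex):
    """Equivalent of `filter url like /(?i).../`: unanchored, case-insensitive search."""
    rx = re.compile(url_regex, re.IGNORECASE)
    return [rec for rec in map(parse_line, lines) if rec and rx.search(rec["url"])]


def count_denied_by_url(lines):
    """Equivalent of `filter response='DENIED' | stats count(*) by url`."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["response"] == "DENIED":
            counts[rec["url"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in find_requests_matching(SAMPLE_SQUID_LINES, r"www\.example\.com"):
        print(rec["host"], rec["httpVerb"], rec["url"], rec["proto"], rec["response"])
    print(count_denied_by_url(SAMPLE_SQUID_LINES))
```

Lines that do not fit the pattern (a different Squid logformat, a truncated line) come back as None and are dropped, which is also what happens in Logs Insights: the parsed fields are simply empty for those events, so a `filter` on `response` silently skips them. If a query returns fewer rows than expected, running the pattern over a few raw lines like this is the quickest way to find out which literal in the glob is not matching.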
CloudTrail logs
Who or what created an EC2 instance:
# Filter first, then sort newest-first; the instance id is a placeholder value
filter eventName = 'RunInstances'
# items.0 is the first instance in the launch response (a single-instance launch has only one)
| filter responseElements.instancesSet.items.0.instanceId = 'i-111111111111'
| sort @timestamp desc
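The following Python script is an added example (not code from the original page) showing how the dotted field path in that query resolves against a CloudTrail record, and which fields of the matching event answer the "who or what" question. The records are constructed for the example: the account number, ARNs, addresses and instance ids are placeholders. The `first_item_only` switch goes slightly beyond the page's query: `items.0` only sees the first instance of a launch, so a RunInstances call that started several instances at once is missed for all but the first, and the `False` path checks every launched instance instead.

```python
import json

# Constructed CloudTrail-style records (invented for this example; the
# instance ids and account number are placeholders, not real resources).
SAMPLE_CLOUDTRAIL_EVENTS = [
    json.dumps({
        "eventTime": "2024-03-12T10:00:00Z",
        "eventName": "RunInstances",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "console.ec2.amazonaws.com",
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-111111111111"}]}},
    }),
    json.dumps({
        "eventTime": "2024-03-12T11:00:00Z",
        "eventName": "TerminateInstances",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-111111111111"}]}},
    }),
    json.dumps({
        "eventTime": "2024-03-12T09:00:00Z",
        "eventName": "RunInstances",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci-runner"},
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "terraform/1.7.0",
        # A launch of several instances returns several items; only the
        # first is visible through the page's `items.0` path.
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-333333333333"}, {"instanceId": "i-444444444444"}]}},
    }),
]


def get_path(obj, dotted):
    """Resolve a Logs Insights style dotted path such as
    'responseElements.instancesSet.items.0.instanceId': a numeric segment
    indexes a list, any other segment looks up a dict key."""
    cur = obj
    for seg in dotted.split("."):
        if isinstance(cur, list) and seg.isdigit():
            idx = int(seg)
            cur = cur[idx] if idx < len(cur) else None
        elif isinstance(cur, dict):
            cur = cur.get(seg)
        else:
            return None
        if cur is None:
            return None
    return cur


def who_created_instance(raw_events, instance_id, first_item_only=True):
    """Emulate the page's query: keep RunInstances events whose launched
    instance id matches, newest first, and report who made the call.

    first_item_only=True mirrors `items.0.instanceId = ...` exactly;
    False checks every instance launched by the event."""
    hits = []
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("eventName") != "RunInstances":
            continue
        items = get_path(ev, "responseElements.instancesSet.items") or []
        candidates = items[:1] if first_item_only else items
        if not any(item.get("instanceId") == instance_id for item in candidates):
            continue
        hits.append({
            "eventTime": ev["eventTime"],
            "principal": get_path(ev, "userIdentity.arn"),
            "sourceIPAddress": ev.get("sourceIPAddress"),
            "userAgent": ev.get("userAgent"),
        })
    # ISO-8601 UTC timestamps sort correctly as strings: `sort @timestamp desc`.
    hits.sort(key=lambda h: h["eventTime"], reverse=True)
    return hits


if __name__ == "__main__":
    print(who_created_instance(SAMPLE_CLOUDTRAIL_EVENTS, "i-111111111111"))
    print(who_created_instance(SAMPLE_CLOUDTRAIL_EVENTS, "i-444444444444"))
    print(who_created_instance(SAMPLE_CLOUDTRAIL_EVENTS, "i-444444444444", first_item_only=False))
```

In the console you would normally add a `fields` stage listing `userIdentity.arn`, `sourceIPAddress` and `userAgent` so the answer is visible without opening each `@message`; those are the same three fields the script reports for each hit.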