
How to locate a specific request in AWS, CloudTrail or CloudWatch?

Request on 2022-11-17T17:07:52.037Z
General:
Request URL: https://0712f1246-1104-y-https-www-abc-com.mplbci.ekb.eg/access
HTTP Version: HTTP/1.1
Request method: GET
Remote Address: 195.41.20.252

I am looking for a full set of headers and values, especially the X-Forwarded-For list of IPs that came with the original request, before hitting our systems.

I tried using the Athena query, but I did not get the result.

SELECT *
FROM cloudtrail_logs_abc_cloudtrails
WHERE sourceipaddress = '195.41.20.252'

SELECT *
FROM cloudtrail_logs_abc_cloudtrails
WHERE eventsource = 'https://0712f1246-1104-y-https-www-abc-com.mplbci.ekb.eg/access'
LIMIT 100

Could anyone suggest the best way to find it? Any help would be appreciated.

sam23
  • AWS doesn't keep all the headers and such for requests automatically; that would require a lot of storage and would mostly be wasted. CloudTrail logs keep some basic information. If you want that information you'll need to configure logging in your web server. – Tim Nov 21 '22 at 19:11
  • Original client request in the question which probably won't show in AWS the same way. It probably comes from a referrer, I'm looking for access logs coming from that server, going to /access page on abc.com, with all headers. – sam23 Nov 22 '22 at 00:56
  • You'll have to configure them on your web server if you want them. – Tim Nov 22 '22 at 01:01
  • The web server logging is configured, but no logs are being generated against the query. Do I need to expand the search result? – sam23 Nov 22 '22 at 04:10
  • I'd be looking in the web server logs directly to start with, to confirm logging is working. Once that's done you can confirm the logs have made it to S3 or CloudWatch logs, wherever you're sending them. Find the data, follow the data. – Tim Nov 22 '22 at 08:25
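
Following the advice in the comments to start from the web server's own access logs, here is an added example (not part of the original thread) that pulls the X-Forwarded-For chain for one request by time, path and IP. It assumes the server writes nginx's stock `main` log format, which ends with `"$http_x_forwarded_for"`; `find_request`, the sample lines and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout: nginx's stock "main" log_format, ending with "$http_x_forwarded_for".
LINE_RE = re.compile(
    r'(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<xff>[^"]*)"'
)

def find_request(lines, when, path, ip, window_s=5):
    """Return entries for `path` within `window_s` seconds of `when` where `ip`
    is the connecting peer or appears anywhere in X-Forwarded-For."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is in some other format; skip it
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) > timedelta(seconds=window_s):
            continue
        if m["uri"].split("?", 1)[0] != path:  # compare the path without the query string
            continue
        # "-" means the header was absent; otherwise it is a comma-separated hop list
        chain = [h.strip() for h in m["xff"].split(",") if h.strip() not in ("", "-")]
        if ip == m["peer"] or ip in chain:
            hits.append({"time": ts.astimezone(timezone.utc), "peer": m["peer"],
                         "xff": chain, "referer": m["referer"],
                         "status": int(m["status"])})
    return hits

# Constructed sample lines, not real log data. Only the timestamp, the /access path
# and 195.41.20.252 are taken from the question.
SAMPLE = [
    '203.0.113.10 - - [17/Nov/2022:17:07:52 +0000] "GET /access HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.7, 195.41.20.252"',
    '195.41.20.252 - - [17/Nov/2022:17:07:53 +0000] "GET /access?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '195.41.20.252 - - [17/Nov/2022:18:30:00 +0000] "GET /access HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.10 - - [17/Nov/2022:17:07:52 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "195.41.20.252"',
]
WHEN = datetime(2022, 11, 17, 17, 7, 52, 37000, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in find_request(SAMPLE, WHEN, "/access", "195.41.20.252"):
        print(hit)
```

Matching the IP against both the peer address and the forwarded chain matters because a request relayed through a proxy or load balancer is logged with the relay's address as the peer.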

0 Answers