
I have configured an Alarm on CloudTrail events. The metric of the alarm is to trigger it when it finds the information in the logs that an instance is terminated. The information sends a message to an SNS topic which in turn calls SQS.

It is all working as of now. However, when I read SQS I can only see the information of the alarm, but I would like to obtain details of the instance that got terminated. For example, below is what I see:

{
  "Type" : "Notification",
  "MessageId" : "1744f315-1042-5248-99a8-bd637aac7da4",
  "TopicArn" : "arn:aws:sns:us-east-1:873150696559:chefterm",
  "Subject" : "ALARM: \"terminatedchefnodes\" in US - N. Virginia",
  "Message" : "{\"AlarmName\":\"terminatedchefnodes\",\"AlarmDescription\":\"terminatedchefnodes\",\"AWSAccountId\":\"873150696559\",\"NewStateValue\":\"ALARM\",\"NewStateReason\":\"Threshold Crossed: 1 datapoint (1.0) was greater than the threshold (0.0).\",\"StateChangeTime\":\"2015-09-18T19:40:30.459+0000\",\"Region\":\"US - N. Virginia\",\"OldStateValue\":\"INSUFFICIENT_DATA\",\"Trigger\":{\"MetricName\":\"TestChefMetric\",\"Namespace\":\"CloudTrailMetrics\",\"Statistic\":\"AVERAGE\",\"Unit\":null,\"Dimensions\":[],\"Period\":900,\"EvaluationPeriods\":1,\"ComparisonOperator\":\"GreaterThanThreshold\",\"Threshold\":0.0}}",
  "Timestamp" : "2015-09-18T19:40:30.506Z",
  "SignatureVersion" : "1",
  "Signature" : "XpE8xR8S8sZPW0Yp642c2lpfiqP9qpXg1w8HCiD4YyWLRyHaQSR5RfSBk7yANJOtApw2nIUGRgpWzBE0j5RkfW4cvRrEcRLudAqO2N5QhCJfjvl48/AxWh1qmDiyrHmr0sTpSTg4zPbMQUs7nDRrW1QwQ6cqy04PTNJuZfBNfAXBlJNCkmeyJ8+klq6edmDijMy6M4D8kAUQ+trmTqTO29/jvT0+yOtBWBIOwiRDHxRfNIJ2vOWz8mjvyU43YDYZD1AG3hDBuSbs7li/8jkY7arsK2R5mDBhYI+o/w8D/W7qdBOGJlby1umVHX4mLQBwuOdLmSxN0P34cG9feuqdlg==",
  "SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-bb750dd426d95ee9390147a5624348ee.pem",
  "UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:873150696559:chefterm:467b007c-bb58-4ad6-b05b-ccd159c0515d"
}

But instead I want to see the instance ID information which was there in the CloudTrail logs: [image: CloudTrail logs]

John Rotenstein
Ishu Gupta
  • Probably not possible, since CloudTrail streams data to CloudWatch Logs. CloudWatch Logs then generates a metric in CloudWatch. This can then trigger an Alarm, which sends a notification to SNS, which sends a message to SQS. Unfortunately, the instance information is not stored in the CloudWatch metric, so it can't be passed to the next process. Closest option is to configure Auto Scaling to send a notification when an instance is terminated, but that probably doesn't match your use-case. – John Rotenstein Sep 19 '15 at 01:07
  • @john can you think of any other way of doing it? – Ishu Gupta Sep 19 '15 at 19:16
  • I basically need to know the information of nodes terminated automatically – Ishu Gupta Sep 19 '15 at 19:16

1 Answer


AWS CloudTrail delivers log files to your Amazon S3 bucket approximately every 5 minutes. The delivery of these files can then be used to 'trigger' some code that checks whether a certain activity has occurred. And a good way to run this code is AWS Lambda.

The basic flow is:

  1. AWS CloudTrail creates a log file in Amazon S3
  2. This triggers a call to AWS Lambda, with custom code that can determine whether the event is of interest
  3. The custom code can publish a message to Amazon SNS, which can deliver a message via email, HTTP, etc

Workflow to trigger a notification from CloudTrail

Here are two articles that describe such a setup:

John Rotenstein
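The flow in the answer above, as an added Python example (not code from the answer or its linked articles): a Lambda handler for the S3 trigger that reads each new CloudTrail log file and publishes the IDs of terminated instances to SNS. The `TOPIC_ARN` environment variable, the function names and the sample records are assumptions made for illustration.

```python
import gzip
import json
import os
from urllib.parse import unquote_plus

def terminated_instances(log_bytes):
    """Return one dict per instance in successful TerminateInstances events."""
    found = []
    for rec in json.loads(gzip.decompress(log_bytes)).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != ("ec2.amazonaws.com", "TerminateInstances"):
            continue
        if rec.get("errorCode"):  # denied or failed call: responseElements is null
            continue
        resp = rec.get("responseElements") or {}
        who = rec.get("userIdentity") or {}
        for item in (resp.get("instancesSet") or {}).get("items", []):
            found.append({"instanceId": item.get("instanceId"),
                          "eventTime": rec.get("eventTime"), "region": rec.get("awsRegion"),
                          # invokedBy is present when an AWS service such as Auto Scaling made the call
                          "caller": who.get("invokedBy") or who.get("arn")})
    return found

def lambda_handler(event, context):
    """S3 ObjectCreated trigger: parse each new CloudTrail file, publish any hits."""
    import boto3  # imported here so the parser above runs without the AWS SDK
    s3, sns = boto3.client("s3"), boto3.client("sns")
    hits = []
    for rec in event["Records"]:
        key = unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        if "/CloudTrail/" not in key:  # skip digest files and unrelated objects
            continue
        body = s3.get_object(Bucket=rec["s3"]["bucket"]["name"], Key=key)["Body"].read()
        hits += terminated_instances(body)
    if hits:
        sns.publish(TopicArn=os.environ["TOPIC_ARN"],  # assumed environment variable
                    Subject="EC2 instances terminated", Message=json.dumps(hits, indent=2))
    return hits

# Constructed sample log file (not real data): one successful call, one denied call.
SAMPLE = gzip.compress(json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "eventTime": "2015-09-18T19:25:00Z", "awsRegion": "us-east-1",
     "userIdentity": {"invokedBy": "autoscaling.amazonaws.com"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1b2c3d"}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "errorCode": "Client.UnauthorizedOperation", "responseElements": None,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"}},
]}).encode())
```

The function's execution role needs `s3:GetObject` on the trail bucket and `sns:Publish` on the topic, and nothing broader.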