0

I am using the AWS CloudTrail processing library to pull CloudTrail logs from AWS. In the screenshot image of event history below (taken from the CloudTrail web console), the name of the bucket affected by a change is reflected under the column "Resource name". How can I retrieve this same value using the aws-cloudtrail-processing-library? The library returns the name of the bucket where CloudTrail saves the log files and not the affected bucket (highlighted). Also, even after downloading the logs from the bucket, I do not see this information.

[Screenshot: CloudTrail event history in the web console, with the affected bucket shown under the "Resource name" column]

Here is the snippet of my processing class:

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import com.amazonaws.services.cloudtrail.processinglibrary.AWSCloudTrailProcessingExecutor;

public class AuditorCloudTrail {

    public static void main(String[] args) throws InterruptedException {
        final Log logger = LogFactory.getLog(AuditorCloudTrail.class);

        // Wire the project's own processor, config, filters, progress reporter and
        // exception handler (all defined elsewhere in this project) into one executor.
        final AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
                new AuditorEventsProcessor(), new AuditorCloudTrailConfig())
                        .withSourceFilter(new AuditorSourceFilter())
                        .withProgressReporter(new AuditorProgressReporter())
                        .withEventFilter(new AuditorEventsFilter())
                        .withExceptionHandler(new AuditorExceptionHandler())
                        .build();
        executor.start();

        // add shut down hook to gracefully stop executor (optional)
        Runtime.getRuntime().addShutdownHook(new Thread() {
            public void run() {
                logger.info("Shut Down Hook is called.");
                executor.stop();
            }
        });

        // register a Default Uncaught Exception Handler (optional)
        Thread.setDefaultUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() {
            @Override
            public void uncaughtException(Thread t, Throwable e) {

                // Two options here:
                // First, we can call System.exit(1); in such case shut down hook will be
                // called.
                // Second, we can optionally restart another executor and start.
                final AWSCloudTrailProcessingExecutor executor = new AWSCloudTrailProcessingExecutor.Builder(
                        new AuditorEventsProcessor(), new AuditorCloudTrailConfig())
                                .withSourceFilter(new AuditorSourceFilter())
                                .withEventFilter(new AuditorEventsFilter())
                                .withProgressReporter(new AuditorProgressReporter())
                                .withExceptionHandler(new AuditorExceptionHandler())
                                .build();
                executor.start();

            }
        });

        // can optionally limit running time, or remove both lines so it is running
        // forever. (optional)
        Thread.sleep(24 * 60 * 60 * 1000);
        executor.stop();
    }
}

and the method that filters events:

    // IAM_EVENTS and S3_EVENTS are the event-source strings (constants defined on
    // the filter class) that this filter lets through.
    public boolean filterEvent(CloudTrailEvent event) throws CallbackException {
        CloudTrailEventData eventData = event.getEventData();

        String eventSource = eventData.getEventSource();

        // persist every event before deciding whether to pass it on
        try {
            saveEvent(eventData);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }

        return (eventSource.equals(IAM_EVENTS) ||
                eventSource.equals(S3_EVENTS));
    }
SyCode

1 Answer

0

I opened this question as an issue on the AWS CloudTrail processing engine's GitHub repository. The answer I received was that this feature is not supported at the moment using the processing engine. Therefore, the workaround was to use Logstash (requires CloudTrail plugin installation) to pull the CloudTrail logs into a MongoDB server from a pre-configured AWS S3 bucket as described here, from where normal processing can be used to extract the desired events including the resources involved.

SyCode
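The "normal processing" the answer refers to, and the "Resource name" value the question is after, both come down to two fields that every CloudTrail record carries in the raw log-file JSON: the optional `resources` array (ARNs of the resources acted on) and `requestParameters` (where S3 management events such as PutBucketPolicy put `bucketName`). The following is an added example, not code from the question, the answer, or the aws-cloudtrail-processing-library: it parses a CloudTrail log-file body (`{"Records": [...]}`), keeps only IAM and S3 events as the question's `filterEvent` does, and derives the affected resource names from those two fields. The sample records are constructed, and the field names checked in `requestParameters` beyond `bucketName` are an assumption about which ones are worth reporting.

```python
import json
from typing import Dict, List, Sequence

# Event sources of interest, mirroring the IAM/S3 filter in the question.
IAM_EVENTS = "iam.amazonaws.com"
S3_EVENTS = "s3.amazonaws.com"

# Fields of requestParameters that name the target resource when the
# 'resources' array is empty (assumption: this list is a reasonable subset).
NAME_FIELDS = ("bucketName", "userName", "roleName", "groupName", "policyName")

# Constructed sample of a CloudTrail log-file body; account ids, names and
# times are made up and do not come from the page.
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {   # S3 management event: bucket is only in requestParameters
            "eventTime": "2023-01-01T12:00:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutBucketPolicy",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "requestParameters": {"bucketName": "example-app-data", "policy": "..."},
            "resources": [],
        },
        {   # S3 data event: bucket and object both appear in 'resources'
            "eventTime": "2023-01-01T12:05:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutObject",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"},
            "requestParameters": {"bucketName": "example-app-data", "key": "release.tar.gz"},
            "resources": [
                {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-app-data/release.tar.gz"},
                {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-app-data",
                 "accountId": "111122223333"},
            ],
        },
        {   # IAM event: target user appears in 'resources'
            "eventTime": "2023-01-01T12:10:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "AttachUserPolicy",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "requestParameters": {"userName": "bob",
                                  "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
            "resources": [
                {"type": "AWS::IAM::User", "ARN": "arn:aws:iam::111122223333:user/bob",
                 "accountId": "111122223333"}
            ],
        },
        {   # filtered out: not an IAM or S3 event source
            "eventTime": "2023-01-01T12:15:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "requestParameters": {},
        },
    ]
})


def resource_names(record: Dict) -> List[str]:
    """Names of the resources a record acted on, in the spirit of the console's
    'Resource name' column: ARNs from 'resources' with the ARN prefix stripped
    (everything after the last ':'), falling back to requestParameters."""
    names: List[str] = []
    for res in record.get("resources") or []:
        arn = res.get("ARN")
        if arn:
            names.append(arn.rsplit(":", 1)[-1])
    if not names:
        params = record.get("requestParameters") or {}
        for field in NAME_FIELDS:
            if field in params:
                names.append(str(params[field]))
                break
    return names


def affected_resources(log_file_body: str,
                       sources: Sequence[str] = (IAM_EVENTS, S3_EVENTS)) -> List[Dict]:
    """Parse a CloudTrail log-file body and summarise the IAM/S3 records with
    their affected resource names."""
    records = json.loads(log_file_body)["Records"]
    summary = []
    for rec in records:
        if rec.get("eventSource") not in sources:
            continue
        summary.append({
            "eventTime": rec.get("eventTime"),
            "eventSource": rec["eventSource"],
            "eventName": rec.get("eventName"),
            "resources": resource_names(rec),
        })
    return summary


if __name__ == "__main__":
    for row in affected_resources(SAMPLE_LOG_FILE):
        print(f'{row["eventTime"]} {row["eventName"]:<18} {", ".join(row["resources"])}')
```

When `resources` is empty, as it is for many S3 management events, `requestParameters.bucketName` is the only place the affected bucket appears, which is why reading just the log-delivery bucket name or just `resources` leaves that column blank. Log files delivered to S3 are gzipped, so decompress them before handing the body to `affected_resources`.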