I want to send log data from my EC2 instance (Ubuntu) to AWS EventBridge, where I can then send it to multiple endpoints. E.g. if someone performs a root user operation on the server this is written to /var/log/auth.log; I would then like this change in the log to be sent to EventBridge, where it can then be routed to other locations. How can I achieve this?

cheers

N.B. I have tried using the CloudWatch agent but I can't figure out how to get the logs to EventBridge once they're in a log group, so if there is a way I can do this that would also work.

zenbeni
Ciaran

1 Answer

"I can't figure out how to get the logs to EventBridge once they're in a log group, so if there is a way I can do this that would also work."

Once your CloudWatch Agent writes the relevant logs to CloudWatch Logs, you can set up a subscription filter on your log group.

The filter would stream logs of interest (e.g. those that contain ssh) into a Lambda function. How to set it up is shown in:

The Lambda, using the EventBridge (events) API, e.g. via boto3, could process the log stream, filter out messages, construct events and publish them to EventBridge.

Marcin
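The pipeline the answer describes, written out as a Lambda handler. This is an added example, not code from the question or the answer above. It assumes a subscription filter on the auth.log log group (a filter pattern such as ?sudo ?sshd ?"su[" would keep only the lines the handler cares about), decodes the base64+gzip payload that CloudWatch Logs delivers, parses sudo, su and sshd lines with regexes written for Ubuntu's default auth.log format (the patterns, the bus name, the source name and the detail types are all assumptions), and publishes the result with PutEvents in batches of ten, which is the per-call limit. The Lambda's execution role needs events:PutEvents on the target bus. The sample log lines and the RecordingClient stand-in are constructed so the file runs offline without boto3.

```python
import base64
import gzip
import json
import re
from datetime import datetime, timezone

# Assumed names: none of these come from the original answer.
EVENT_BUS = "default"
EVENT_SOURCE = "ec2.auth-log"
PUT_EVENTS_BATCH = 10  # PutEvents accepts at most 10 entries per call

# Assumed patterns for Ubuntu's default auth.log lines (sudo, su and sshd).
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s*:\s*TTY=(?P<tty>\S+)\s*;.*?USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<command>.*)$")
SU_RE = re.compile(r"su(?:\[\d+\])?:\s+\(to (?P<target>\S+)\)\s+(?P<user>\S+)\s+on\s+(?P<tty>\S+)")
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
PATTERNS = (("SudoCommand", SUDO_RE), ("SwitchUser", SU_RE), ("SshLogin", SSH_RE))


def decode_logs_payload(event):
    """Decode the base64 + gzip 'awslogs.data' blob a subscription filter delivers."""
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))


def parse_auth_line(message):
    """Classify one auth.log line; return (detail_type, fields) or None if it is not forwarded."""
    for detail_type, pattern in PATTERNS:
        m = pattern.search(message.rstrip())
        if m:
            return detail_type, m.groupdict()
    return None


def build_entries(payload):
    """Turn a decoded subscription-filter payload into PutEvents entries."""
    if payload.get("messageType") != "DATA_MESSAGE":  # CONTROL_MESSAGE is only a delivery check
        return []
    entries = []
    for log_event in payload["logEvents"]:
        parsed = parse_auth_line(log_event["message"])
        if parsed is None:
            continue
        detail_type, fields = parsed
        detail = {**fields, "root": fields.get("target", fields.get("user")) == "root",
                  "logGroup": payload["logGroup"], "logStream": payload["logStream"],
                  "raw": log_event["message"]}
        entries.append({"Time": datetime.fromtimestamp(log_event["timestamp"] / 1000, tz=timezone.utc),
                        "Source": EVENT_SOURCE, "DetailType": detail_type,
                        "Detail": json.dumps(detail), "EventBusName": EVENT_BUS})
    return entries


def entry_detail(entry):
    """Decode the JSON 'Detail' string of a PutEvents entry back into a dict."""
    return json.loads(entry["Detail"])


def publish(entries, client):
    """Send entries to EventBridge in batches of 10; return how many the API rejected."""
    failed = 0
    for i in range(0, len(entries), PUT_EVENTS_BATCH):
        response = client.put_events(Entries=entries[i:i + PUT_EVENTS_BATCH])
        failed += response.get("FailedEntryCount", 0)
    return failed


def lambda_handler(event, context, client=None):
    """Lambda entry point. The execution role needs events:PutEvents on EVENT_BUS."""
    if client is None:
        import boto3  # only needed inside Lambda; local runs pass a stand-in client
        client = boto3.client("events")
    entries = build_entries(decode_logs_payload(event))
    failed = publish(entries, client) if entries else 0
    return {"published": len(entries) - failed, "failed": failed}


# Constructed sample auth.log lines (not captured from a real host); the CRON line is noise to skip.
SAMPLE_LINES = [
    "Mar  3 10:15:01 ip-10-0-0-5 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  3 10:16:22 ip-10-0-0-5 sshd[1234]: Accepted publickey for ubuntu from 203.0.113.7 port 51234 ssh2: RSA SHA256:abc",
    "Mar  3 10:17:00 ip-10-0-0-5 CRON[2100]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  3 10:18:45 ip-10-0-0-5 su[2001]: (to root) ubuntu on pts/0",
]


def make_sample_event(messages, log_group="/ec2/auth", log_stream="i-0123456789abcdef0"):
    """Wrap messages the way CloudWatch Logs does before invoking the Lambda (constructed sample)."""
    payload = {"messageType": "DATA_MESSAGE", "owner": "123456789012", "logGroup": log_group,
               "logStream": log_stream, "subscriptionFilters": ["auth-to-eventbridge"],
               "logEvents": [{"id": str(i), "timestamp": 1700000000000 + i * 1000, "message": m}
                             for i, m in enumerate(messages)]}
    blob = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": blob}}


class RecordingClient:
    """Stand-in for boto3's events client; records each put_events batch instead of calling AWS."""
    def __init__(self):
        self.calls = []

    def put_events(self, Entries):
        self.calls.append(Entries)
        return {"FailedEntryCount": 0, "Entries": [{"EventId": str(i)} for i in range(len(Entries))]}


if __name__ == "__main__":
    client = RecordingClient()
    print(lambda_handler(make_sample_event(SAMPLE_LINES), None, client=client))
```

Running the file locally feeds the four constructed lines through the handler and publishes three events (the CRON line is dropped); in Lambda, leave client as None so boto3 is used. The "root" flag in the detail is what an EventBridge rule would match on for the "root user operation" case in the question, e.g. a rule with a detail pattern of {"root": [true]}.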