
I'm developing a workflow in AWS. The scenario is: whenever I get a suspicious log entry in a log group, like lots of 403 errors, I want the instance to be isolated from the environment. Currently the flow is like this: Log group -> Metric filter -> Alarm -> EventBridge Rule/SNS -> Lambda. The problem is, to isolate the instance I need to pass the instance id to the Lambda function either by SNS or through the EventBridge rule, but nothing is working. The logs that are getting ingested have the instance id, but how can I fetch that from the logs and send it to the Lambda?

I tried it through SNS, but for that the message should include the instance id in JSON, which should look like this: { "instance_id": "i-xxxx" }

But I'm not finding a way to do that. The same goes for the EventBridge rule. How can I fetch the instance id and send it to the Lambda function? Can you please help me with that?

  • There's no good way to do this. The middle part of your solution is a CloudWatch Alarm. That alarm does not get the log info, and has no idea what the actual log message is that caused it to be triggered; it only knows that a threshold was crossed and that it should be in an alarm state. So the log message itself is lost during the alarm triggering process. AWS provides an example solution here: github.com/awslabs/cloudwatch-logs-customize-alarms/blob/master/… where you can see they actually have the Lambda query the logs for a specific time period. Commented Dec 16, 2024 at 14:51
  • Do you have any other approach to achieve this? Commented Dec 17, 2024 at 13:55
  • Use the lambda to look through recent logs, and identify all instances with 403s above your specified threshold. Commented Dec 18, 2024 at 1:14

1 Answer


What about using a subscription filter on the log group (filtered by those 403 errors) that invokes your Lambda? If the instance id is present in the log, then it will be present in the Lambda's event object.

Check:


2 Comments

Then the Lambda will be triggered on every log event that matches the filter pattern, i.e. with every single 403 error?
That is correct.
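A handler for the subscription-filter route described in this answer, added here as an example and not code from the original post or from AWS: it decodes the gzipped `awslogs` payload Lambda receives from a CloudWatch Logs subscription, counts the 403 entries per instance id found in the messages, and moves any instance at or over a threshold into a quarantine security group. The instance-id regex, the `sg-PLACEHOLDER` group id, `make_test_event` and the sample log lines are my assumptions; the EC2 client is injected so the decision logic runs without AWS. Note that the threshold only applies within one delivered batch, so a count across batches still needs external state.

```python
import base64
import gzip
import json
import re
from collections import Counter

# CloudWatch Logs delivers subscription matches as {"awslogs": {"data": <base64 of gzipped JSON>}}.
INSTANCE_ID_RE = re.compile(r"\bi-[0-9a-f]{8,17}\b")   # assumed: log lines carry the EC2 instance id
STATUS_403_RE = re.compile(r"\b403\b")


def decode_subscription_event(event):
    """Return the list of log events carried by a CloudWatch Logs subscription payload."""
    raw = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(raw))
    return payload["logEvents"]


def count_403_per_instance(log_events):
    """Map instance id -> number of 403 entries that mention it."""
    counts = Counter()
    for entry in log_events:
        msg = entry["message"]
        if not STATUS_403_RE.search(msg):
            continue
        match = INSTANCE_ID_RE.search(msg)
        if match:
            counts[match.group(0)] += 1
    return dict(counts)


def instances_over_threshold(log_events, threshold):
    """Instance ids whose 403 count in this batch reached the threshold, sorted for stable output."""
    return sorted(i for i, n in count_403_per_instance(log_events).items() if n >= threshold)


def lambda_handler(event, context, ec2=None, quarantine_sg="sg-PLACEHOLDER", threshold=1):
    """Isolate every instance that crossed the threshold in this batch.
    ec2 is a boto3 EC2 client injected for testability; with None only the decision is made."""
    targets = instances_over_threshold(decode_subscription_event(event), threshold)
    for instance_id in targets:
        if ec2 is not None:
            # Replacing the security groups with a deny-all group cuts the instance off without stopping it.
            ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"isolated": targets}


def make_test_event(messages):
    """Build a constructed subscription payload shaped like the one CloudWatch Logs sends (test helper)."""
    payload = {"messageType": "DATA_MESSAGE", "logGroup": "/example/app", "logStream": "constructed",
               "subscriptionFilters": ["errors-403"],
               "logEvents": [{"id": str(n), "timestamp": 0, "message": m} for n, m in enumerate(messages)]}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}
```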
