
Collect Logs for the AWS Lambda App

See the steps to collect CloudWatch Lambda logs and CloudTrail Lambda Data Events.

This page describes the data sources for the AWS Lambda app, and has instructions for setting up log and metric collection.

About collection for the AWS Lambda ULM App

The AWS Lambda App uses AWS CloudWatch Logs, CloudTrail Lambda Data Events, and AWS Lambda CloudWatch Metrics. The sections below describe how the app uses each of these data sources to provide insight into AWS Lambda.

AWS CloudWatch Logs

AWS Lambda monitors Lambda functions, and reports metrics through Amazon CloudWatch. Lambda then logs all requests handled by your function and stores logs through AWS CloudWatch Logs.

The Sumo Logic AWS Lambda App uses Lambda logs from CloudWatch, CloudWatch Metrics, and CloudTrail Lambda Data Events to visualize the operational and performance trends across all the Lambda functions in your account. The preconfigured dashboards provide insights into executions, memory and duration (including cold start) usage by function version or alias, errors, billed duration, function callers, IAM users, and threat details.

[Diagram: AWS Lambda app data flow (aws_lambda_app_diagram.png)]

CloudTrail Lambda Data Events

CloudTrail Lambda Data Events allow you to continuously monitor the execution activity of your Lambda functions, and to record details on when and by whom an Invoke API call was made. 

The Sumo Logic App for AWS Lambda provides insights into Lambda function invocations by function name, version, AWS service, and threat details, using the CloudTrail Lambda Data Events that capture and record the activity in your Lambda functions.

[Diagram: CloudTrail Lambda Data Events flow (CTDE-Flow.png)]

AWS Lambda CloudWatch Metrics

AWS Lambda automatically monitors functions on your behalf, reporting AWS Lambda metrics through Amazon CloudWatch. These metrics are collected by a Sumo Logic Hosted Collector with an Amazon CloudWatch Source configured on it.

The Sumo Logic App for AWS Lambda provides insights into Lambda function invocations, IteratorAge for stream-based invocations, errors, dead letter errors, concurrent executions, unreserved concurrent executions, duration, throttles by function, and time-based comparisons.

Collect Logs for the AWS Lambda ULM App

This section describes the log and metric data used by the AWS Lambda ULM app. 

Collect Amazon CloudWatch Logs

Sumo supports several methods for collecting Lambda logs from Amazon CloudWatch. 

  • You can configure collection of Amazon CloudWatch Logs with the Sumo-provided AWS Lambda function, deployed from a Sumo-provided CloudFormation template, as described in Amazon CloudWatch Logs.
  • To configure collection without using CloudFormation, see Collect Amazon CloudWatch Logs using a Lambda Function.
  • While configuring the CloudWatch log source, the following fields can be added to the source:
    • Add an account field and assign it a friendly name or alias for the AWS account from which you are collecting logs. This name appears in the Sumo Logic Explorer View, and logs can be queried by the “account” field.
    • Add a region field and assign it the AWS region where the Application Load Balancer exists.
    • Add an accountId field and assign it the AWS account ID that is being used.

Collect CloudTrail Lambda Data Events

To configure a CloudTrail Source, perform these steps:

  1. Grant Sumo Logic access to an Amazon S3 bucket.
  2. Configure DataEvents with CloudTrail in your AWS account.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. Add an AWS CloudTrail Source to Sumo Logic.
  5. While configuring the CloudTrail log source, the following field can be added to the source:
    1. Add an account field and assign it a friendly name or alias for the AWS account from which you are collecting logs. This name appears in the Sumo Logic Explorer View, and logs can be queried by the “account” field.
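As a pre-flight check for steps 2 and 3 above, the following Python script (an added example, not Sumo Logic's or AWS's code) inspects a trail's event selectors in the shape returned by `aws cloudtrail get-event-selectors` and reports which Lambda functions would not have their Invoke data events recorded. The response, trail name, account ID and function ARNs below are constructed placeholders.

```python
import copy

# Added example (not Sumo Logic's or AWS's code): check whether a CloudTrail
# trail's event selectors, as returned by `aws cloudtrail get-event-selectors`,
# record Lambda data events for a given set of function ARNs. The
# EventSelectors / DataResources / Type / Values layout is CloudTrail's
# documented event-selector format; the sample response below is constructed.

LAMBDA_TYPE = "AWS::Lambda::Function"
ALL_LAMBDA = "arn:aws:lambda"   # the Values entry CloudTrail uses for "all functions"


def covers_function(data_resource: dict, function_arn: str) -> bool:
    """A Lambda DataResource covers an ARN when its Values hold either the
    catch-all prefix or that exact ARN."""
    if data_resource.get("Type") != LAMBDA_TYPE:
        return False
    return any(v == ALL_LAMBDA or v == function_arn
               for v in data_resource.get("Values", []))


def lambda_data_events_enabled(selectors_response: dict, function_arn: str) -> bool:
    """True when at least one selector has a Lambda DataResource covering function_arn."""
    return any(covers_function(res, function_arn)
               for sel in selectors_response.get("EventSelectors", [])
               for res in sel.get("DataResources", []))


def uncovered_functions(selectors_response: dict, function_arns: list) -> list:
    """ARNs whose Invoke calls the trail would not record."""
    return [arn for arn in function_arns
            if not lambda_data_events_enabled(selectors_response, arn)]


def with_all_lambda_coverage(selectors_response: dict) -> dict:
    """Return a copy of the response in which the first selector also logs data
    events for every Lambda function (the change you would then apply to the
    trail with put-event-selectors)."""
    updated = copy.deepcopy(selectors_response)
    if not updated.get("EventSelectors"):
        updated["EventSelectors"] = [{"ReadWriteType": "All",
                                      "IncludeManagementEvents": True,
                                      "DataResources": []}]
    updated["EventSelectors"][0].setdefault("DataResources", []).append(
        {"Type": LAMBDA_TYPE, "Values": [ALL_LAMBDA]})
    return updated


# Constructed get-event-selectors output: the trail logs data events for one
# function only (account ID and trail name are placeholders).
SAMPLE_RESPONSE = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
    "EventSelectors": [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{
            "Type": "AWS::Lambda::Function",
            "Values": ["arn:aws:lambda:us-east-1:111122223333:function:OrderProcessor"],
        }],
    }],
}

# Constructed list of the functions the Sumo Logic app should see
FUNCTIONS = [
    "arn:aws:lambda:us-east-1:111122223333:function:OrderProcessor",
    "arn:aws:lambda:us-east-1:111122223333:function:PaymentWorker",
]

if __name__ == "__main__":
    print("not covered:", uncovered_functions(SAMPLE_RESPONSE, FUNCTIONS))
    fixed = with_all_lambda_coverage(SAMPLE_RESPONSE)
    print("after adding arn:aws:lambda:", uncovered_functions(fixed, FUNCTIONS))
```

The check only reads the classic `EventSelectors` key; a trail configured with `AdvancedEventSelectors` returns those under a different key and needs a separate check. If any function is reported as uncovered, no Invoke events for it will reach the S3 bucket, so the CloudTrail panels of the app will simply stay empty for that function.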

Collect Amazon CloudWatch Metrics

To collect Amazon CloudWatch Metrics, see Amazon CloudWatch Source For Metrics.

The AWS namespace to filter on in the source for Lambda is AWS/Lambda.

  • Metadata: Add an account field to the source and assign it a friendly name or alias for the AWS account from which you are collecting metrics. This name appears in the Sumo Logic Explorer View, and metrics can be queried by the “account” field.

Continue with the process of enabling Provisioned Concurrency configurations for Lambda functions, as necessary.

Enable Provisioned Concurrency configurations for Lambda functions

AWS Lambda provides Provisioned Concurrency for greater control over the start-up time of Lambda functions. When enabled, Provisioned Concurrency keeps functions initialized and hyper-ready to respond in double-digit milliseconds. AWS Lambda provides additional CloudWatch metrics for provisioned concurrency.

To collect these metrics in Sumo Logic, do the following:

  1. Complete Step.
  2. Configure Provisioned Concurrency while creating a Lambda function in the AWS Management console, as shown in the following example:

[Screenshot: configuring Provisioned Concurrency for a Lambda function in the AWS Management Console (AWSLambda_PC_Configure.png)]

Once Provisioned Concurrency is enabled and you start collecting CloudWatch metrics, the following new metrics will be available:

Metric                                       Description
ProvisionedConcurrentExecutions              Concurrent executions using Provisioned Concurrency
ProvisionedConcurrencyUtilization            Fraction of Provisioned Concurrency in use
ProvisionedConcurrencyInvocations            Number of invocations using Provisioned Concurrency
ProvisionedConcurrencySpilloverInvocations   Number of invocations that are above Provisioned Concurrency

These metrics can then be queried using Sumo Logic Metrics queries, as shown in the following example:

[Screenshot: Sumo Logic Metrics query over the Provisioned Concurrency metrics (AWSLambda_PC_Metircs_example.png)]

Field in Field Schema

Log in to Sumo Logic and go to Manage Data > Logs > Fields. Search for the “functionname” field. If it is not present, create it. Learn how to create and manage fields here.

Field Extraction Rule(s)

Create a Field Extraction Rule for AWS Lambda. Learn how to create a Field Extraction Rule here.

Cloud Trail FER

Rule Name: AwsObservabilityFieldExtractionRule
Applied at: Ingest Time
Scope (Specific Data): account=* eventname eventsource "lambda.amazonaws.com"

Parse Expression:

| json "eventSource", "awsRegion", "requestParameters", "recipientAccountId" as eventSource, region, requestParameters, accountid nodrop
| where eventSource = "lambda.amazonaws.com"
| json field=requestParameters "functionName", "resource" as functionname, resource nodrop
| parse regex field=functionname "\w+:\w+:\S+:[\w-]+:\S+:\S+:(?<functionname>[\S]+)$" nodrop
| parse field=resource "arn:aws:lambda:*:function:*" as f1, functionname2 nodrop
| if (isEmpty(functionname), functionname2, functionname) as functionname
| "aws/lambda" as namespace
| tolowercase(functionname) as functionname
| fields region, namespace, functionname, accountid

Centralized AWS CloudTrail Log Collection

If you have centralized collection of CloudTrail logs and are ingesting them from all accounts into a single Sumo Logic CloudTrail log source, create the following Field Extraction Rule to map each AWS account to its friendly name or alias. Create it if it is not already present, or update it as required.

Rule Name: AWS Accounts
Applied at: Ingest Time
Scope (Specific Data): _sourceCategory=<SourceCategory_of_CloudTrail_source_created_in_sumo>

Parse Expression:

Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “dev” alias for an AWS account with ID "528560886094" and the “prod” alias for an AWS account with ID "567680881046", your parse expression would look like:

| json "recipientAccountId"
// Manually map your aws account id with the AWS account alias you setup earlier for individual child account
| "" as account
| if (recipientAccountId = "528560886094",  "dev", account) as account
| if (recipientAccountId = "567680881046",  "prod", account) as account
| fields account

Cloud Watch FER

Rule Name: AwsObservabilityLambdaCloudWatchLogsFER
Applied at: Ingest Time
Scope (Specific Data): _sourceHost=/aws/lambda/*

Parse Expression:

| parse field=_sourceHost "/aws/lambda/*" as functionname
| tolowercase(functionname) as functionname
| "aws/lambda" as namespace
| fields functionname, namespace
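To check what the three Field Extraction Rules on this page (the CloudTrail FER, the centralized "AWS Accounts" FER, and the CloudWatch FER) will produce before creating them, the following Python script (an added example, not Sumo Logic's code) emulates their parse logic over constructed sample records. The account IDs reuse the "dev" and "prod" example values from the page; the function names, regions and event contents are constructed, and the named group in the ARN regex is rewritten as `(?P<...>)` because Python's `re` module does not accept the `(?<name>...)` form.

```python
import json
import re
from typing import Optional

# Added example (not Sumo Logic's code): emulate the three Field Extraction
# Rules on this page so their parse logic can be checked against sample
# records before the rules are created in Sumo Logic. Sample records below
# are constructed; the account IDs reuse the page's "dev"/"prod" examples.

# Regex from the CloudTrail FER; named group written in Python's (?P<...>) form.
ARN_NAME_RE = re.compile(r"\w+:\w+:\S+:[\w-]+:\S+:\S+:(?P<functionname>[\S]+)$")
# Equivalent of: parse field=resource "arn:aws:lambda:*:function:*" as f1, functionname2
RESOURCE_RE = re.compile(r"arn:aws:lambda:(.*?):function:(.*)$")


def cloudtrail_fer(raw_event: str) -> Optional[dict]:
    """Emulates AwsObservabilityFieldExtractionRule: returns the region,
    namespace, functionname and accountid fields for a Lambda CloudTrail
    record, or None when eventSource is not lambda.amazonaws.com (the
    rule's 'where' clause)."""
    ev = json.loads(raw_event)
    if ev.get("eventSource") != "lambda.amazonaws.com":
        return None
    params = ev.get("requestParameters") or {}
    functionname = params.get("functionName") or ""
    # parse regex ... nodrop: a full function ARN is reduced to its last
    # colon-separated segment; a bare name does not match and is kept as-is
    m = ARN_NAME_RE.search(functionname)
    if m:
        functionname = m.group("functionname")
    # fallback when functionName is absent but resource carries the ARN
    functionname2 = ""
    rm = RESOURCE_RE.match(params.get("resource") or "")
    if rm:
        functionname2 = rm.group(2)
    # if (isEmpty(functionname), functionname2, functionname) as functionname
    if not functionname:
        functionname = functionname2
    return {
        "region": ev.get("awsRegion"),
        "namespace": "aws/lambda",
        "functionname": functionname.lower(),   # tolowercase(functionname)
        "accountid": ev.get("recipientAccountId"),
    }


# Alias map mirroring the "AWS Accounts" FER on this page
ACCOUNT_ALIASES = {"528560886094": "dev", "567680881046": "prod"}


def account_alias_fer(raw_event: str, aliases: dict = ACCOUNT_ALIASES) -> str:
    """Emulates the 'AWS Accounts' FER for centralized CloudTrail collection:
    maps recipientAccountId to its alias; an unmapped account yields "" just
    as the rule's '"" as account' default does."""
    ev = json.loads(raw_event)
    return aliases.get(ev.get("recipientAccountId", ""), "")


def cloudwatch_fer(source_host: str) -> Optional[dict]:
    """Emulates AwsObservabilityLambdaCloudWatchLogsFER on a _sourceHost value;
    None means the rule's scope (_sourceHost=/aws/lambda/*) does not apply."""
    prefix = "/aws/lambda/"
    if not source_host.startswith(prefix):
        return None
    return {"functionname": source_host[len(prefix):].lower(),
            "namespace": "aws/lambda"}


# Constructed sample records, trimmed to the fields the rules read
SAMPLE_INVOKE = json.dumps({
    "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
    "awsRegion": "us-east-1", "recipientAccountId": "528560886094",
    "requestParameters": {
        "functionName": "arn:aws:lambda:us-east-1:528560886094:function:OrderProcessor"},
})
SAMPLE_QUALIFIED = json.dumps({   # ARN carrying an alias suffix
    "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
    "awsRegion": "us-east-1", "recipientAccountId": "528560886094",
    "requestParameters": {
        "functionName": "arn:aws:lambda:us-east-1:528560886094:function:OrderProcessor:PROD"},
})
SAMPLE_RESOURCE_ONLY = json.dumps({
    "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
    "awsRegion": "eu-west-1", "recipientAccountId": "567680881046",
    "requestParameters": {
        "resource": "arn:aws:lambda:eu-west-1:567680881046:function:Audit-Writer"},
})
SAMPLE_NOT_LAMBDA = json.dumps({
    "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
    "awsRegion": "us-east-1", "recipientAccountId": "528560886094",
    "requestParameters": {"bucketName": "example-bucket"},
})

if __name__ == "__main__":
    for rec in (SAMPLE_INVOKE, SAMPLE_QUALIFIED, SAMPLE_RESOURCE_ONLY, SAMPLE_NOT_LAMBDA):
        print(cloudtrail_fer(rec), account_alias_fer(rec))
    print(cloudwatch_fer("/aws/lambda/OrderProcessor"), cloudwatch_fer("/ecs/app"))
```

Running the qualified sample shows one edge worth checking against your own records: the FER's ARN regex captures the last colon-separated segment, so an ARN that carries a version or alias suffix yields that suffix (here `prod`) rather than the function name in `functionname`. Records without `functionName` fall back to the `resource` ARN, and anything whose `eventSource` is not `lambda.amazonaws.com` is left untouched, exactly as the `where` clause in the rule intends.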