Collect Logs and Metrics for the Amazon SNS App
Collect Metrics for Amazon SNS
- Configure a Hosted Collector.
- Configure an Amazon CloudWatch Source for Metrics.
  - Name. Enter a name to display for the new Source.
  - Description. Enter an optional description.
  - Regions. Select your Amazon Regions for SNS.
  - Namespaces. Select AWS/SNS.
  - Source Category. Enter a source category. For example, AWS/Metric/SNS.
  - Access Key ID and Secret Access Key. Enter your Amazon Access Key ID and Secret Access Key.
  - Scan Interval. Use the default of 5 minutes, or enter the frequency at which Sumo Logic will scan your CloudWatch Sources for new data.
- Click Save.
Collect Amazon SNS Events using CloudTrail
- To your Hosted Collector, add an AWS CloudTrail Source.
  - Name. Enter a name to display for the new Source.
  - Description. Enter an optional description.
  - S3 Region. Select the Amazon Region for your SNS S3 bucket.
  - Bucket Name. Enter the exact name of your SNS S3 bucket.
  - Path Expression. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. (DO NOT use a leading forward slash. See Amazon Path Expressions.)
  - Source Category. Enter a source category. For example, SNS_event.
  - Access Key ID and Secret Access Key. Enter your Amazon Access Key ID and Secret Access Key.
  - Scan Interval. Use the default of 5 minutes. Alternatively, enter the frequency at which Sumo Logic will scan your S3 bucket for new data.
  - Enable Timestamp Parsing. Select the check box.
  - Time Zone. Select Ignore time zone from log file and instead use, and select UTC.
  - Timestamp Format. Select Automatically detect the format.
  - Enable Multiline Processing. Select the check box, and select Infer Boundaries.
- Click Save.
Sample Log Message
{
  "eventVersion":"1.05",
  "userIdentity":{
    "type":"IAMUser",
    "principalId":"AIDAI1234567890YGJ2G6",
    "arn":"arn:aws:iam::123456789029:user/bsmith",
    "accountId":"123456789029",
    "accessKeyId":"ASI1234567890IHSAOIQ",
    "userName":"jjones",
    "sessionContext":{
      "attributes":{
        "mfaAuthenticated":"true",
        "creationDate":"2017-11-28T19:40:36Z"
      }
    },
    "invokedBy":"signin.amazonaws.com"
  },
  "eventTime":"2017-11-28T20:00:12Z",
  "eventSource":"sns.amazonaws.com",
  "eventName":"ListSubscriptions",
  "awsRegion":"us-west-2",
  "sourceIPAddress":"19.174.45.8",
  "userAgent":"signin.amazonaws.com",
  "requestParameters":{
    "nextToken":"AAEzJd64uRw2jIyzrdc8CoZOzZf/BBe8pUtH40pvaIDLtw=="
  },
  "responseElements":null,
  "requestID":"6b897eb7-d07c-5f07-8702-2c2012f086b1",
  "eventID":"dd0ea39f-c0c9-442d-b6b9-84c4f73ca038",
  "eventType":"AwsApiCall",
  "recipientAccountId":"123456789029"
}
Query Sample
Top 10 users
_sourceCategory=*cloudtrail* "\"eventsource\":\"sns.amazonaws.com\""
| json "eventSource" nodrop
| json "eventName" nodrop
| json "awsRegion" nodrop
| json "sourceIPAddress" nodrop
| json "userIdentity.type" as type nodrop
| json "userIdentity.arn" as arn nodrop
| json "userIdentity.accountId" as accountId nodrop
| json "userIdentity.userName" as userName nodrop
| json "errorCode" nodrop
| where eventSource="sns.amazonaws.com"
| if (isEmpty(errorCode), "Success", "Failure") as eventStatus
| parse field=arn ":assumed-role/*" as user nodrop
| if (isEmpty(userName), user, userName) as user
| count as eventCount by user
| top 10 user by eventCount
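
The logic of the Top 10 users query, reproduced offline in Python as an added example (not Sumo Logic's code), so the user fallback for assumed-role sessions and the errorCode-based status can be checked against known records. The function names, the "(unresolved)" label, the role name ExampleRole, and the sample records are assumptions constructed for this example.

```python
import json
from collections import Counter

SNS_SOURCE = "sns.amazonaws.com"
ROLE_MARKER = ":assumed-role/"

def sns_events(lines):
    """Yield parsed CloudTrail records whose eventSource is SNS."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if isinstance(event, dict) and event.get("eventSource") == SNS_SOURCE:
            yield event

def resolve_user(event):
    """userName when present, else the ARN text after ':assumed-role/'."""
    identity = event.get("userIdentity") or {}
    if identity.get("userName"):
        return identity["userName"]
    _, found, tail = (identity.get("arn") or "").partition(ROLE_MARKER)
    # "(unresolved)" is a label chosen for this example; the query leaves it empty.
    return tail if found and tail else "(unresolved)"

def event_status(event):
    """Mirror the query's eventStatus: any errorCode means Failure."""
    return "Failure" if event.get("errorCode") else "Success"

def top_users(lines, limit=10):
    return Counter(resolve_user(e) for e in sns_events(lines)).most_common(limit)

def status_by_user(lines):
    """Count events per (user, status) pair, which the query computes but does not group by."""
    return Counter((resolve_user(e), event_status(e)) for e in sns_events(lines))

# Constructed sample records (not real CloudTrail data).
JJONES = {"type": "IAMUser", "arn": "arn:aws:iam::123456789029:user/jjones", "userName": "jjones"}
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789029:assumed-role/ExampleRole/session-1"}
SAMPLE = [json.dumps(r) for r in (
    {"eventSource": SNS_SOURCE, "userIdentity": JJONES},
    {"eventSource": SNS_SOURCE, "userIdentity": JJONES},
    {"eventSource": SNS_SOURCE, "userIdentity": JJONES, "errorCode": "AccessDenied"},
    {"eventSource": SNS_SOURCE, "userIdentity": ROLE},
    {"eventSource": "s3.amazonaws.com", "userIdentity": JJONES},
)] + ["not json"]

if __name__ == "__main__":
    print(top_users(SAMPLE))
```

Identities with neither a userName nor an assumed-role ARN (for example root or service callers) fall into one bucket here, which makes them visible in the ranking instead of being lost in an empty group.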