Collect Logs and Metrics for the Amazon SNS App

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Collect Metrics for Amazon SNS

Configure a Hosted Collector.
Configure an Amazon CloudWatch Source for Metrics.
1. Name. Enter a name to display for the new Source.
2. Description. Enter an optional description.
3. Regions. Select your Amazon Regions for SNS.
4. Namespaces. Select AWS/SNS.
5. Source Category. Enter a source category. For example, AWS/Metric/SNS.
6. Access Key ID and Secret Access Key. Enter your Amazon Access Key ID and Secret Access Key.
7. Scan Interval. Use the default of 5 minutes, or enter the frequency Sumo Logic will scan your CloudWatch Sources for new data.
Click Save.

Collect Amazon SNS Events using CloudTrail

To your Hosted Collector, add an AWS CloudTrail Source.
1. Name. Enter a name to display for the new Source.
2. Description. Enter an optional description.
3. S3 Region. Select the Amazon Region for your SNS S3 bucket.
4. Bucket Name. Enter the exact name of your SNS S3 bucket.
5. Path Expression. Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. (DO NOT use a leading forward slash. See Amazon Path Expressions.)
  The S3 bucket name is not part of the path. Don’t include the bucket name when you are setting the Path Expression.
6. Source Category. Enter a source category. For example, SNS_event.
7. Access Key ID and Secret Access Key. Enter your Amazon Access Key ID and Secret Access Key.
8. Scan Interval. Use the default of 5 minutes. Alternately, enter the frequency Sumo Logic will scan your S3 bucket for new data.
9. Enable Timestamp Parsing. Select the check box.
10. Time Zone. Select Ignore time zone from log file and instead use, and select UTC.
11. Timestamp Format. Select Automatically detect the format.
12. Enable Multiline Processing. Select the check box, and select Infer Boundaries.
Click Save.

Sample Log Message

{
   "eventVersion":"1.05",
   "userIdentity":{
      "type":"IAMUser",
      "principalId":"AIDAI1234567890YGJ2G6",
      "arn":"arn:aws:iam::123456789029:user/bsmith",
      "accountId":"123456789029",
      "accessKeyId":"ASI1234567890IHSAOIQ",
      "userName":"jjones",
      "sessionContext":{
         "attributes":{
            "mfaAuthenticated":"true",
            "creationDate":"2017-11-28T19:40:36Z"
         }
      },
      "invokedBy":"signin.amazonaws.com"
   },
   "eventTime":"2017-11-28T20:00:12Z",
   "eventSource":"sns.amazonaws.com",
   "eventName":"ListSubscriptions",
   "awsRegion":"us-west-2",
   "sourceIPAddress":"19.174.45.8",
   "userAgent":"signin.amazonaws.com",
   "requestParameters":{
      "nextToken":"AAEzJd64uRw2jIyzrdc8CoZOzZf/BBe8pUtH40pvaIDLtw=="
   },
   "responseElements":null,
   "requestID":"6b897eb7-d07c-5f07-8702-2c2012f086b1",
   "eventID":"dd0ea39f-c0c9-442d-b6b9-84c4f73ca038",
   "eventType":"AwsApiCall",
   "recipientAccountId":"123456789029"
}

Query Sample

Top 10 users

_sourceCategory=*cloudtrail* "\"eventsource\":\"sns.amazonaws.com\"" | json "eventSource" nodrop | json "eventName" nodrop | json "awsRegion" nodrop | json "sourceIPAddress" nodrop | json "userIdentity.type" as type nodrop | json "userIdentity.arn" as arn nodrop | json "userIdentity.accountId" as accountId nodrop | json "userIdentity.userName" as userName nodrop | json "errorCode" nodrop | where eventSource="sns.amazonaws.com" | if (isEmpty(errorCode), "Success", "Failure") as eventStatus | parse field=arn ":assumed-role/*" as user nodrop | if (isEmpty(userName), user, userName) as user | count as eventCount by user | top 10 user by eventCount