
Collect Logs and Metrics for AWS Lambda ULM

Instructions for configuring log collection for the Sumo Logic App for AWS Lambda ULM.

This page describes the data sources for the AWS Lambda ULM app, and has instructions for setting up log and metric collection.

About collection for AWS Lambda ULM

The AWS Lambda ULM app uses AWS CloudWatch Logs, CloudTrail Lambda Data Events, and AWS Lambda CloudWatch Metrics. The sections below describe how the app leverages each of these data sources to provide insight into AWS Lambda.

AWS CloudWatch Logs

AWS Lambda monitors your Lambda functions and reports metrics through Amazon CloudWatch. Lambda also logs every request handled by a function and stores those logs in Amazon CloudWatch Logs.

The Sumo Logic App for AWS Lambda ULM uses the Lambda logs delivered through CloudWatch Logs and visualizes operational and performance trends across all the Lambda functions in your account, providing insight into executions (for example, memory and duration usage) broken down by function version or alias.

CloudTrail Lambda Data Events

CloudTrail Lambda Data Events allow you to continuously monitor the execution activity of your Lambda functions, and to record details on when and by whom an Invoke API call was made. 

The Sumo Logic App for AWS Lambda ULM uses CloudTrail Lambda Data Events, which capture and record the activity in your Lambda functions, to provide insight into Lambda function invocations by function name, version, AWS service, and threat details.


AWS Lambda CloudWatch Metrics

AWS Lambda automatically monitors functions on your behalf, reporting AWS Lambda metrics through Amazon CloudWatch. These metrics are collected by a Sumo Logic Hosted Collector with an Amazon CloudWatch Source configured on it.

The Sumo Logic App for AWS Lambda ULM provides insight into Lambda function invocations, IteratorAge for stream-based invocations, Errors, Dead Letter Errors, Concurrent Executions, Unreserved Concurrent Executions, Duration, and Throttles, both per function and as time-based comparisons.

Collect Logs for AWS Lambda ULM 

This section describes how to collect the log and metric data used by the AWS Lambda ULM app.

Step 1. Collect Amazon CloudWatch Logs

Sumo supports several methods for collecting Lambda logs from Amazon CloudWatch. 

Step 2. Collect CloudTrail Lambda Data Events

To configure a CloudTrail Source, perform these steps:

  1. Grant Sumo Logic access to an Amazon S3 bucket.
  2. Configure DataEvents with CloudTrail in your AWS account.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. Add an AWS CloudTrail Source to Sumo Logic.

Step 3. Collect Amazon CloudWatch Metrics

To collect Amazon CloudWatch Metrics, see Amazon CloudWatch Source For Metrics.

Sample Log Messages

Amazon CloudWatch Log

{"id":"32563142671071560797760688825700039436306340248688066573","timestamp":1511808906799,"message":"REPORT RequestId: cf75cfa3-fe16-11e5-9b16-e3e4c70845f2    Duration: 50.23 ms    Billed Duration: 100 ms     Memory Size: 128 MB    Max Memory Used: 24 MB    
","requestID":null,"logStream":"2017/11/27/[Prod]1108153ced144f8cbb161aef096218d1","logGroup":"/aws/lambda/AWSlambda1"}

CloudTrail Lambda Data Events

{
   "eventVersion":"1.06",
   "userIdentity":{
      "type":"IAMUser",
      "principalId":"AIDAJ45Q7YFFAREXAMPLE",
      "arn":"arn:aws:iam::111111111111:user/duc",
      "accountId":"111111111111",
      "accessKeyId":"AKIAIOSFODNN7EXAMPLE",
      "userName":"duc"
   },
   "eventTime":"2017-11-27T19:05:20.524Z",
   "eventSource":"lambda.amazonaws.com",
   "eventName":"Invoke",
   "awsRegion":"us-west-1",
   "sourceIPAddress":"155.14.186.236",
   "userAgent":"aws-cli/1.11.129 Python/2.7.8 botocore/1.5.92",
   "requestParameters":{
      "invocationType":"RequestResponse",
      "functionName":"arn:aws:lambda:us-west-1:111111111111:function:function237",
      "clientContext":"ew0KICAiB99udGV6lGtleSIgOiAiY29udGV4dHZhbEXAMPLE=="
   },
   "responseElements":null,
   "additionalEventData":{
      "functionVersion":"arn:aws:lambda:us-west-1:111111111111:function:function238:$LATEST"
   },
   "requestID":"e38fb262-8f45-11e7-9845-e5f2f205b110",
   "eventID":"277a6881-66f4-4f3e-ade5-ba76255b7d93",
   "readOnly":false,
   "resources":[
      {
         "accountId":"111111111111",
         "type":"AWS::Lambda::Function",
         "ARN":"arn:aws:lambda:us-west-1:111111111111:function:function239"
      }
   ],
   "eventType":"AwsApiCall",
   "managementEvent":false,
   "recipientAccountId":"111111111111"
}

Query Sample

Count of Lambda function invocations by IAM user (from CloudTrail)

_sourceCategory=cloudtrail/lambda "lambda.amazonaws.com" Invoke
| json field=_raw "eventName" as event_name
| json field=_raw "sourceIPAddress" as src_ip
| json field=_raw "requestParameters.functionName" as func_name nodrop
| json field=_raw "additionalEventData.functionVersion" as func_version nodrop
| parse regex field=func_name "\w+:\w+:\S+:[\w-]+:\S+:\S+:(?<function_name>[\S]+)$"
| parse regex field=func_version "\w+:\w+:\S+:[\w-]+:\S+:\S+:(?<function_version>[\S]+:[\S ]+)$"
| json field=_raw "userAgent" as user_agent
| json field=_raw "userIdentity.type" as caller_type
| json field=_raw "userIdentity.invokedBy" as invoked_by nodrop
| json field=_raw "userIdentity.userName" as user_name nodrop
// caller is the invoking service principal when present, otherwise the IAM user name
| if (isNull(invoked_by), user_name, invoked_by) as caller
| where caller_type = "IAMUser"
| count by caller
| sort by _count

Maximum memory used in MB

_sourceCategory=aws_lambda/lambda* | json "message","logStream","logGroup"
| parse field=message "REPORT RequestId: *Duration: * ms\tBilled Duration: * ms \tMemory Size: * MB\tMax Memory Used: * MB" as RequestId, Duration, BilledDuration, MemorySize, MaxMemoryUsed
| parse field=logstream "*/[*]*" as logstreamDate, version, logstreamID
| parse field=loggroup "/aws/lambda/*" as function
| timeslice 1h
| sum(MaxMemoryUsed) as MaxMemoryUsed by function, _timeslice
| sort by _timeslice
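The two queries above are easier to reason about when their field extraction is spelled out in ordinary code. The following Python is an added example, not part of the Sumo Logic page or app: it applies the same ARN regexes and the same caller precedence as the CloudTrail query, parses the Lambda REPORT line from the CloudWatch sample, and reports the peak Max Memory Used per function (the page's query sums per hour; the peak is what the heading "Maximum memory used" asks for). All sample events are constructed, modelled on the page's two sample messages.

```python
import re
from collections import Counter

# Regexes mirrored from the page's queries (named groups in Python syntax): the trailing ARN
# segment is the function name, and a version ARN ends in "name:version".
FUNC_NAME_RE = re.compile(r"\w+:\w+:\S+:[\w-]+:\S+:\S+:(?P<function_name>\S+)$")
FUNC_VERSION_RE = re.compile(r"\w+:\w+:\S+:[\w-]+:\S+:\S+:(?P<function_version>\S+:[\S ]+)$")
# Lambda REPORT line; \s+ accepts the tabs that log viewers often render as runs of spaces.
REPORT_RE = re.compile(r"REPORT RequestId: (?P<request_id>\S+)\s+Duration: (?P<duration>[\d.]+) ms\s+Billed Duration: "
                       r"(?P<billed>\d+) ms\s+Memory Size: (?P<size>\d+) MB\s+Max Memory Used: (?P<max_used>\d+) MB")

def parse_invoke_event(event):
    """Flatten a CloudTrail Lambda Invoke event like the page's query (None for other events).
    The caller is userIdentity.invokedBy when present, else userName, as the query's 'if' decides."""
    if event.get("eventSource") != "lambda.amazonaws.com" or event.get("eventName") != "Invoke":
        return None
    ident = event.get("userIdentity", {})
    name = FUNC_NAME_RE.search((event.get("requestParameters") or {}).get("functionName", ""))
    ver = FUNC_VERSION_RE.search((event.get("additionalEventData") or {}).get("functionVersion", ""))
    return {"caller_type": ident.get("type"),
            "caller": ident.get("invokedBy") or ident.get("userName"),
            "function_name": name.group("function_name") if name else None,
            "function_version": ver.group("function_version") if ver else None}

def count_iam_user_invocations(events):
    """Invocations per IAM user: the query's 'where caller_type = "IAMUser" | count by caller'."""
    rows = (parse_invoke_event(e) for e in events)
    return Counter(r["caller"] for r in rows if r and r["caller_type"] == "IAMUser")

def max_memory_by_function(log_events):
    """Peak 'Max Memory Used' (MB) per function, named from the logGroup /aws/lambda/<function>."""
    peaks = {}
    for ev in log_events:
        m, group = REPORT_RE.search(ev.get("message", "")), ev.get("logGroup", "")
        if m and group.startswith("/aws/lambda/"):
            fn = group[len("/aws/lambda/"):]
            peaks[fn] = max(peaks.get(fn, 0), int(m.group("max_used")))
    return peaks

# Constructed samples modelled on the page's two sample messages (not real account data).
ARN = "arn:aws:lambda:us-west-1:111111111111:function:function237"
SAMPLE_TRAIL = [{"eventSource": "lambda.amazonaws.com", "eventName": "Invoke", "requestParameters": {"functionName": ARN},
                 "additionalEventData": {"functionVersion": ARN + ":$LATEST"}, "userIdentity": {"type": "IAMUser", "userName": "duc"}},
                {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke", "requestParameters": {"functionName": ARN},
                 "userIdentity": {"type": "AWSService", "invokedBy": "apigateway.amazonaws.com"}}]
SAMPLE_LOGS = [{"logGroup": "/aws/lambda/AWSlambda1", "message": "REPORT RequestId: cf75cfa3-fe16-11e5-9b16-e3e4c70845f2\t"
                "Duration: 50.23 ms\tBilled Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 24 MB\t"},
               {"logGroup": "/aws/lambda/AWSlambda1", "message": "REPORT RequestId: constructed-0002\tDuration: 81.10 ms\t"
                "Billed Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 61 MB"}]
```

Running `count_iam_user_invocations(SAMPLE_TRAIL)` keeps only the IAMUser event, and the service-invoked event shows why the query resolves `caller` from `invokedBy` before `userName`.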