AWS CloudTrail Logs

Log Type: AWS CloudTrail

Template Description: Parsing the common fields in your AWS CloudTrail log.

Sample Log:

"creationDate":"Wed Oct 23 14:36:48 UTC 2013",
"errorMessage":"User: arn:aws:iam::4574573938433:user/bsmith is not authorized to perform: iam:GetAccountPasswordPolicy",

Parsing Rule:

parse "eventSource\":\"*\"" as event_source
| parse "\"sourceIPAddress\":\"*\"" as source_ipaddress
| parse "\"eventName\":\"*\"" as event_name
| parse "awsRegion\":\"*\"" as aws_Region
| parse "\"userName\":\"*\"" as user

Resulting Fields:

Field            | Description                                                                   | Example
-----------------|-------------------------------------------------------------------------------|-------------------------
event_source     | The service that the request was made to                                      | IAM
source_ipaddress | The IP address that the request was made from                                 | 34.87.4.6
event_name       | The requested action, which is one of the actions in the API for that service | GetAccountPasswordPolicy
aws_Region       | The AWS region that the request was made to                                   | us-west-2
user             | The friendly name of the identity that made the call                          | bsmith
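The parse rule above anchors on literal `"key":"` strings and captures up to the next quote. The following Python is an added example (not part of this template or Sumo Logic's own code) that applies the same anchors as regular expressions to a constructed CloudTrail record, and additionally captures errorCode so that "not authorized" events like the sample can be flagged. It assumes the compact JSON layout CloudTrail writes to S3 (no whitespace after colons), which is also what the parse rule assumes.

```python
import json
import re

# Constructed CloudTrail record for the example; field names follow the CloudTrail
# record format and the errorMessage mirrors the page's sample log. Compact separators
# match the on-disk layout the "key":"value" anchors depend on.
SAMPLE_RECORD = json.dumps({
    "eventVersion": "1.08",
    "userIdentity": {"type": "IAMUser", "userName": "bsmith",
                     "arn": "arn:aws:iam::4574573938433:user/bsmith"},
    "eventTime": "2013-10-23T14:36:48Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "GetAccountPasswordPolicy",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "34.87.4.6",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:iam::4574573938433:user/bsmith is not authorized "
                    "to perform: iam:GetAccountPasswordPolicy",
}, separators=(",", ":"))

# Each anchor from the parse rule as a regex; the '*' wildcard becomes a non-greedy
# capture that stops at the closing quote. error_code is an addition to the page's rule.
PARSE_RULES = {
    "event_source":     r'"eventSource":"(.*?)"',
    "source_ipaddress": r'"sourceIPAddress":"(.*?)"',
    "event_name":       r'"eventName":"(.*?)"',
    "aws_Region":       r'"awsRegion":"(.*?)"',
    "user":             r'"userName":"(.*?)"',
    "error_code":       r'"errorCode":"(.*?)"',
}


def parse_cloudtrail(line: str) -> dict:
    """Return the fields the anchors can find. A key that is absent from the record
    (e.g. userName for an assumed-role session) is simply left out, as in Sumo."""
    fields = {}
    for name, pattern in PARSE_RULES.items():
        match = re.search(pattern, line)
        if match:
            fields[name] = match.group(1)
    return fields


def is_access_denied(fields: dict) -> bool:
    """True when the call was rejected, the condition worth alerting on from the sample."""
    return fields.get("error_code") == "AccessDenied"
```

Because userName lives under userIdentity and only IAM users carry it, records from assumed roles or the root account yield no `user` field; fall back to the ARN in such a pipeline rather than treating the empty field as an anonymous caller.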
