You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This integration is used to fetch logs from [Route 53](https://aws.amazon.com/route53/).
4
+
## Logs
5
+
6
+
### Public Hosted Zone Logs
7
+
8
+
The `route53_public_logs` dataset collects information about public DNS queries that Route 53 receives.
9
+
10
+
Query logs contain only the queries that DNS resolvers forward to Route 53. If a DNS resolver has already cached the response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return the cached response without forwarding the query to Route 53 until the TTL for the corresponding record expires.
11
+
12
+
Depending on how many DNS queries are submitted for a domain name (example.com) or subdomain name (www.example.com), which resolvers your users are using, and the TTL for the record, query logs might contain information about only one query out of every several thousand queries that are submitted to DNS resolvers.
13
+
14
+
See [Route 53 Documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html) for more information
15
+
16
+
{{event "route53_public_logs"}}
17
+
18
+
{{fields "route53_public_logs"}}
19
+
20
+
### Resolver Logs
21
+
22
+
The `route53_resolver_logs` dataset collects all DNS queries & responses for:
23
+
* Queries that originate in Amazon Virtual Private Cloud VPCs that you specify, as well as the responses to those DNS queries.
24
+
* Queries from on-premises resources that use an inbound Resolver endpoint.
25
+
* Queries that use an outbound Resolver endpoint for recursive DNS resolution.
26
+
* Queries that use Route 53 Resolver DNS Firewall rules to block, allow, or monitor domain lists.
27
+
28
+
As is standard for DNS resolvers, resolvers cache DNS queries for a length of time determined by the time-to-live (TTL) for the resolver. The Route 53 Resolver caches queries that originate in your VPCs, and responds from the cache whenever possible to speed up responses. Resolver query logging logs only unique queries, not queries that Resolver is able to respond to from the cache.
29
+
30
+
For example, suppose that an EC2 instance in one of the VPCs that a query logging configuration is logging queries for, submits a request for accounting.example.com. Resolver caches the response to that query, and logs the query. If the same instance’s elastic network interface makes a query for accounting.example.com within the TTL of the Resolver’s cache, Resolver responds to the query from the cache. The second query is not logged.
31
+
32
+
See [Route 53 Documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html) for more information
Copy file name to clipboardExpand all lines: packages/aws/data_stream/cloudtrail/manifest.yml
+106Lines changed: 106 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -193,3 +193,109 @@ streams:
193
193
type: bool
194
194
multi: false
195
195
default: false
196
+
- input: aws-cloudwatch
197
+
template_path: aws-cloudwatch.yml.hbs
198
+
title: AWS CloudTrail Logs
199
+
description: Collect AWS CloudTrail logs using cloudwatch input
200
+
enabled: false
201
+
vars:
202
+
- name: log_group_arn
203
+
type: text
204
+
title: Log Group ARN
205
+
multi: false
206
+
required: false
207
+
show_user: true
208
+
description: ARN of the log group to collect logs from.
209
+
- name: log_group_name
210
+
type: text
211
+
title: Log Group Name
212
+
multi: false
213
+
required: false
214
+
show_user: false
215
+
description: Name of the log group to collect logs from. `region_name` is required when `log_group_name` is given.
216
+
- name: log_group_name_prefix
217
+
type: text
218
+
title: Log Group Name Prefix
219
+
multi: false
220
+
required: false
221
+
show_user: false
222
+
description: The prefix for a group of log group names. `region_name` is required when `log_group_name_prefix` is given. `log_group_name` and `log_group_name_prefix` cannot be given at the same time.
223
+
- name: region_name
224
+
type: text
225
+
title: Region Name
226
+
multi: false
227
+
required: false
228
+
show_user: false
229
+
description: Region that the specified log group or log group prefix belongs to.
230
+
- name: log_streams
231
+
type: text
232
+
title: Log Streams
233
+
multi: true
234
+
required: false
235
+
show_user: false
236
+
description: A list of strings of log streams names that Filebeat collect log events from.
237
+
- name: log_streams_prefix
238
+
type: text
239
+
title: Log Stream Prefix
240
+
multi: false
241
+
required: false
242
+
show_user: false
243
+
description: A string to filter the results to include only log events from log streams that have names starting with this prefix.
244
+
- name: start_position
245
+
type: text
246
+
title: Start Position
247
+
multi: false
248
+
required: false
249
+
default: beginning
250
+
show_user: true
251
+
description: Allows user to specify if this input should read log files from the beginning or from the end.
252
+
- name: scan_frequency
253
+
type: text
254
+
title: Scan Frequency
255
+
multi: false
256
+
required: false
257
+
show_user: false
258
+
default: 1m
259
+
description: This config parameter sets how often Filebeat checks for new log events from the specified log group.
260
+
- name: api_timeput
261
+
type: text
262
+
title: API Timeout
263
+
multi: false
264
+
required: false
265
+
show_user: false
266
+
default: 120s
267
+
description: The maximum duration of AWS API can take. If it exceeds the timeout, AWS API will be interrupted.
268
+
- name: api_sleep
269
+
type: text
270
+
title: API Sleep
271
+
multi: false
272
+
required: false
273
+
show_user: false
274
+
default: 200ms
275
+
description: This is used to sleep between AWS FilterLogEvents API calls inside the same collection period. `FilterLogEvents` API has a quota of 5 transactions per second (TPS)/account/Region. This value should only be adjusted when there are multiple Filebeats or multiple Filebeat inputs collecting logs from the same region and AWS account.
276
+
- name: tags
277
+
type: text
278
+
title: Tags
279
+
multi: true
280
+
required: true
281
+
show_user: false
282
+
default:
283
+
- forwarded
284
+
- aws-cloudtrail
285
+
- name: processors
286
+
type: yaml
287
+
title: Processors
288
+
multi: false
289
+
required: false
290
+
show_user: false
291
+
description: >
292
+
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
293
+
294
+
- name: preserve_original_event
295
+
required: true
296
+
show_user: true
297
+
title: Preserve original event
298
+
description: Preserves a raw copy of the original event, added to the field `event.original`
0 commit comments