-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(lambda-promtail): Adding S3 log parser support for AWS GuardDuty #13148
feat(lambda-promtail): Adding S3 log parser support for AWS GuardDuty #13148
Conversation
c11321f
to
7d810f4
Compare
…na#13148) Co-authored-by: James Callahan <https://github.com/james-callahan>ase enter the commit message for your changes. Lines starting
…na#13148) Co-authored-by: James Callahan <https://github.com/james-callahan>ase enter the commit message for your changes. Lines starting
7d810f4
to
f26c354
Compare
…na#13148) Co-authored-by: James Callahan <https://github.com/james-callahan>ase enter the commit message for your changes. Lines starting
Bump, any update on this? GuardDuty findings support would be great to have! edit: I've made a fork and applied this patch, so far it looks good and guardduty logs in loki seems to be fine! Ruler also does not complain. I can step in and fix issues in the comments - would that be ok and have chances to be merged? |
I've noticed that for some logs, wrong timestamp is being used - in our case Reading the code I see promtail is already aware of such behaviour but for CloudTrail logs, I've added this parser for GuardDuty log types and so far it looks ok. diff --git a/tools/lambda-promtail/lambda-promtail/s3.go b/tools/lambda-promtail/lambda-promtail/s3.go
index 1ddac3500..c4fdd21ca 100644
--- a/tools/lambda-promtail/lambda-promtail/s3.go
+++ b/tools/lambda-promtail/lambda-promtail/s3.go
@@ -179,7 +179,7 @@ func parseS3Log(ctx context.Context, b *batch, labels map[string]string, obj io.
ls = applyLabels(ls)
// extract the timestamp of the nested event and sends the rest as raw json
- if labels["type"] == CLOUDTRAIL_LOG_TYPE {
+ if labels["type"] == CLOUDTRAIL_LOG_TYPE || labels["type"] == GUARDDUTY_LOG_TYPE {
records := make(chan Record)
jsonStream := NewJSONStream(records)
go jsonStream.Start(gzreader, parser.skipHeaderCount)
(END) looks like quick fix for now - FYI. |
That would be great. Please do. I created a fork and used it and then had to prioritize other work. But would love this to get merged |
@samuelebstein it looks like @evilr00t has an additional fix we should add in as well? after that I think we're probably good to go |
I think you might need to also rebase on main to get CI to run properly |
…na#13148) Co-authored-by: James Callahan <https://github.com/james-callahan>ase enter the commit message for your changes. Lines starting
84e7c52
to
f26c354
Compare
…na#13148) Co-authored-by: James Callahan <https://github.com/james-callahan>ase enter the commit message for your changes. Lines starting
f26c354
to
48349c4
Compare
…na#13148) Co-authored-by: James Callahan <https://github.com/james-callahan>ase enter the commit message for your changes. Lines starting
48349c4
to
a8aa4b2
Compare
…na#13148) Co-authored-by: James Callahan <https://github.com/james-callahan>ase enter the commit message for your changes. Lines starting
a8aa4b2
to
a0348bc
Compare
…na#13148) Co-authored-by: James Callahan <https://github.com/james-callahan>
a0348bc
to
525a3bf
Compare
@cstyan all comments resolved. Feel free to merge now! |
@samuelebstein in the future please try and avoid force pushing during reviews, it makes it harder to see what has changed since the last review |
Sorry guys for being silent, didn't notice your conversation! Kudos on getting this merged, will check that soon! |
This pull request introduces the following changes to the lambda-promtail module:
Adding Terraform Variable:
Adding GuardDuty Log Type:
Which issue(s) this PR fixes:
Fixes # #13129
Why this PR is needed
Checklist
Upgrading Steps
If these changes affect the default configuration, metrics names, log lines used in dashboards or alerts, configuration parameters, or API endpoints, please document what has changed and what needs to be done in the upgrade guide.
Please review the changes and let me know if there are any questions or concerns. Thank you!