POSTS

CloudWatch Logs Push

By Brian

In my last post I used the awslogs daemon to push tcpdump events to AWS CloudWatch logs.  At the time it felt silly to use a file on disk and a daemon to push events from an interactive session.  Well I had some time to dig and I found a much cleaner way to do it without the daemon.

It turns out that CloudWatch logs is implemented as a plugin to the AWS CLI.  The plugin can be configured to read from a file or you can simply pipe events directly yo it on the command line.

You need to register the plugin in your config file (~/.aws/config).  Mine looks like this. 
1
2
3
4
5
6

[plugins]
cwlogs = cwlogs
[default]
region = us-east-1
aws_access_key_id = XXXXXXXXXX
aws_secret_access_key = YYYYYYYYYY

Now you can simply pipe data to "aws logs push."  You need to specify the group stream and date format as parameters.  And, of course, the group and stream must already exist in AWS.  For example: 
1

sudo tcpdump -tttt port 80 | aws logs push --log-group-name NetworkTrace --log-stream-name i-125731f9 --datetime-format '%Y-%m-%d:%H:%M:%S.%f'
comments powered by Disqus