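We are using AWS CloudTrail to retrieve data (CloudTrail events). We use the gem 'aws-sdk-cloudtrail' (version 1.0). According to CloudTrail, we can retrieve at most 50 results (the latest ones). To get the previous (older) results, we use the 'next-token' received in the previous response. We do this until we get an empty 'next-token'. When we receive an empty token, it means all the CloudTrail data has been retrieved.
For example: suppose CloudTrail has 100 logged events. In the first API call, we receive the latest 50 results along with a token to retrieve the next 50 (the older 50). In the second API call, we receive the remaining 50 results (the older ones) along with a next token of nil. This means there are no more results to fetch.
In our case, we save all the results we receive in a local database. We repeat this periodically. When doing it the second time (repeating the process explained above), we again receive a few newer and a few older results. We again repeat the API calls until we get a 'next-token' of nil. This results in receiving redundant data that was already stored in the database during the first cycle. Is there a way to get only the newly logged CloudTrail events in the second cycle?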
Answer 0 (score: 2)
As @Vorsprung said, you can use the maximum event date-time from your local database.
Here is a detailed solution for your use case/problem:
1. Query your local database to check whether cloudtrail data is present in it.
   IF yes
     // It means you have stored some data from cloudtrail before.
     // And now you are going to request new trail events from cloudtrail.
     // Note - At the time of the first request you don't have a token (i.e. next-token)
     GOTO Step 3
   ELSE
     // It means you have not stored any data from cloudtrail before.
     // And now you are going to do the first request to cloudtrail.
     // Note - At the time of the first request you don't have a token (i.e. next-token)
     GOTO Step 2
2. token = nil   // set once, before the loop, so the token carries over between iterations
   LOOP true
     IF token
       // Send request to cloudtrail to get the next batch of latest cloudtrail events, now pass token (i.e. next-token) as parameter.
       // Which will return at most the latest 50 trail events.
       // It will also return next-token if more cloudtrail events are remaining.
       IF next-token
         token = next-token
       ELSE
         BREAK LOOP;
       END
     ELSE
       // Send request to cloudtrail to get the latest cloudtrail events.
       // Which will return at most the latest 50 trail events.
       // It will also return next-token if more cloudtrail events are remaining.
       IF next-token
         token = next-token
       ELSE
         BREAK LOOP;
       END
     END
   END
3. token = nil   // set once, before the loop, so the token carries over between iterations
   start_date_time = max_trail_event_date_time_from_local_db
   LOOP true
     IF token
       // Send request to cloudtrail to get the next batch of latest cloudtrail events, now pass token and start_date_time (i.e. next-token and max_trail_event_date_time_from_local_db) as parameters.
       // Which will return at most the latest 50 events which are logged after start_date_time.
       // It will also return next-token if more cloudtrail events are remaining.
       IF next-token
         token = next-token
       ELSE
         BREAK LOOP;
       END
     ELSE
       // Send request to cloudtrail to get the latest cloudtrail events, now pass start_date_time (i.e. max_trail_event_date_time_from_local_db) as parameter.
       // Which will return at most the latest 50 events which are logged after start_date_time.
       // It will also return next-token if more cloudtrail events are remaining.
       IF next-token
         token = next-token
       ELSE
         BREAK LOOP;
       END
     END
   END
Hope it helps.
Answer 1 (score: 0)
Select the maximum date from your local database, then use it as the start date for the CloudTrail events.
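The start-date approach from Answers 0 and 1, as an added Ruby example that is not code from either answer. `FakeCloudTrail`, `sample_events`, `sync_events` and the `store` hash are hypothetical names used so it runs offline; the `start_time`, `next_token` and `max_results` parameters and the `events`, `next_token`, `event_id` and `event_time` fields follow the aws-sdk-cloudtrail `lookup_events` call. Because StartTime matches events at or after the given time, the boundary event is returned again and is skipped by its event ID.

```ruby
# Constructed stand-in for Aws::CloudTrail::Client so the example runs offline.
# It mimics lookup_events: newest first, StartTime inclusive, paged by next_token.
Event = Struct.new(:event_id, :event_name, :event_time)
Page  = Struct.new(:events, :next_token)

class FakeCloudTrail
  attr_reader :calls

  def initialize(events)
    @events = events.sort_by(&:event_time).reverse
    @calls = 0
  end

  def lookup_events(start_time: nil, next_token: nil, max_results: 50)
    @calls += 1
    matching = @events.select { |e| start_time.nil? || e.event_time >= start_time }
    offset = next_token.to_i
    rest = offset + max_results
    Page.new(matching[offset, max_results] || [], rest < matching.size ? rest.to_s : nil)
  end
end

# Constructed sample data: n events, one per minute (hypothetical helper).
def sample_events(n, base = Time.utc(2024, 1, 1))
  (1..n).map { |i| Event.new("evt-#{i}", 'ConsoleLogin', base + 60 * i) }
end

# store: Hash of event_id => Event, standing in for the local database table.
# Returns only the events that were new in this cycle.
def sync_events(client, store, page_size: 50)
  params = { max_results: page_size }
  newest = store.values.map(&:event_time).max
  params[:start_time] = newest if newest      # absent on the very first cycle
  added = []
  loop do
    page = client.lookup_events(**params)
    page.events.each do |e|
      next if store.key?(e.event_id)          # boundary event(s) come back again
      store[e.event_id] = e
      added << e
    end
    break unless page.next_token
    params[:next_token] = page.next_token
  end
  added
end
```

Keeping the stored maximum time as the start time, rather than adding a second to it, avoids dropping events that share the boundary timestamp; the event ID check removes the repeats.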
Answer 2 (score: 0)
You save the "NextToken" in the local database and pass it the next time you call the API. Here is an example.
import boto3

cloudtrail = boto3.client('cloudtrail')
paginator = cloudtrail.get_paginator('lookup_events')

StartingToken = None

page_iterator = paginator.paginate(
    LookupAttributes=[{'AttributeKey': 'EventName', 'AttributeValue': 'RunInstances'}],
    PaginationConfig={'PageSize': 10, 'StartingToken': StartingToken})

for page in page_iterator:
    for event in page["Events"]:
        print(event["EventName"], event["EventTime"])
    try:
        # Persist the token for the next page; the last page has no "NextToken".
        with open("token", "w") as token_file:
            token_file.write(page["NextToken"])
        StartingToken = page["NextToken"]
    except KeyError:
        exit()