I need to analyze EC2 logs on CloudWatch.
Moving them somewhere (e.g. S3) is no problem, but the format is very complex. Each file contains several units, structured as shown below. Each of these units has a "logEvents" list containing many events. The challenge is parsing the "message" part of each event to extract meaningful information from it.
Ideally, I would like to convert the "json" below into a relational format with columns "logGroup", "logStream", "timestamp", "securityID", "AccountName", etc. Any ideas on how to do this?
{
  "messageType": "DATA_MESSAGE",
  "owner": "111111111111",
  "logGroup": "loggroup-test",
  "logStream": "i-stream",
  "logEvents": [
    {
      "id": "34324324324324324324354354354354354354354354354354354354325",
      "timestamp": 1541152802821,
      "message": "[Security] [INFORMATION] [23213] [Microsoft-Windows-Security-Auditing] [A logon was attempted using explicit credentials.
        Subject:
          Security ID: XXXXX
          Account Name: XXXXX$
          Account Domain: XX
          Logon ID: 0xXXX
          Logon GUID: {00000000-0000-0000-0000-000000000000}
        Account Whose Credentials Were Used:
          Account Name: XXXXXXX
          Account Domain: XXX.XXXX
          Logon GUID: {00000000-0000-0000-0000-000000000000}
        (more info here...)
        "  --> end of the "message"
    },
    {
      "another log event"
    },
    {
      "another log event"
    }
  ]
}
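One way to get from this envelope to relational rows, as an added example that is not part of the question or of any answer: a Python script that keeps the envelope fields (owner, logGroup, logStream) on every row, converts the epoch-millisecond timestamp to UTC, splits the bracketed header of the message into channel, level, Windows event ID and provider, and turns the "Key: value" lines of the body into columns. The sample document is constructed to match the shape shown above (the second event, a 4624 logon, is invented to show ragged columns); the tab-separated layout of the body lines and the "Section.Key" column naming are assumptions. The section prefix matters for the columns the question asks for: "Account Name" appears both under "Subject" (the actor) and under "Account Whose Credentials Were Used" (the target), so a single "AccountName" column would conflate the two.

```python
import csv
import io
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed sample modelled on the envelope in the question; not real log data.
SAMPLE_JSON = r'''
{
  "messageType": "DATA_MESSAGE",
  "owner": "111111111111",
  "logGroup": "loggroup-test",
  "logStream": "i-stream",
  "logEvents": [
    {
      "id": "34324324324324324324354354354354354354354354354354354354325",
      "timestamp": 1541152802821,
      "message": "[Security] [INFORMATION] [23213] [Microsoft-Windows-Security-Auditing] [A logon was attempted using explicit credentials.\n\nSubject:\n\tSecurity ID:\t\tXXXXX\n\tAccount Name:\t\tXXXXX$\n\tAccount Domain:\t\tXX\n\tLogon ID:\t\t0xXXX\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nAccount Whose Credentials Were Used:\n\tAccount Name:\t\tXXXXXXX\n\tAccount Domain:\t\tXXX.XXXX\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n]"
    },
    {
      "id": "34324324324324324324354354354354354354354354354354354354326",
      "timestamp": 1541152803000,
      "message": "[Security] [INFORMATION] [4624] [Microsoft-Windows-Security-Auditing] [An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tHOST$\n\nLogon Information:\n\tLogon Type:\t\t3\n]"
    }
  ]
}
'''

# Message header: four bracketed fields, then the event text wrapped in a fifth
# (possibly unclosed) pair of brackets.
HEADER_RE = re.compile(
    r"^\[(?P<channel>[^\]]*)\]\s*\[(?P<level>[^\]]*)\]\s*\[(?P<win_event_id>\d+)\]\s*"
    r"\[(?P<provider>[^\]]*)\]\s*\[?(?P<body>.*)$",
    re.DOTALL,
)
# "Key: value" line; the key is everything before the FIRST colon, so values that
# themselves contain colons (paths, times) are kept whole.
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")


def parse_message(message: str) -> Dict[str, str]:
    """Flatten one Security Auditing message into columns.

    Keys are prefixed with their section ("Subject.Account Name"), because the same
    key occurs in several sections of a single event.
    """
    m = HEADER_RE.match(message)
    if not m:
        return {"raw_message": message}     # unknown shape: keep it, do not drop it
    fields = {k: m.group(k) for k in ("channel", "level", "win_event_id", "provider")}
    body = m.group("body").rstrip()
    if body.endswith("]"):
        body = body[:-1]
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and ":" not in lines[0]:
        fields["description"] = lines.pop(0)
    section = ""
    for ln in lines:
        kv = KV_RE.match(ln)
        if not kv:
            continue                          # free text with no key, not a column
        key, value = kv.group("key"), kv.group("value")
        if value == "":
            section = key                     # "Subject:" opens a new section
            continue
        fields[f"{section}.{key}" if section else key] = value
    return fields


def flatten_records(doc: dict) -> List[Dict[str, object]]:
    """One relational row per logEvent, with the envelope fields copied onto it."""
    envelope = {k: doc.get(k, "") for k in ("owner", "logGroup", "logStream")}
    rows: List[Dict[str, object]] = []
    for ev in doc.get("logEvents", []):
        row: Dict[str, object] = dict(envelope)
        row["event_id"] = ev.get("id", "")
        ts = ev.get("timestamp")
        row["timestamp"] = ts
        # CloudWatch timestamps are epoch milliseconds; integer arithmetic avoids
        # float rounding of the millisecond part.
        if ts is not None:
            epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
            row["time_utc"] = (epoch + timedelta(milliseconds=int(ts))).isoformat()
        row.update(parse_message(ev.get("message", "")))
        rows.append(row)
    return rows


def to_csv(rows: Iterable[Dict[str, object]]) -> str:
    """CSV with a header that is the union of all columns, so ragged events fit."""
    rows = list(rows)
    columns: List[str] = []
    for r in rows:
        for k in r:
            if k not in columns:
                columns.append(k)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(flatten_records(json.loads(SAMPLE_JSON))))
```

Run it over each exported file (one JSON document per unit) and concatenate the CSVs, or point the same `flatten_records` at a Glue/Athena loader instead of `to_csv`. Events whose message does not match the header pattern land in a `raw_message` column rather than being silently dropped, which is the behaviour you want when the parser meets an event type you have not seen yet.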