AWS CloudWatch LogGroup never sends logs to Lambda despite a SubscriptionFilter

Time: 2019-01-29 22:53:22

Tags: aws-lambda amazon-cloudformation amazon-cloudwatch amazon-kinesis amazon-kinesis-firehose

Goal: set up a CloudFormation stack that takes a log group name as a parameter. Whenever new logs appear in that log group, they are sent to a Lambda function for processing, then to Kinesis Firehose, which then writes the log files into a bucket named foobarbaz.

Problem: the Lambda function is never invoked (the Lambda's CloudWatch logs show that it is not triggered even after new data appears in the log group). Since I have set up the SubscriptionFilter resource, the invocation should happen automatically. I don't see any errors. Whatever is happening seems to be failing silently.

Note: the FilterPattern on the SubscriptionFilter is set to an empty string. My intention is to send all logs from the log group to the Lambda function.

Here is my CloudFormation template:

Parameters:
  LogGroupName:
    Type: String
    Description: The name of the log group whose logs we want to send to Lambda->Kinesis->S3

  AuditTrailPrefix:
    Type: String
    Description: Log files will be sent to the Logging account S3 bucket with this prefix in the bucket path

Resources:  
  AuditTrailFunctionPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref AuditTrailFunction
      Principal: logs.amazonaws.com
      SourceAccount: !Ref AWS::AccountId

  AuditTrailFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: !GetAtt AuditTrailFunctionRole.Arn
      Code:
        ZipFile: >
          // do some stuff with the data and PUT it to KinesisFirehose
          // removed for brevity
      Runtime: nodejs8.10
      Timeout: 30

  AuditTrailFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - firehose:PutRecord
                  - firehose:PutRecordBatch
                Effect: Allow
                Resource: !Sub arn:aws:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${AuditTrailDeliveryStream}
            Version: '2012-10-17'
          PolicyName: root

  AuditTrailSubscription:
    Type: AWS::Logs::SubscriptionFilter
    DependsOn: AuditTrailFunctionPermissions
    Properties:
      DestinationArn: !GetAtt AuditTrailFunction.Arn
      FilterPattern: ''
      LogGroupName: !Ref LogGroupName

  AuditTrailDeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamType: DirectPut
      S3DestinationConfiguration:
        BucketARN: arn:aws:s3:::foobarbaz
        BufferingHints:
          IntervalInSeconds: 60
          SizeInMBs: 50
        CompressionFormat: GZIP
        Prefix: !Ref AuditTrailPrefix
        RoleARN: !GetAtt DeliveryRole.Arn

  DeliveryRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          Effect: Allow
          Principal:
            Service: firehose.amazonaws.com
          Action: sts:AssumeRole

      Policies:
        - PolicyName: firehose_delivery_policy
          PolicyDocument:
            Statement:
              Effect: Allow
              Action:
                - s3:AbortMultipartUpload
                - s3:GetBucketLocation
                - s3:GetObject
                - s3:ListBucket
                - s3:ListBucketMultipartUploads
                - s3:PutObject
              Resource:
                - arn:aws:s3:::foobarbaz
                - !Sub arn:aws:s3:::foobarbaz/${AuditTrailPrefix}*

2 answers:

Answer 0: (score: 0)

I don't see any errors, but here are some tips for troubleshooting:

  1. The Lambda function is invoked only when new logs are uploaded to your log group. It is not invoked for data that was already in the log group before the subscription filter was set up.

  2. If #1 is not the case (i.e. you are uploading new data), go to CloudWatch -> Metrics and search for the log group name. You should find 4 metrics related to your subscription filter: ForwardedBytes, ForwardedLogEvents, DeliveryErrors, DeliveryThrottling. See this for a description. If the DeliveryErrors or DeliveryThrottling metric is greater than 0, there is a problem.

  3. The most likely cause of DeliveryErrors is a permissions problem. I did not spot your problem, but that is what I would double-check first.

  4. You can debug the subscription setup manually with the AWS CLI (see this). This can help you find out which part of the setup may be causing the problem.

Answer 1: (score: 0)

I suspect it is because RoleArn is missing from your AuditTrailSubscription resource. Without it, CloudWatch has no permission to execute your Lambda function.

Here is the documentation page for AWS::Logs::SubscriptionFilter: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-subscriptionfilter.html