AWS Cloudwatch Logs Subscription Parser
Parse logs from AWS Cloudwatch Logs
egress: batch
state: stateless
output: log
status: deprecated
Parses AWS CloudWatch Logs events (configured through AWS Cloudwatch
subscriptions) coming from the
aws_kinesis_firehose source.Warnings
This transform has been deprecated in favor of the remap
transform, which enables you to use Vector Remap Language (VRL for short) to
create transform logic of any degree of complexity. The examples below show how you can use VRL to
replace this transform’s functionality.
.message = parse_aws_cloudwatch_log_subscription_message(.message)
Configuration
Example configurations
{
"transforms": {
"my_transform_id": {
"type": "aws_cloudwatch_logs_subscription_parser",
"inputs": [
"my-source-or-transform-id"
],
"field": "message"
}
}
}[transforms.my_transform_id]
type = "aws_cloudwatch_logs_subscription_parser"
inputs = [ "my-source-or-transform-id" ]
field = "message"
---
transforms:
my_transform_id:
type: aws_cloudwatch_logs_subscription_parser
inputs:
- my-source-or-transform-id
field: message
{
"transforms": {
"my_transform_id": {
"type": "aws_cloudwatch_logs_subscription_parser",
"inputs": [
"my-source-or-transform-id"
],
"field": "message"
}
}
}[transforms.my_transform_id]
type = "aws_cloudwatch_logs_subscription_parser"
inputs = [ "my-source-or-transform-id" ]
field = "message"
---
transforms:
my_transform_id:
type: aws_cloudwatch_logs_subscription_parser
inputs:
- my-source-or-transform-id
field: message
field
common optional string literalThe log field to decode as an AWS CloudWatch Logs Subscription JSON event. The field must hold a string value.
default:
messageinputs
required [string]A list of upstream source or transform
IDs. Wildcards (*) are supported.
See configuration for more info.
Output
Logs
Line
One event will be published per log event in the subscription message.
id
required
string
literal
The CloudWatch Logs event id.
Examples
35683658089614582423604394983260738922885519999578275840log_group
required
string
literal
The log group the event came from.
Examples
/lambda/testlog_stream
required
string
literal
The log stream the event came from.
Examples
2020/03/24/[$LATEST]794dbaf40a7846c4984ad80ebf110544message
required
string
literal
The body of the log event.
Examples
hello{"key": "value"}owner
required
string
literal
The ID of the AWS account the logs came from.
Examples
111111111111subscription_filters
required
[string]
The list of subscription filter names that the logs were sent by.
timestamp
required
timestamp
The timestamp of the log event.
Examples
2020-10-10T17:07:36.452332ZTelemetry
Metrics
linkcomponent_received_event_bytes_total
counterThe number of event bytes accepted by this component either from
tagged origins like file and uri, or cumulatively from other origins.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the event originates.
file
optional
The file from which the event originates.
host
required
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the event originates.
peer_path
optional
The pathname from which the event originates.
pid
required
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the event originates.
uri
optional
The sanitized URI from which the event originates.
component_received_events_total
counterThe number of events accepted by this component either from tagged
origins like file and uri, or cumulatively from other origins.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the event originates.
file
optional
The file from which the event originates.
host
required
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the event originates.
peer_path
optional
The pathname from which the event originates.
pid
required
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the event originates.
uri
optional
The sanitized URI from which the event originates.
component_sent_event_bytes_total
counterThe total number of event bytes emitted by this component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
required
The hostname of the system Vector is running on.
pid
required
The process ID of the Vector instance.
component_sent_events_total
counterThe total number of events emitted by this component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
required
The hostname of the system Vector is running on.
pid
required
The process ID of the Vector instance.
events_in_total
counterThe number of events accepted by this component either from tagged
origins like file and uri, or cumulatively from other origins.
This metric is deprecated and will be removed in a future version.
Use
component_received_events_total instead.component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the event originates.
file
optional
The file from which the event originates.
host
required
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the event originates.
peer_path
optional
The pathname from which the event originates.
pid
required
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the event originates.
uri
optional
The sanitized URI from which the event originates.
events_out_total
counterThe total number of events emitted by this component.
This metric is deprecated and will be removed in a future version.
Use
component_sent_events_total instead.component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
required
The hostname of the system Vector is running on.
pid
required
The process ID of the Vector instance.
processed_bytes_total
counterThe number of bytes processed by the component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the bytes originate.
file
optional
The file from which the bytes originate.
host
required
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the bytes originate.
peer_path
optional
The pathname from which the bytes originate.
pid
required
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the bytes originate.
uri
optional
The sanitized URI from which the bytes originate.
processed_events_total
counterThe total number of events processed by this component.
This metric is deprecated in place of using
component_received_events_total and
component_sent_events_total metrics.component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
required
The hostname of the system Vector is running on.
pid
required
The process ID of the Vector instance.
processing_errors_total
counterThe total number of processing errors encountered by this component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
error_type
required
The type of the error
host
required
The hostname of the system Vector is running on.
pid
required
The process ID of the Vector instance.
utilization
gaugeA ratio from 0 to 1 of the load on a component. A value of 0 would indicate a completely idle component that is simply waiting for input. A value of 1 would indicate a that is never idle. This value is updated every 5 seconds.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
required
The hostname of the system Vector is running on.
pid
required
The process ID of the Vector instance.
Examples
Default
Given this event...{
"log": {
"message": "\t{\n\t \"messageType\": \"DATA_MESSAGE\",\n\t \"owner\": \"111111111111\",\n\t \"logGroup\": \"test\",\n\t \"logStream\": \"test\",\n\t \"subscriptionFilters\": [\n\t\t\"Destination\"\n\t ],\n\t \"logEvents\": [\n\t\t{\n\t\t \"id\": \"35683658089614582423604394983260738922885519999578275840\",\n\t\t \"timestamp\": 1600110569039,\n\t\t \"message\": \"{\"bytes\":26780,\"datetime\":\"14/Sep/2020:11:45:41 -0400\",\"host\":\"157.130.216.193\",\"method\":\"PUT\",\"protocol\":\"HTTP/1.0\",\"referer\":\"https://www.principalcross-platform.io/markets/ubiquitous\",\"request\":\"/expedite/convergence\",\"source_type\":\"stdin\",\"status\":301,\"user-identifier\":\"-\"}\"\n\t\t},\n\t\t{\n\t\t \"id\": \"35683658089659183914001456229543810359430816722590236673\",\n\t\t \"timestamp\": 1600110569041,\n\t\t \"message\": \"{\"bytes\":17707,\"datetime\":\"14/Sep/2020:11:45:41 -0400\",\"host\":\"109.81.244.252\",\"method\":\"GET\",\"protocol\":\"HTTP/2.0\",\"referer\":\"http://www.investormission-critical.io/24/7/vortals\",\"request\":\"/scale/functionalities/optimize\",\"source_type\":\"stdin\",\"status\":502,\"user-identifier\":\"feeney1708\"}\"\n\t\t}\n\t ]\n\t}"
}
}[transforms.my_transform_id]
type = "aws_cloudwatch_logs_subscription_parser"
inputs = [ "my-source-or-transform-id" ]
field = "message"
---
transforms:
my_transform_id:
type: aws_cloudwatch_logs_subscription_parser
inputs:
- my-source-or-transform-id
field: message
{
"transforms": {
"my_transform_id": {
"type": "aws_cloudwatch_logs_subscription_parser",
"inputs": [
"my-source-or-transform-id"
],
"field": "message"
}
}
}{
"id": "35683658089614582423604394983260738922885519999578275840",
"log_group": "test",
"log_stream": "test",
"message": "{\"bytes\":26780,\"datetime\":\"14/Sep/2020:11:45:41 -0400\",\"host\":\"157.130.216.193\",\"method\":\"PUT\",\"protocol\":\"HTTP/1.0\",\"referer\":\"https://www.principalcross-latform.io/markets/ubiquitous\",\"request\":\"/expedite/convergence\",\"source_type\":\"stdin\",\"status\":301,\"user-identifier\":\"-\"}",
"owner": "111111111111",
"subscription_filters": [
"Destination"
],
"timestamp": "2020-09-14T19:09:29.039Z"
}How it works
Structured Log Events
Note that the events themselves are not parsed. If they are structured data, you will typically want to pass them through a parsing transform.