amazon-web-services - Streaming logs to Elasticsearch using a CloudFormation template

Tags: amazon-web-services aws-cloudformation amazon-cloudwatchlogs amazon-cloudtrail

CloudTrail logs can be streamed to an Elasticsearch domain by default, as shown in this image. How can this be done using a CloudFormation template?

(screenshot in the original question)

Best answer

Update:

If you are using the aws-cli, see my answer here


Well, after a few hours of exploring and reading a lot of documentation, I finally managed to create this template.

Designer overview: (screenshot in the original answer)

To enable streaming logs to Elasticsearch, we need to create the following resources:

  1. A Lambda function that forwards logs from the CloudWatch log group to Elasticsearch.
  2. The associated IAM role, used to read logs from CloudWatch and insert them into Elasticsearch.
  3. Lambda permission - the AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function; here it allows the CloudWatch log group to trigger the Lambda.
  4. Subscription filter - the AWS::Logs::SubscriptionFilter resource specifies a subscription filter and associates it with the specified log group. Subscription filters allow you to subscribe to a real-time stream of log events and deliver them to a specific destination.

Template usage:

  1. Download LogsToElasticsearch.zip from my GitHub page.
  2. Update var endpoint = '${Elasticsearch_Endpoint}'; in index.js with your Elasticsearch URL, e.g. 'search-xxx-yyyy.eu-west-1.es.amazonaws.com';
  3. Copy the zip file to the S3 bucket that will be used in the template (LambdaArtifactBucketName).
  4. Fill in the relevant parameters - a description is provided for each one.

Template YAML:

AWSTemplateFormatVersion: 2010-09-09
Description: Enable logs to elasticsearch
Parameters:
  ElasticsearchDomainName:
    Description: Name of the Elasticsearch domain that you want to insert logs to
    Type: String
    Default: amitb-elastic-domain
  CloudwatchLogGroup:
    Description: Name of the log group you want to subscribe
    Type: String
    Default: /aws/eks/amitb-project/cluster
  LambdaName:
    Description: Name of the lambda function
    Type: String
    Default: amitb-cloudwatch-logs
  LambdaRole:
    Description: Name of the role used by the lambda function
    Type: String
    Default: amit-cloudwatch-logs-role
  LambdaArtifactBucketName:
    Description: The bucket where the lambda function located
    Type: String
    Default: amit-bucket
  LambdaArtifactName:
    Description: The name of the lambda zipped file
    Type: String
    Default: LogsToElasticsearch.zip
  VPC:
    Description: Choose which VPC the Lambda-functions should be deployed to
    Type: 'AWS::EC2::VPC::Id'
    Default: vpc-1111111
  Subnets:
    Description: Choose which subnets the Lambda-functions should be deployed to
    Type: 'List<AWS::EC2::Subnet::Id>'
    Default: 'subnet-123456789,subnet-123456456,subnet-123456741'
  SecurityGroup:
    Description: Select the Security Group to use for the Lambda-functions
    Type: 'List<AWS::EC2::SecurityGroup::Id>'
    Default: 'sg-2222222,sg-12345678'
Resources:
  ExampleInvokePermission:
    Type: 'AWS::Lambda::Permission'
    DependsOn: ExampleLambdaFunction
    Properties:
      FunctionName:
        'Fn::GetAtt':
          - ExampleLambdaFunction
          - Arn
      Action: 'lambda:InvokeFunction'
      Principal: !Sub 'logs.${AWS::Region}.amazonaws.com'
      SourceArn: !Sub >-
        arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CloudwatchLogGroup}:*
      SourceAccount: !Ref 'AWS::AccountId'
  LambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Ref LambdaRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: lambda-to-es-via-vpc-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'es:*'
                Resource:
                  - !Sub >-
                    arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ElasticsearchDomainName}
        - PolicyName: logs-and-ec2-permissions
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:DescribeNetworkInterfaces'
                  - 'ec2:DeleteNetworkInterface'
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
  ExampleLambdaFunction:
    Type: 'AWS::Lambda::Function'
    DependsOn: LambdaExecutionRole
    Properties:
      Code:
        S3Bucket: !Ref LambdaArtifactBucketName
        S3Key: !Ref LambdaArtifactName
      FunctionName: !Ref LambdaName
      Handler: !Sub '${LambdaName}.handler'
      Role:
        'Fn::GetAtt':
          - LambdaExecutionRole
          - Arn
      Runtime: nodejs8.10
      Timeout: '300'
      VpcConfig:
        SecurityGroupIds: !Ref SecurityGroup
        SubnetIds: !Ref Subnets
      MemorySize: 512
  SubscriptionFilter:
    Type: 'AWS::Logs::SubscriptionFilter'
    DependsOn: ExampleInvokePermission
    Properties:
      LogGroupName: !Ref CloudwatchLogGroup
      FilterPattern: '[host, ident, authuser, date, request, status, bytes]'
      DestinationArn:
        'Fn::GetAtt':
          - ExampleLambdaFunction
          - Arn

Result: (screenshots of the deployed stack and of the CloudWatch logs in the original answer)

Hope you find it helpful.

Update 02/09/2020:

Node.js 8.10 is now deprecated; you should use Node.js 10 or 12.

https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html


This page on amazon-web-services - streaming logs to Elasticsearch using a CloudFormation template is based on a similar question on Stack Overflow: https://stackoverflow.com/questions/58425218/
