{
"cloudwatch:cloudtrail": {
"schema": {
"additionalEventData": {},
"apiVersion": "string",
"awsRegion": "string",
"errorCode": "string",
"errorMessage": "string",
"eventID": "string",
"eventName": "string",
"eventSource": "string",
"eventTime": "string",
"eventType": "string",
"eventVersion": "string",
"managementEvent": "boolean",
"readOnly": "boolean",
"recipientAccountId": "string",
"requestID": "string",
"requestParameters": {},
"resources": [],
"responseElements": {},
"serviceEventDetails": {},
"sharedEventID": "string",
"sourceIPAddress": "string",
"userAgent": "string",
"userIdentity": {},
"vpcEndpointId": "string"
},
"parser": "json",
"configuration": {
"embedded_json": true,
"envelope_keys": {
"logGroup": "string",
"logStream": "string",
"messageType": "string",
"owner": "string",
"subscriptionFilters": []
},
"json_path": "logEvents[*].message",
"optional_top_level_keys": [
"additionalEventData",
"apiVersion",
"errorCode",
"errorMessage",
"managementEvent",
"readOnly",
"resources",
"serviceEventDetails",
"sharedEventID",
"vpcEndpointId"
]
}
},
"cloudwatch:control_message": {
"schema": {
"id": "string",
"message": "string",
"timestamp": "integer"
},
"parser": "json",
"configuration": {
"envelope_keys": {
"logGroup": "string",
"logStream": "string",
"messageType": "string",
"owner": "string",
"subscriptionFilters": []
},
"log_patterns": {
"streamalert:envelope_keys": {
"messageType": [
"CONTROL_MESSAGE"
]
}
},
"json_path": "logEvents[*]"
}
},
"cloudwatch:events": {
"schema": {
"account": "string",
"detail": {},
"detail-type": "string",
"id": "string",
"region": "string",
"resources": [],
"source": "string",
"time": "string",
"version": "string"
},
"parser": "json"
},
"cloudwatch:flow_logs": {
"schema": {
"account": "string",
"action": "string",
"bytes": "string",
"destination": "string",
"destport": "string",
"eni": "string",
"flowlogstatus": "string",
"packets": "string",
"protocol": "string",
"source": "string",
"srcport": "string",
"version": "integer",
"windowend": "integer",
"windowstart": "integer"
},
"parser": "json",
"configuration": {
"envelope_keys": {
"logGroup": "string",
"logStream": "string",
"owner": "integer"
},
"json_path": "logEvents[*].extractedFields"
}
},
"cloudwatch:rds_aurora": {
"schema": {
"timestamp": "integer",
"serverhost": "string",
"username": "string",
"host": "string",
"connectionid": "integer",
"queryid": "integer",
"operation": "string",
"database": "string",
"object": "string",
"retcode": "integer"
},
"parser": "csv",
"configuration": {
"envelope_keys": {
"logGroup": "string",
"logStream": "string",
"messageType": "string",
"owner": "string",
"subscriptionFilters": []
},
"json_path": "logEvents[*].message",
"escapechar": "\\",
"quotechar": "'"
}
}
}