AWS Lambda functions for shipping various AWS logs to an Elastic Stack
Building requires the dep dependency manager
for Go. You can install it via go get:
go get -u github.com/golang/dep/cmd/dep
Default make target will download dependencies, run unit tests, and compile.
-
make buildInstall dependencies and compile.
-
make testInstall dependencies and run tests.
-
make cleanClean up artifacts.
-
make depsInstall dependencies.
The binary artifacts are designed for use in AWS Lambda.
Set Cloudwatch log groups as a trigger for a Lambda function with the
artifact cloudwatch.zip. Every time the function triggers, the logs will
be split into keys, JSON encoded, and POSTed to the configured endpoint.
Set ELBs to ship access logs to S3. Then set the S3 bucket PUT as a trigger
for the Lambda function with a artifact elb.zip. The logs will be downloaded
from S3, split into keys, JSON encoded, and POSTed to the configured endpoint.
Note that encoding and transmission will occur in an indeterminate order and with unlimited concurrency.
-
CHUNK_SIZENumber of logs to transmit in a single request.
-
INDEXNAMEThis will be passed as a json parameter
indexname, to be used by the Logstash listener. -
LOGSTASHHTTP endpoint to send logs to.
-
LOG_LEVELMinimum log level for this function's logging.
-
DELIMITERDelimiter character to use between records when encoding.
Deploy the Lambda functions using Cloudformation and AWS CLI.
Cloudwatch:
# Deploy the Lambda package to S3 and transform template
aws cloudformation package \
--template resources/cloudformation/cloudwatch.yml \
--s3-bucket <S3 Bucket> \
--s3-prefix logs-to-elastic \
--output-template-file /tmp/cloudwatch.yml
# Deploy the template
aws cloudformation deploy \
--template-file /tmp/cloudwatch.yml \
--stack-name CloudwatchLogsToElastic \
--capabilities CAPABILITY_IAM \
--s3-bucket <S3 Bucket> \
--s3-prefix logs-to-elastic \
--parameter-overrides \
'LambdaSecurityGroups=sg-123456' \
'LambdaSubnets=subnet-12345,subnet-6789' \
'IndexName=cloudwatch' \
'Logstash=http://logstash.endpoint'
ELB:
# Deploy the Lambda package to S3 and transform template
aws cloudformation package \
--template resources/cloudformation/elb.yml \
--s3-bucket <S3 Bucket> \
--s3-prefix logs-to-elastic \
--output-template-file /tmp/elb.yml
# Deploy the template
aws cloudformation deploy \
--template-file /tmp/elb.yml \
--stack-name ElbLogsToElastic \
--capabilities CAPABILITY_IAM \
--s3-bucket <S3 Bucket> \
--s3-prefix logs-to-elastic \
--parameter-overrides \
'LambdaSecurityGroups=sg-123456' \
'LambdaSubnets=subnet-12345,subnet-6789' \
'IndexName=elb' \
'Logstash=http://logstash.endpoint' \
'LogS3Bucket=<s3-bucket-name>'