AWS Cloudwatch
PacketAI's CloudWatch collector (an AWS Lambda function) sends logs to PacketAI for automated anomaly detection. Here is the code for the Lambda function:
const AWS = require('aws-sdk');
const http = require('http');
const zlib = require('zlib');
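// Collector settings. The handler below embeds `infrastructure` (the API key)
// in the request path, so this object carries a secret: keep it out of logs.
// Frozen so nothing can silently repoint the collector at another host or key.
// `tags` is not referenced by the handler in this file.
const PacketAIConfiguration = Object.freeze({
  hostName: "ingest.packetai.co",
  infrastructure: "API_KEY", // to be changed to the client's API key
  tags: "aws"
});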
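// entry point: invoked by the CloudWatch Logs subscription filter with a
// base64-encoded, gzip-compressed JSON document in event.awslogs.data
exports.handler = (event, context, callback) => {
  // Report completion to Lambda exactly once, whichever of the response,
  // error or exception paths below finishes first.
  let finished = false;
  const finish = (err, message) => {
    if (finished) {
      return;
    }
    finished = true;
    callback(err, message);
  };

  /**
   * Normalise one CloudWatch log event into the record sent to PacketAI.
   * @param {{message: string, timestamp: number}} logEvent - raw CloudWatch event
   * @param {string} logGroupName
   * @param {string} logStreamName
   * @returns {{message: string, logGroupName: string, logStreamName: string, timestamp: string}}
   */
  function parseEvent(logEvent, logGroupName, logStreamName) {
    return {
      // remove the '\n' character CloudWatch leaves at the end of each event
      message: logEvent.message.trim(),
      logGroupName,
      logStreamName,
      timestamp: new Date(logEvent.timestamp).toISOString()
    };
  }

  /**
   * POST the parsed events to the PacketAI ingest endpoint as one JSON array
   * and report the outcome through the Lambda callback.
   * @param {object[]} parsedEvents - records produced by parseEvent
   */
  function postEventsToPacketAI(parsedEvents) {
    const body = JSON.stringify(parsedEvents);
    const options = {
      hostname: PacketAIConfiguration.hostName,
      // NOTE(review): the API key is carried in the request path and the
      // request goes over plain HTTP; prefer the https module (and keep the
      // path out of any request logging) if the ingest endpoint supports TLS.
      path: `/${PacketAIConfiguration.infrastructure}/aws/events/logs`,
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        // byte length, not string length: log lines may contain multi-byte UTF-8
        'Content-Length': Buffer.byteLength(body)
      }
    };
    try {
      const req = http.request(options, (res) => {
        // The body can arrive in several chunks; buffer it and parse once on
        // 'end' so a partial chunk never reaches JSON.parse.
        const chunks = [];
        res.on('data', (chunk) => chunks.push(chunk));
        res.on('end', () => {
          const raw = Buffer.concat(chunks).toString('utf8');
          let result = null;
          try {
            result = raw.length > 0 ? JSON.parse(raw) : null;
          } catch (parseErr) {
            console.log('unparseable response from PacketAI:', parseErr.message);
          }
          if (result != null && result.response === 'ok') {
            finish(null, 'all events are sent to PacketAI');
            return;
          }
          // Not acknowledged: log the status and whatever came back, then
          // complete without reporting an error.
          console.log('PacketAI responded with status', res.statusCode);
          console.log(result != null ? result.response : raw);
          console.log('No more data in response.');
          finish();
        });
      });
      req.on('error', (err) => {
        console.log('problem with request:', err.toString());
        finish(err);
      });
      req.write(body);
      req.end();
    } catch (ex) {
      // http.request can throw synchronously on bad options; hand Lambda the
      // Error itself rather than only its message.
      console.log(ex.message);
      finish(ex);
    }
  }

  if (!event || !event.awslogs || typeof event.awslogs.data !== 'string') {
    finish(new Error('event.awslogs.data is missing; expected a CloudWatch Logs subscription event'));
    return;
  }
  const payload = Buffer.from(event.awslogs.data, 'base64');

  zlib.gunzip(payload, (error, result) => {
    if (error) {
      finish(error);
      return;
    }
    let resultParsed;
    try {
      // utf8, not ascii: ascii decoding would mangle any non-ASCII log text
      resultParsed = JSON.parse(result.toString('utf8'));
    } catch (parseErr) {
      // Previously an uncaught throw inside the zlib callback; surface it instead.
      finish(parseErr);
      return;
    }
    const logEvents = Array.isArray(resultParsed.logEvents) ? resultParsed.logEvents : [];
    const parsedEvents = logEvents.map((logEvent) =>
      parseEvent(logEvent, resultParsed.logGroup, resultParsed.logStream)
    );
    postEventsToPacketAI(parsedEvents);
  });
};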
Preparation
  1. 1.
    If you have an existing Lambda function associated with the log group to be set up, you must go to AWS CloudWatch page and delete the existing subscription filter, otherwise you will get this error message: “An error occurred when creating the trigger: The log group host-log already has an enabled subscription filter associated with it.”
  2. 2.
    If you do not have an existing role with Lambda execution permission, go to the AWS IAM service and create a role for running Lambda functions.
Installation
  1. 1.
    Create a new lambda function with the code above
    To create a new Lambda function
    1. 1.
    2. 2.
      Select “Author from scratch”
    3. 3.
      Provide the following base information:
      • Function Name: packetai-cloudwatch
      • Runtime: Node.js 12.x
    4. 4.
      Click on “Create function”
  2. 2.
    Click on Designer and click on “Add a trigger”. Type “CloudWatch Logs” and choose your log group.
Configuration
No additional configuration is required beyond replacing the `infrastructure` placeholder in the code above with your PacketAI API key.