
Proper way to support non VPC and cloudtrail sourcetypes #1

Open
rh46 opened this issue Mar 10, 2019 · 1 comment

Comments

@rh46

rh46 commented Mar 10, 2019

RE: How to Ingest Any Log from AWS Cloudwatch Logs via Firehose

I was wondering how to best use CloudwatchFH2HEC.py to ship other log sourcetypes besides VPC and cloudtrail logs (the only two sourcetypes defined in the example script). Which of the approaches below would you recommend, if any? Ideally I could use the same transform function for all Firehose to HEC log shipping.

  1. Add a case statement to match additional cloudwatch log group names to their destination sourcetypes
  2. Don't set the sourcetypes at all and let Splunk handle it somehow
  3. Set SPLUNK_SOURCETYPE=aws:firehose:json

Alternatively I could create separate lambda functions for each sourcetype and pass different values for SPLUNK_SOURCETYPE in the environment variable configuration... but that feels like an anti-pattern.

List of example sourcetypes/use-cases from cloudwatch logs
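Below is an added example of what approach 1 from the list above could look like in a single Firehose transform Lambda. It is not code from the original issue or from CloudwatchFH2HEC.py: it decodes the CloudWatch Logs subscription payload that Firehose hands to the transform, picks a Splunk sourcetype by matching the log group name against a prefix table, honours a SPLUNK_SOURCETYPE environment variable as a global override (option 3), and otherwise falls back to aws:firehose:json. The prefix table entries for Lambda and RDS log groups and the sourcetype names attached to them are assumptions for illustration; the VPC flow log and CloudTrail entries use the Splunk Add-on for AWS sourcetype names. The sample records are constructed inline so the script runs offline.

```python
import base64
import gzip
import json
import os

# Prefix table: CloudWatch log group name prefix -> Splunk sourcetype.
# The VPC flow log and CloudTrail entries use Splunk Add-on for AWS sourcetypes;
# the Lambda and RDS entries (and their sourcetype names) are hypothetical.
SOURCETYPE_BY_LOG_GROUP_PREFIX = {
    "/aws/vpc/flowlogs": "aws:cloudwatchlogs:vpcflow",
    "CloudTrail": "aws:cloudtrail",            # assumes the CloudTrail log group is named "CloudTrail/..."
    "/aws/lambda/": "aws:cloudwatchlogs:lambda",  # hypothetical sourcetype name
    "/aws/rds/": "aws:cloudwatchlogs:rds",        # hypothetical sourcetype name
}
DEFAULT_SOURCETYPE = "aws:firehose:json"  # fallback from option 3 in the issue


def sourcetype_for(log_group):
    """Choose the sourcetype for a log group: env override, then prefix table, then default."""
    override = os.environ.get("SPLUNK_SOURCETYPE")
    if override:
        return override
    for prefix, sourcetype in SOURCETYPE_BY_LOG_GROUP_PREFIX.items():
        if log_group.startswith(prefix):
            return sourcetype
    return DEFAULT_SOURCETYPE


def transform_record(record):
    """Turn one Firehose record (gzip+base64 CloudWatch Logs payload) into newline-delimited HEC events."""
    payload = json.loads(gzip.decompress(base64.b64decode(record["data"])))
    if payload.get("messageType") != "DATA_MESSAGE":
        # CONTROL_MESSAGE records carry no log events; tell Firehose to drop them.
        return {"recordId": record["recordId"], "result": "Dropped"}
    sourcetype = sourcetype_for(payload["logGroup"])
    lines = []
    for ev in payload["logEvents"]:
        lines.append(json.dumps({
            "time": ev["timestamp"] / 1000.0,   # CloudWatch timestamps are milliseconds; HEC wants seconds
            "host": payload["owner"],           # AWS account id that owns the log group
            "source": payload["logGroup"] + ":" + payload["logStream"],
            "sourcetype": sourcetype,
            "event": ev["message"],
        }))
    data = "\n".join(lines) + "\n"
    return {
        "recordId": record["recordId"],
        "result": "Ok",
        "data": base64.b64encode(data.encode("utf-8")).decode("ascii"),
    }


def lambda_handler(event, context):
    """Firehose transformation entry point: one output record per input record."""
    return {"records": [transform_record(r) for r in event["records"]]}


def make_sample_record(record_id, log_group, messages, message_type="DATA_MESSAGE"):
    """Build a constructed Firehose record in the CloudWatch Logs subscription format (test data)."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",  # constructed account id
        "logGroup": log_group,
        "logStream": "stream-1",
        "subscriptionFilters": ["to-firehose"],
        "logEvents": [
            {"id": str(i), "timestamp": 1552262400000 + i, "message": m}
            for i, m in enumerate(messages)
        ],
    }
    raw = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"recordId": record_id, "data": base64.b64encode(raw).decode("ascii")}


def decode_output(transformed):
    """Decode a transformed record's HEC events back into dicts for inspection."""
    text = base64.b64decode(transformed["data"]).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line]


if __name__ == "__main__":
    sample_event = {"records": [
        make_sample_record("r1", "/aws/vpc/flowlogs", ["2 123456789012 eni-0a 10.0.0.5 10.0.0.9 443 51234 6 10 840 1552262400 1552262460 ACCEPT OK"]),
        make_sample_record("r2", "/aws/lambda/my-func", ["START RequestId: constructed-id Version: $LATEST"]),
        make_sample_record("r3", "/custom/app", ["{\"level\":\"info\"}"]),
        make_sample_record("r4", "/aws/lambda/my-func", [], message_type="CONTROL_MESSAGE"),
    ]}
    for out in lambda_handler(sample_event, None)["records"]:
        if out["result"] == "Ok":
            for ev in decode_output(out):
                print(out["recordId"], ev["sourcetype"], ev["source"])
        else:
            print(out["recordId"], out["result"])
```

Ordering matters in the prefix table: a more specific prefix must come before a shorter one that would also match, and the default keeps unknown log groups flowing to Splunk rather than failing the record.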

@gliptak

gliptak commented Jul 21, 2020

From the above list, I submitted #3 for lambda support
