CloudWatch Contributor Insights rule examples - Amazon CloudWatch

CloudWatch Contributor Insights rule examples

This section contains examples that illustrate use cases for Contributor Insights rules. The VPC flow log rules use LogFormat CLF, so each field is addressed by its 1-based column position in the default flow log record format (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status); if a flow log uses a custom format, the positions in Fields must be adjusted to match. The Route 53 rules use LogFormat JSON and address fields with "$.field" selectors.

VPC flow logs: byte transfers by source and destination IP address

This rule sums the bytes column for every record and reports the top source/destination address pairs by volume.

{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "LogGroupNames": [
        "/aws/containerinsights/sample-cluster-name/flowlogs"
    ],
    "LogFormat": "CLF",
    "Fields": {
        "4": "srcaddr",
        "5": "dstaddr",
        "10": "bytes"
    },
    "Contribution": {
        "Keys": [
            "srcaddr",
            "dstaddr"
        ],
        "ValueOf": "bytes",
        "Filters": []
    },
    "AggregateOn": "Sum"
}

VPC flow logs: highest number of HTTPS requests

This rule keeps only records whose destination port is 443 and sums their packet counts per destination address, so the top contributors are the hosts receiving the most HTTPS traffic.

{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "LogGroupNames": [
        "/aws/containerinsights/sample-cluster-name/flowlogs"
    ],
    "LogFormat": "CLF",
    "Fields": {
        "5": "destination address",
        "7": "destination port",
        "9": "packet count"
    },
    "Contribution": {
        "Keys": [
            "destination address"
        ],
        "ValueOf": "packet count",
        "Filters": [
            {
                "Match": "destination port",
                "EqualTo": 443
            }
        ]
    },
    "AggregateOn": "Sum"
}

VPC flow logs: rejected TCP connections

This rule matches records with protocol 6 (TCP) and action REJECT and counts them per network interface and source address, which surfaces the sources hitting security group or network ACL denies most often. Because the rule counts matching records rather than adding up a field, AggregateOn is Count; Sum is only meaningful together with a ValueOf field.

{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "LogGroupNames": [
        "/aws/containerinsights/sample-cluster-name/flowlogs"
    ],
    "LogFormat": "CLF",
    "Fields": {
        "3": "interfaceID",
        "4": "sourceAddress",
        "8": "protocol",
        "13": "action"
    },
    "Contribution": {
        "Keys": [
            "interfaceID",
            "sourceAddress"
        ],
        "Filters": [
            {
                "Match": "protocol",
                "EqualTo": 6
            },
            {
                "Match": "action",
                "In": [
                    "REJECT"
                ]
            }
        ]
    },
    "AggregateOn": "Count"
}

Route 53 NXDomain responses by source address

The remaining rules read Route 53 Resolver query logs, which are JSON, so fields are referenced with "$." selectors and <loggroupname> is the query log group. This rule counts queries that received an NXDOMAIN response code per source address; a source generating many NXDOMAIN responses is a common sign of DNS-based reconnaissance, DGA malware or a misconfigured resolver.

{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "AggregateOn": "Count",
    "Contribution": {
        "Filters": [
            {
                "Match": "$.rcode",
                "StartsWith": [
                    "NXDOMAIN"
                ]
            }
        ],
        "Keys": [
            "$.srcaddr"
        ]
    },
    "LogFormat": "JSON",
    "LogGroupNames": [
        "<loggroupname>"
    ]
}

Route 53 Resolver queries by domain name

{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "AggregateOn": "Count",
    "Contribution": {
        "Filters": [],
        "Keys": [
            "$.query_name"
        ]
    },
    "LogFormat": "JSON",
    "LogGroupNames": [
        "<loggroupname>"
    ]
}

Route 53 Resolver queries by query type and source address

{
    "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
    },
    "AggregateOn": "Count",
    "Contribution": {
        "Filters": [],
        "Keys": [
            "$.query_type",
            "$.srcaddr"
        ]
    },
    "LogFormat": "JSON",
    "LogGroupNames": [
        "<loggroupname>"
    ]
}
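To try a rule definition before deploying it, the following Python script (an added example, not code from the AWS documentation) evaluates a rule locally against sample log lines. It implements the rule constructs used by the VPC flow log and Route 53 examples above (CLF and JSON log formats, Keys, ValueOf, the EqualTo, In and StartsWith filters, Count and Sum aggregation) plus a small validate() check that catches the two mistakes most easily made when writing these rules by hand: a Keys or Match name that is not mapped in Fields, and a Sum rule without ValueOf. The flow log lines and Resolver events are constructed samples, and the service's time windows, top-N limits and exact treatment of missing fields are not reproduced; JSON selectors are resolved for top-level fields only.

```python
"""Offline evaluator for CloudWatch Contributor Insights rules (added example, not AWS
code).  Covers the slice of rule syntax this page uses: LogFormat CLF and JSON (top-level
fields), Keys, ValueOf, Filters with EqualTo / In / StartsWith, AggregateOn Count / Sum.
Time windows, top-N limits and missing-field handling are assumptions of this script."""
from collections import Counter


def validate(rule):
    """Return the problems found in a rule definition (empty list = looks fine)."""
    problems, contrib = [], rule.get("Contribution", {})
    refs = list(contrib.get("Keys", [])) + [f["Match"] for f in contrib.get("Filters", [])]
    if rule.get("AggregateOn") == "Sum":
        if "ValueOf" in contrib:
            refs.append(contrib["ValueOf"])
        else:
            problems.append("AggregateOn Sum requires Contribution.ValueOf")
    if rule.get("LogFormat") == "CLF":  # a CLF rule may only use names mapped in Fields
        defined = set(rule.get("Fields", {}).values())
        problems += [f"field {r!r} is not defined in Fields" for r in refs if r not in defined]
    return problems


def _fields(rule, event):
    """Map one raw event to {reference: value} according to the rule's LogFormat."""
    if rule["LogFormat"] == "JSON":  # "$.name" selectors; nested paths not handled here
        return {f"$.{k}": v for k, v in event.items()}
    tokens = event.split()  # CLF: space-delimited columns, positions are 1-based
    return {n: tokens[int(p) - 1] for p, n in rule["Fields"].items() if int(p) <= len(tokens)}


def _matches(filt, fields):
    """Evaluate one Filters entry; an event that lacks the field does not match."""
    if filt["Match"] not in fields:
        return False
    value = str(fields[filt["Match"]])  # CLF columns are strings, so compare textually
    if "EqualTo" in filt:
        return value == str(filt["EqualTo"])
    if "In" in filt:
        return value in {str(v) for v in filt["In"]}
    if "StartsWith" in filt:
        return any(value.startswith(str(p)) for p in filt["StartsWith"])
    raise ValueError(f"unsupported filter operator in {filt}")


def evaluate(rule, events):
    """Return [(key_tuple, aggregate), ...] over events passing every filter, largest first."""
    problems = validate(rule)
    if problems:
        raise ValueError("; ".join(problems))
    contrib, total, is_sum = rule["Contribution"], Counter(), rule["AggregateOn"] == "Sum"
    needed = list(contrib["Keys"]) + ([contrib["ValueOf"]] if is_sum else [])
    for event in events:
        fields = _fields(rule, event)
        if any(r not in fields for r in needed):
            continue  # a contributor needs every key (and the ValueOf field) present
        if not all(_matches(f, fields) for f in contrib.get("Filters", [])):
            continue
        key = tuple(str(fields[k]) for k in contrib["Keys"])
        total[key] += float(fields[contrib["ValueOf"]]) if is_sum else 1
    return total.most_common()


# Three of the page's rules as dicts (LogGroupNames omitted; the evaluator ignores it).
SCHEMA = {"Name": "CloudWatchLogRule", "Version": 1}
REJECTED_TCP_RULE = {
    "Schema": SCHEMA, "LogFormat": "CLF", "AggregateOn": "Count",
    "Fields": {"3": "interfaceID", "4": "sourceAddress", "8": "protocol", "13": "action"},
    "Contribution": {"Keys": ["interfaceID", "sourceAddress"],
                     "Filters": [{"Match": "protocol", "EqualTo": 6},
                                 {"Match": "action", "In": ["REJECT"]}]},
}
BYTES_RULE = {
    "Schema": SCHEMA, "LogFormat": "CLF", "AggregateOn": "Sum",
    "Fields": {"4": "srcaddr", "5": "dstaddr", "10": "bytes"},
    "Contribution": {"Keys": ["srcaddr", "dstaddr"], "ValueOf": "bytes", "Filters": []},
}
NXDOMAIN_RULE = {
    "Schema": SCHEMA, "LogFormat": "JSON", "AggregateOn": "Count",
    "Contribution": {"Keys": ["$.srcaddr"],
                     "Filters": [{"Match": "$.rcode", "StartsWith": ["NXDOMAIN"]}]},
}

# Constructed sample events, not real traffic.  Flow log columns follow the default format
# (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes
# start end action log-status); the resolver events are trimmed to the fields used above.
FLOW_LOG_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 10 8000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 40000 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 40001 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 40002 53 17 1 80 1700000000 1700000060 REJECT OK",
]
RESOLVER_EVENTS = [
    {"query_name": "example.com.", "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.1.10"},
    {"query_name": "xk3j9.example.net.", "query_type": "A", "rcode": "NXDOMAIN", "srcaddr": "10.0.1.10"},
    {"query_name": "q7z2p.example.net.", "query_type": "TXT", "rcode": "NXDOMAIN", "srcaddr": "10.0.1.10"},
    {"query_name": "w1m4c.example.net.", "query_type": "A", "rcode": "NXDOMAIN", "srcaddr": "10.0.1.11"},
]

if __name__ == "__main__":
    for rule, events in [(REJECTED_TCP_RULE, FLOW_LOG_LINES), (BYTES_RULE, FLOW_LOG_LINES),
                         (NXDOMAIN_RULE, RESOLVER_EVENTS)]:
        print(rule["Contribution"]["Keys"], rule["AggregateOn"], evaluate(rule, events))
```

Run it directly to see the contributors each rule produces from the sample data: the rejected-TCP rule reports two rejects for 198.51.100.7 on eni-0a1b2c3d and ignores the UDP reject, the bytes rule ranks 10.0.1.10 to 10.0.2.20 first, and the NXDOMAIN rule ranks 10.0.1.10 above 10.0.1.11. Once a definition passes validate(), it can be created with the AWS CLI, for example aws cloudwatch put-insight-rule --rule-name rejected-tcp --rule-state ENABLED --rule-definition file://rule.json (rule name and file name are illustrative).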