Explore and Analyze AWS CloudWatch Events

After Logpoint ingests AWS CloudWatch logs:

  • Use Search to access and examine events.

  • Configure Alerts to get notified of critical or suspicious activity.

  • Create custom Dashboards for visualization.

Use the following queries to explore common AWS CloudWatch events. Where a query combines several conditions with OR, the alternatives are grouped in parentheses so that the `norm_id = "cloudwatch"` filter applies to every branch rather than only the first one:

| Scenario | Search Query |
| --- | --- |
| All CloudWatch logs | `norm_id = "cloudwatch"` |
| EC2 instance events | `norm_id = "cloudwatch" source = "*ec2*"` |
| RDS database logs | `norm_id = "cloudwatch" source = "*rds*"` |
| Lambda function logs | `norm_id = "cloudwatch" source = "*lambda*"` |
| ELB access logs | `norm_id = "cloudwatch" source = "*elb*"` |
| VPC Flow Logs | `norm_id = "cloudwatch" source = "*vpc*"` |
| CloudTrail API events | `norm_id = "cloudwatch" eventSource = "*amazonaws.com"` |
| Error events | `norm_id = "cloudwatch" (message = "*error*" OR message = "*fail*")` |
| Authentication events | `norm_id = "cloudwatch" (eventName = "*Login*" OR eventName = "*Auth*")` |
| Resource creation | `norm_id = "cloudwatch" (eventName = "Create*" OR eventName = "Run*")` |
| Resource deletion | `norm_id = "cloudwatch" (eventName = "Delete*" OR eventName = "Terminate*")` |
| IAM user activities | `norm_id = "cloudwatch" userIdentity.type = "IAMUser"` |
| Root account usage | `norm_id = "cloudwatch" userIdentity.type = "Root"` |
| S3 bucket access | `norm_id = "cloudwatch" eventSource = "s3.amazonaws.com"` |
| Security group changes | `norm_id = "cloudwatch" eventName = "*SecurityGroup*"` |
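Before turning a scenario into an Alert, it helps to see which records its field/wildcard conditions actually catch. The following is an added Python example, not Logpoint's own code: it applies the CloudTrail-based scenarios from the table to a handful of constructed CloudTrail records of the kind CloudWatch forwards, with the search wildcards modelled as `fnmatch` globs (an assumption about the search engine's matching rules).

```python
import fnmatch

# Constructed sample CloudTrail records (only the fields the scenario
# queries reference are populated). Not real AWS data.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "Root"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# Scenario -> (field, wildcard) alternatives; a record matches when ANY
# alternative matches, i.e. the parenthesised OR form of the table queries.
SCENARIOS = {
    "Authentication events":  [("eventName", "*Login*"), ("eventName", "*Auth*")],
    "Resource creation":      [("eventName", "Create*"), ("eventName", "Run*")],
    "Resource deletion":      [("eventName", "Delete*"), ("eventName", "Terminate*")],
    "IAM user activities":    [("userIdentity.type", "IAMUser")],
    "Root account usage":     [("userIdentity.type", "Root")],
    "S3 bucket access":       [("eventSource", "s3.amazonaws.com")],
    "Security group changes": [("eventName", "*SecurityGroup*")],
}

def get_field(event, dotted):
    """Resolve a dotted path such as userIdentity.type; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(event, alternatives):
    """True if any (field, pattern) alternative matches the record."""
    for field, pattern in alternatives:
        value = get_field(event, field)
        if value is not None and fnmatch.fnmatchcase(str(value), pattern):
            return True
    return False

def classify(events):
    """Map each scenario to the eventName of every record it triggers."""
    hits = {name: [] for name in SCENARIOS}
    for ev in events:
        for name, alts in SCENARIOS.items():
            if matches(ev, alts):
                hits[name].append(ev["eventName"])
    return hits
```

Running `classify(SAMPLE_EVENTS)` shows that the `*Auth*` wildcard in "Authentication events" also picks up `AuthorizeSecurityGroupIngress`, so that scenario will include security group authorisations alongside console logins unless the pattern is tightened.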

Common CloudWatch Event Analysis

CloudTrail API Call Analysis:

User Activity Analysis:

Geographic Source Analysis:

AWS Service Usage:

Failed Operations:
