nagmesh
commented
1 week ago Hello,
Thank you for your interest in LZA.
Firehose by default puts object with in s3 with Content-Type application/octet-stream.
Currently within s3 destination settings we have to leave it as uncompressed as CloudWatch sends the files with gzip level8 compression.
Firehose service released a new feature to add file extension where we can try and add .gz extension. However, we will need to run a full test to see the behavior is same on all regions and partitions before it can be released.
I'll leave this ticket to track the firehose file extension ask. The other alterantives are to
- Have firehose write to opensearch which is being tracked here
- use the log s3 prefix as input to data lake that runs jobs which will pre-process and stage it in the right format for the siem tool
Describe the bug
Cloudwatch logs are being compressed and consolidated within the
aws-accelerator-central-logs-<account>-<region>/CloudWatchLogsS3 bucket/path in the LogArchive account via the Landing Zone Accelerator. However, these logs are not being assigned a metadata/mimetype ofgzipwhen stored. Other logs in the same bucket (such as CloudTrail logs, load balancer logs) are correctly being assigned this metadata.The impact of this bug is that when attempting to ingest these logs (e.g. https://github.com/aws-samples/siem-on-amazon-opensearch-service) Cloudwatch logs cannot correctly be ingested as there no metadata or file extension to indicate that they should first be decompressed.
To Reproduce
aws-accelerator-central-logs-<acount>-<region>/CloudWatchLogs/Expected behavior Compressed Cloudwatch logs which are consolidated from Organization accounts should be stored with the correct metadata/mimetype. This should include a
Content-EncodingofgzipandContent-Typeofapplication/json.Please complete the following information about the solution: