The responseElements field in the AWS config only parses select elements, limiting the data available within the logs in SOF-ELK.
This field is important as it shows key information related to actions that occur in AWS. For example, if a new Security Group is created, this is parsed by SOF-ELK, however, the name of the Security Group is within the responseElements field which isn't fully parsed.
The responseElements field is an undefined JSON array so it may not be possible to pass individual fields, however, parsing all the data into a single field that is unindexed will help add context to the events in the AWS logs.
philhagen
commented
2 years ago
The
responseElementsfield in the AWS config only parses select elements, limiting the data available within the logs in SOF-ELK.This field is important as it shows key information related to actions that occur in AWS. For example, if a new Security Group is created, this is parsed by SOF-ELK, however, the name of the Security Group is within the
responseElementsfield which isn't fully parsed.The
responseElementsfield is an undefined JSON array so it may not be possible to pass individual fields, however, parsing all the data into a single field that is unindexed will help add context to the events in the AWS logs.https://github.com/philhagen/sof-elk/blob/c9a3447db52bd9632973a951acee010872dc917f/configfiles/6901-aws.conf#L27