Context
l0 admin logs was originally designed with the idea that CloudTrail events (generated from the l0 api to AWS) should be captured. Currently, we use a specific filter pattern when searching the CloudWatch log streams that come from CloudTrail:
filterPattern := fmt.Sprintf("{ $.userIdentity.sessionContext.sessionIssuer.userName = \"l0-%s-ecs-role\" }", a.Config.Instance())
The problem
The current issue is that this filter pattern actually leaves out certain types of events that don't follow the pattern. Take for instance a DeleteCluster event. The CloudTrail log for an event like this looks like this:
$.userIdentity.sessionContext.sessionIssuer.userName = \"l0-jlpalbtest-ecs-role\" in this context does not capture this event, but it should capture it. It really should filter instead on $.userIdentity.userName = \"l0-jlpalbtest-user\".
Solution
The filter pattern should be modified to look for events matching either pattern:
filterPattern := fmt.Sprintf("{ $.userIdentity.sessionContext.sessionIssuer.userName = \"l0-%s-ecs-role\" || $.userIdentity.userName = \"l0-%s-user\" }", a.Config.Instance(), a.Config.Instance())
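The gap can be checked offline with the following added example (not Layer0's code), which applies the two clauses of the filter to two constructed, trimmed CloudTrail events. The `lookup` and `Matches` helpers, the sample events and the role event's `eventName` are assumptions for illustration; the code mirrors the clauses directly rather than parsing CloudWatch filter syntax.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// lookup walks a dotted path such as "userIdentity.userName" through decoded JSON.
func lookup(doc map[string]interface{}, path string) (string, bool) {
	var cur interface{} = doc
	for _, key := range strings.Split(path, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return "", false
		}
		if cur, ok = m[key]; !ok {
			return "", false
		}
	}
	s, ok := cur.(string)
	return s, ok
}

// Matches reports whether an event is selected for the given instance.
// withUser=false mirrors the original single-clause pattern,
// withUser=true mirrors the proposed two-clause pattern.
func Matches(event, instance string, withUser bool) bool {
	var doc map[string]interface{}
	if json.Unmarshal([]byte(event), &doc) != nil {
		return false
	}
	role, _ := lookup(doc, "userIdentity.sessionContext.sessionIssuer.userName")
	user, _ := lookup(doc, "userIdentity.userName")
	if role == "l0-"+instance+"-ecs-role" {
		return true
	}
	return withUser && user == "l0-"+instance+"-user"
}

// Constructed sample events, trimmed to the fields the filter reads.
const RoleEvent = `{"eventName":"CreateService","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"type":"Role","userName":"l0-jlpalbtest-ecs-role"}}}}`
const UserEvent = `{"eventName":"DeleteCluster","userIdentity":{"type":"IAMUser","userName":"l0-jlpalbtest-user"}}`

func main() {
	for _, e := range []string{RoleEvent, UserEvent} {
		fmt.Println(Matches(e, "jlpalbtest", false), Matches(e, "jlpalbtest", true))
	}
}
```

An IAM-user event carries no `sessionContext.sessionIssuer`, so the first clause can never select it; the second clause is what brings the DeleteCluster event into the results.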