Publishing AwsLlambda Logs Into SplunkCloud
0 likes315 views
This document outlines steps to configure a Lambda function to send logs and events to Splunk Cloud in real-time. It involves setting up a Splunk index and HTTP Event Collector (HEC), creating an HEC token, and modifying the source type. A standalone Splunk Lambda function is created that can be invoked by other application Lambda functions to log events to Splunk Cloud. The application Lambda is modified to invoke the Splunk Lambda after starting EC2 instances to log instance details.
Publishing AwsLlambda Logs Into SplunkCloud
- 1. Page 1 of 12 Push Lambda Logs/Events Into Splunk Cloud Revision Number Date Author Comments 1 7/13/2018 First Draft By Varun Kumar Document Purpose: - Capture all the steps needed to ingest log from Lambda function into SplunkCloud in real time. Standardise the apprach to capture the logs across lambda functions. Usecase :- A lambda function will be created that will be used to start/stop ecs instances. Everytime the lambda is invoke the logs will be routed to SplunkCloud using SplunkHEC(http event collector) The architecture followed is
- 2. Page 2 of 12 Table of Content 1 Splunk Setup............................................................................................................. 3 Splunk Index...................................................................................................................... 3 Enable HEC........................................................................................................................ 3 HEC Token Creation ......................................................................................................... 4 Modify SourceType ........................................................................................................... 5 2 Testing From StandAlone Client............................................................................. 6 3 Creating Lambda Function ...................................................................................... 7 Creating Sandalone Splunk Lambda Function .............................................................. 7 Application Lambda Function........................................................................................ 10 Invoking Splunk Lambda Function From Application Lambda.................................. 11 Trigger Splunk Lambda From App Lambda ................................................................. 12
- 3. Page 3 of 12 1 Splunk Setup Splunk Index Create a new index Enable HEC Setup the HEC collector
- 4. Page 4 of 12 HEC Token Creation IndexerAcknowledgement will be needed only in case of critical messages that should not be missed at any cost.
- 5. Page 5 of 12 Modify SourceType Modiy the source type and add it to the HEC token
- 6. Page 6 of 12 2 Testing From StandAlone Client Checking for logs in spunk
- 7. Page 7 of 12 3 Creating Lambda Function Creating Sandalone Splunk Lambda Function We will now create a lambda function that will act as a standalone splunk logging lambda function and will be anonymous of the application code. This lambda can be called from all other application lambda functions and the events wll be populated to SplunkCloud. Enter the token and URL
- 8. Page 8 of 12 Modify the Splunk blueprint code with the code given below. Modified.
- 9. Page 9 of 12 /** * Splunk logging for AWS Lambda * * This function logs to a Splunk host using Splunk's HTTP event collector API. * * Define the following Environment Variables in the console below to configure * this function to log to your Splunk host: * * 1. SPLUNK_HEC_URL: URL address for your Splunk HTTP event collector endpoint. * Default port for event collector is 8088. Example: https://host.com:8088/services/collector * * 2. SPLUNK_HEC_TOKEN: Token for your Splunk HTTP event collector. * To create a new token for this Lambda function, refer to Splunk Docs: * http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Create_an_Event_Collector_token */ 'use strict'; const loggerConfig = { url: process.env.SPLUNK_HEC_URL, token: process.env.SPLUNK_HEC_TOKEN, }; const SplunkLogger = require('./lib/mysplunklogger'); const logger = new SplunkLogger(loggerConfig); exports.handler = (event, context, callback) => { console.log('Received event:', JSON.stringify(event, null, 2)); // Log JSON objects to Splunk logger.log(event); // Log JSON objects with optional 'context' argument (recommended) // This adds valuable Lambda metadata including functionName as source, awsRequestId as field
- 10. Page 10 of 12 logger.log(event, context); // Log strings logger.log(`value1 = ${event}`, context); //logger.log(`value1 = ${event.key1}`, context); // Log with user-specified timestamp - useful for forwarding events with embedded // timestamps, such as from AWS IoT, AWS Kinesis, AWS CloudWatch Logs // Change "Date.now()" below to event timestamp if specified in event payload logger.logWithTime(Date.now(), event, context); // Advanced: // Log event with user-specified request parameters - useful to set input settings per event vs token-level // Full list of request parameters available here: // http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector logger.logEvent({ time: Date.now(), host: 'serverless', source: `lambda:${context.functionName}`, sourcetype: 'httpevent', event: event, }); // Send all the events in a single batch to Splunk logger.flushAsync((error, response) => { if (error) { callback(error); } else { console.log(`Response from Splunk:n${response}`); //callback(null, event.key1); // Echo back the first key value callback(null, event); // Echo back the first key value } }); }; Application Lambda Function The application lambda function willstart ec2 instances based on the parameters passed to the lambda. Test the lambda and ensure the working standalone.
- 11. Page 11 of 12 Invoking Splunk Lambda Function From Application Lambda modify the application Lambda function to be able to invoke the Splunk Lambda function. modify the roles assigned to the App Lambda as shown in the screenshot below.
- 12. Page 12 of 12 Trigger Splunk Lambda From App Lambda Checking the cloud watch logs for Application Lambda and you will see it has invoked the Splunk Lambda. check for logs in splunk with the instance id in the event.