Merge pull request #219 from SumoLogic/hsharma-awso-v2.11

Apps update in awso v2.11
SumoLogic · Dec 10, 2024 · 536adf7 · 536adf7
2 parents 413f731 + 652c10c
commit 536adf7
Show file tree

Hide file tree

Showing 7 changed files with 3,190 additions and 212 deletions.
diff --git a/aws-observability/apps/alb/alb_app.template.yaml b/aws-observability/apps/alb/alb_app.template.yaml
@@ -384,6 +384,27 @@ Resources:
       SumoAccessKey: !Ref Section1cSumoAccessKey
       SumoDeployment: !Ref Section1aSumoDeployment
 
+  AlbCloudTrailLogsFieldExtractionRule:
+    Type: Custom::SumoLogicFieldExtractionRule
+    Condition: create_fer
+    Properties:
+      ServiceToken: !Ref Section6aParentStackLambdaARN
+      RemoveOnDeleteStack: false
+      FieldExtractionRuleName: "AwsObservabilityALBCloudTrailLogsFER"
+      FieldExtractionRuleScope: "account=* eventSource eventName \"elasticloadbalancing.amazonaws.com\" \"2015-12-01\""
+      FieldExtractionRuleParseExpression: '| json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, api_version nodrop 
+                                            | "" as namespace
+                                            | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01" 
+                                            | parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, loadbalancer, f1 nodrop
+                                            | if(loadbalancertype matches "network", "aws/nlb", if(balancertype matches "net", "aws/nlb", namespace)) as namespace
+                                            | if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
+                                            | where namespace="aws/applicationelb" or isEmpty(namespace)
+                                            | toLowerCase(loadbalancer) as loadbalancer  
+                                            | fields region, namespace, loadbalancer, accountid'
+      FieldExtractionRuleParseEnabled: true
+      SumoAccessID: !Ref Section1bSumoAccessID
+      SumoAccessKey: !Ref Section1cSumoAccessKey
+      SumoDeployment: !Ref Section1aSumoDeployment
 Outputs:
   ExistingMetricSourceName:
     Description: "Existing CloudWatch Metrics Source Name"

diff --git a/aws-observability/apps/elb/elb_app.template.yaml b/aws-observability/apps/elb/elb_app.template.yaml
@@ -381,6 +381,23 @@ Resources:
       SumoAccessKey: !Ref Section1cSumoAccessKey
       SumoDeployment: !Ref Section1aSumoDeployment
 
+  ClbCloudTrailLogsFieldExtractionRule:
+    Type: Custom::SumoLogicFieldExtractionRule
+    Condition: create_fer
+    Properties:
+      ServiceToken: !Ref Section6aParentStackLambdaARN
+      RemoveOnDeleteStack: false
+      FieldExtractionRuleName: "AwsObservabilityCLBCloudTrailLogsFER"
+      FieldExtractionRuleScope: "account=* eventSource eventName \"elasticloadbalancing.amazonaws.com\" \"2012-06-01\""
+      FieldExtractionRuleParseExpression: '| json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.loadBalancerName" as event_source, region, accountid, loadbalancername nodrop  
+                                            | where event_source = "elasticloadbalancing.amazonaws.com"
+                                            | toLowerCase(loadbalancername) as loadbalancername 
+                                            | "aws/elb" as namespace 
+                                            | fields region, namespace, loadbalancername, accountid'
+      FieldExtractionRuleParseEnabled: true
+      SumoAccessID: !Ref Section1bSumoAccessID
+      SumoAccessKey: !Ref Section1cSumoAccessKey
+      SumoDeployment: !Ref Section1aSumoDeployment
 
 Outputs:
   ExistingLogSourceName:

diff --git a/aws-observability/apps/nlb/nlb_app.template.yaml b/aws-observability/apps/nlb/nlb_app.template.yaml
@@ -211,3 +211,25 @@ Resources:
       SumoAccessID: !Ref Section1bSumoAccessID
       SumoAccessKey: !Ref Section1cSumoAccessKey
       SumoDeployment: !Ref Section1aSumoDeployment
+
+  NlbCloudTrailLogsFieldExtractionRule:
+    Type: Custom::SumoLogicFieldExtractionRule
+    Condition: install_app
+    Properties:
+      ServiceToken: !Ref Section4aParentStackLambdaARN
+      RemoveOnDeleteStack: false
+      FieldExtractionRuleName: "AwsObservabilityNLBCloudTrailLogsFER"
+      FieldExtractionRuleScope: "account=* eventSource eventName \"elasticloadbalancing.amazonaws.com\" \"2015-12-01\""
+      FieldExtractionRuleParseExpression: '| json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, api_version nodrop 
+                                            | "" as namespace
+                                            | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01" 
+                                            | parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, loadbalancer, f1 nodrop
+                                            | if(loadbalancertype matches "network", "aws/nlb", if(balancertype matches "net", "aws/nlb", namespace)) as namespace
+                                            | if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
+                                            | where namespace="aws/applicationelb" or isEmpty(namespace)
+                                            | toLowerCase(loadbalancer) as loadbalancer  
+                                            | fields region, namespace, loadbalancer, accountid'
+      FieldExtractionRuleParseEnabled: true
+      SumoAccessID: !Ref Section1bSumoAccessID
+      SumoAccessKey: !Ref Section1cSumoAccessKey
+      SumoDeployment: !Ref Section1aSumoDeployment