1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
{
"$schema": "https://lnav.org/schemas/format-v1.schema.json",
"s3_log": {
"title": "S3 Access Log",
"description": "S3 server access log format",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html",
"multiline": false,
"regex": {
"std": {
"pattern": "^(?<owner>\\S+)\\s+(?<bucket>\\S+)\\s+\\[(?<timestamp>[^\\]]+)\\]\\s+(?<c_ip>[\\w*.:-]+)\\s+(?<cs_userid>\\S+)\\s+(?<req_id>\\S+)\\s+(?<op>\\S+)\\s+(?<cs_key>\\S+)\\s+\"(?<cs_method>\\S+)\\s+(?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))?\\s+(?<cs_version>\\S+)\"\\s+(?<sc_status>\\d+|-)\\s+(?<sc_error_code>\\S+)\\s+(?<sc_bytes>\\d+|-)\\s+(?<obj_size>\\d+|-)\\s+(?<total_time>\\d+|-)\\s+(?<turn_around_time>\\d+|-)\\s+\"(?<cs_referer>.*?)\"\\s+\"(?<cs_user_agent>.*?)\"$"
},
"std-v2": {
"pattern": "^(?<owner>\\S+)\\s+(?<bucket>\\S+)\\s+\\[(?<timestamp>[^\\]]+)\\]\\s+(?<c_ip>[\\w*.:-]+)\\s+(?<cs_userid>\\S+)\\s+(?<req_id>\\S+)\\s+(?<op>\\S+)\\s+(?<cs_key>\\S+)\\s+\"(?<cs_method>\\S+)\\s+(?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))?\\s+(?<cs_version>\\S+)\"\\s+(?<sc_status>\\d+|-)\\s+(?<sc_error_code>\\S+)\\s+(?<sc_bytes>\\d+|-)\\s+(?<obj_size>\\d+|-)\\s+(?<total_time>\\d+|-)\\s+(?<turn_around_time>\\d+|-)\\s+\"(?<cs_referer>.*?)\"\\s+\"(?<cs_user_agent>.*?)\"\\s+(?<version_id>\\S+)\\s+(?<host_id>\\S+)\\s+(?<sig_version>\\S+)\\s+(?<cipher_suite>\\S+)\\s+(?<auth_type>\\S+)\\s+(?<cs_host>\\S+)\\s+(?<tls_version>\\S+)$"
}
},
"level-field": "sc_status",
"level": {
"error": "^[^123].*"
},
"opid-field": "c_ip",
"value": {
"owner": {
"kind": "string",
"identifier": true,
"description": "The bucket owner"
},
"bucket": {
"kind": "string",
"identifier": true,
"description": "The bucket"
},
"c_ip": {
"kind": "string",
"collate": "ipaddress",
"identifier": true,
"description": "The client IP address"
},
"cs_userid": {
"kind": "string",
"identifier": true,
"description": "The user ID passed from the client to the server"
},
"req_id": {
"kind": "string",
"description": "The request ID"
},
"op": {
"kind": "string",
"identifier": true,
"description": "The operation"
},
"cs_key": {
"kind": "string",
"identifier": true,
"description": "The key for the bucket"
},
"cs_method": {
"kind": "string",
"identifier": true,
"description": "The request method"
},
"cs_uri_stem": {
"kind": "string",
"identifier": true,
"description": "The path part of the request URI"
},
"cs_uri_query": {
"kind": "string",
"description": "The query parameters in the request URI"
},
"cs_version": {
"kind": "string",
"identifier": true,
"description": "The client's HTTP version"
},
"sc_status": {
"kind": "integer",
"foreign-key": true,
"rewriter": ";SELECT :sc_status || ' (' || (SELECT message FROM http_status_codes WHERE status = :sc_status) || ') '",
"description": "The status code returned by the server"
},
"sc_error_code": {
"kind": "string",
"identifier": true,
"description": "The Amazon S3 error code"
},
"sc_bytes": {
"kind": "integer",
"description": "The number of bytes returned by the server"
},
"obj_size": {
"kind": "integer",
"description": "The size of the object"
},
"total_time": {
"kind": "integer",
"description": "The total time taken to satisfy the request"
},
"turn_around_time": {
"kind": "integer",
"description": "The turn around time"
},
"cs_referer": {
"kind": "string",
"identifier": true,
"description": "The client's referrer"
},
"cs_user_agent": {
"kind": "string",
"identifier": true,
"description": "The client's HTTP agent"
},
"version_id": {
"kind": "string",
"identifier": true,
"description": "The version ID"
},
"host_id": {
"kind": "string",
"identifier": true,
"description": "The host ID"
},
"sig_version": {
"kind": "string",
"identifier": true,
"description": "The signature version"
},
"cipher_suite": {
"kind": "string",
"identifier": true,
"description": "The SSL layer negotiated cipher suite"
},
"auth_type": {
"kind": "string",
"identifier": true,
"description": "The type of request authentication used"
},
"cs_host": {
"kind": "string",
"identifier": true,
"description": "The endpoint used to connect to S3"
},
"tls_version": {
"kind": "string",
"identifier": true,
"description": "The TLS version negotiated by the client"
}
},
"sample": [
{
"line": "b659b576cff1e15e4c0313ff8930fba9f53e6794567f5c60dab3abf2f8dfb6cc www.example.com [10/Feb/2012:16:42:07 -0500] 1.2.3.4 arn:aws:iam::179580289999:user/phillip.boss EB3502676500C6BE WEBSITE.GET.OBJECT index \"GET /index HTTP/1.1\" 200 - 368 368 10 9 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11\""
},
{
"line": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket1 [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - \"GET /awsexamplebucket1?versioning HTTP/1.1\" 200 - 113 - 7 - \"-\" \"S3Console/0.4\" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket1.s3.us-west-1.amazonaws.com TLSV1.1"
}
]
}
}
|