sql: AWS Athena table for CloudTrail logs

Editor's note: this page was compiled by the editors of cha138.com and presents an AWS Athena table definition for CloudTrail logs, offered as a reference.

-- External table over raw CloudTrail log files in S3. The CloudTrail SerDe
-- unpacks the "Records" array of each gzip'd JSON file; nested objects that
-- vary by event (requestparameters, responseelements, additionaleventdata,
-- serviceeventdetails) are kept as JSON strings.
CREATE EXTERNAL TABLE IF NOT EXISTS cloudtrail_logs (
  eventversion STRING,
  useridentity STRUCT<
    type:STRING,
    principalid:STRING,
    arn:STRING,
    accountid:STRING,
    invokedby:STRING,
    accesskeyid:STRING,
    userName:STRING,
    sessioncontext:STRUCT<
      attributes:STRUCT<
        mfaauthenticated:STRING,
        creationdate:STRING>,
      sessionissuer:STRUCT<
        type:STRING,
        principalId:STRING,
        arn:STRING,
        accountId:STRING,
        userName:STRING>>>,
  eventtime STRING,
  eventsource STRING,
  eventname STRING,
  awsregion STRING,
  sourceipaddress STRING,
  useragent STRING,
  errorcode STRING,
  errormessage STRING,
  requestparameters STRING,
  responseelements STRING,
  additionaleventdata STRING,
  requestid STRING,
  eventid STRING,
  resources ARRAY<STRUCT<
    ARN:STRING,
    accountId:STRING,
    type:STRING>>,
  eventtype STRING,
  apiversion STRING,
  readonly STRING,
  recipientaccountid STRING,
  serviceeventdetails STRING,
  sharedeventid STRING,
  vpcendpointid STRING
)
-- Partition by date so queries that filter on year/month/day scan only the
-- matching S3 prefixes instead of the whole trail.
PARTITIONED BY (year INT, month INT, day INT)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://{BUCKET}/AWSLogs/{ACCOUNTID}/CloudTrail/{REGION}/';

/* Create partitions: one per day, pointing at the YYYY/MM/DD prefix that
   CloudTrail writes under the table location. Replace {BUCKET}, {ACCOUNTID}
   and {REGION} with your own values. */
ALTER TABLE cloudtrail_logs ADD PARTITION (year=2017, month=1, day=1)
LOCATION 's3://{BUCKET}/AWSLogs/{ACCOUNTID}/CloudTrail/{REGION}/2017/01/01/';
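The queries below are an added example, not part of the original snippet, showing how the nested useridentity struct and the JSON-bearing STRING columns of this table are read in typical review queries. They assume the 2017-01-01 partition added above exists and that the records follow the standard CloudTrail record layout (responseElements.ConsoleLogin, additionalEventData.MFAUsed, errorCode).

```sql
-- Added example (not from the original page): review queries over the
-- cloudtrail_logs table defined above. Every query carries a partition
-- predicate on year/month/day so Athena reads only one day's prefix.

-- 1. Successful console sign-ins without MFA. responseelements and
--    additionaleventdata are STRING columns holding JSON, so they are parsed
--    with json_extract_scalar (assumes the standard CloudTrail field names).
SELECT eventtime,
       useridentity.type AS identity_type,
       useridentity.arn  AS identity_arn,
       sourceipaddress
FROM cloudtrail_logs
WHERE year = 2017 AND month = 1 AND day = 1
  AND eventname = 'ConsoleLogin'
  AND json_extract_scalar(responseelements, '$.ConsoleLogin') = 'Success'
  AND json_extract_scalar(additionaleventdata, '$.MFAUsed') = 'No'
ORDER BY eventtime;

-- 2. Any activity by the root user; root API calls should be rare and are
--    worth reviewing individually.
SELECT eventtime, eventsource, eventname, sourceipaddress, useragent
FROM cloudtrail_logs
WHERE year = 2017 AND month = 1 AND day = 1
  AND useridentity.type = 'Root'
ORDER BY eventtime;

-- 3. Principals accumulating access-denied errors, a common sign of
--    misconfigured automation or of permission probing. For assumed-role
--    sessions the sessionissuer struct names the underlying role, so it is
--    preferred over the per-session ARN in useridentity.arn.
SELECT COALESCE(useridentity.sessioncontext.sessionissuer.arn,
                useridentity.arn) AS principal,
       eventsource,
       count(*) AS denied_calls
FROM cloudtrail_logs
WHERE year = 2017 AND month = 1 AND day = 1
  AND errorcode IN ('AccessDenied', 'Client.UnauthorizedOperation')
GROUP BY 1, 2
HAVING count(*) >= 10
ORDER BY denied_calls DESC;
```

The threshold of 10 denied calls in query 3 is an arbitrary starting point; tune it against a baseline of normal activity in your own account.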
