DEV Community

Cover image for How to search logs in S3/Azure/GCP storage fast and cheap using cloudgrep
chris doman
chris doman

Posted on

How to search logs in S3/Azure/GCP storage fast and cheap using cloudgrep

#aws #gcp #azure

cloudgrep searches cloud storage. It currently supports searching log files, optionally compressed with gzip (.gz) or zip (.zip), in AWS S3, Azure Storage or Google Cloud Storage.

You can get it at https://github.com/cado-security/cloudgrep

Why?

  • Directly searching cloud storage, without indexing logs into a SIEM or Log Analysis tool, can be faster and cheaper.
  • There is no need to wait for logs to be ingested, indexed, and made available for searching.
  • It searches files in parallel for speed.
  • This may be of use when debugging applications, or investigating a security incident.

Image description

Example

Simple example:

./cloudgrep --bucket test-s3-access-logs --query 9RXXKPREHHTFQD77
python3 cloudgrep.py -b test-s3-access-logs -q 9RXXKPREHHTFQD77
Enter fullscreen mode Exit fullscreen mode

Simple Azure example:

python3 cloudgrep.py -an some_account -cn some_container -q my_search
Enter fullscreen mode Exit fullscreen mode

Simple Google example:

python3 cloudgrep.py -gb my-gcp-bucket -q my_search
Enter fullscreen mode Exit fullscreen mode

More complicated example:

python3 cloudgrep.py -b test-s3-access-logs --prefix "logs/" --filename ".log" -q 9RXXKPREHHTFQD77 -s "2023-01-09 20:30:00" -e "2023-01-09 20:45:00" --file_size 10000 --debug
Enter fullscreen mode Exit fullscreen mode

Saving the output to a file:

python3 cloudgrep.py -b test-s3-access-logs -q 9RXXKPREHHTFQD77 --hide_filenames > matching_events.log
Enter fullscreen mode Exit fullscreen mode

Example output:

Bucket is in region: us-east-2 : Search from the same region to avoid egress charges.
Searching 11 files in test-s3-access-logs for 9RXXKPREHHTFQD77...
access2023-01-09-20-34-20-EAC533CB93B4ACBE: abbd82b5ad5dc5d024cd1841d19c0cf2fd7472c47a1501ececde37fe91adc510 bucket-72561-s3bucketalt-1my9piwesfim7 [09/Jan/2023:19:20:00 +0000] 1.125.222.333 arn:aws:sts::000011110470:assumed-role/bucket-72561-myResponseRole-1WP2IOKDV7B4Y/1673265251.340187 9RXXKPREHHTFQD77 REST.GET.BUCKET - "GET /?list-type=2&prefix=-collector%2Fproject-&start-after=&encoding-type=url HTTP/1.1" 200 - 946 - 33 32 "-" "Boto3/1.21.24 Python/3.9.2 Linux/5.10.0-10-cloud-amd64 Botocore/1.24.46" - aNPuHKw== SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader bucket-72561-s3bucketalt-1my9piwesfim7.s3.us-east-2.amazonaws.com TLSv1.2 - -
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

Read next

kairatorozobekov profile image

Safe Content, Happy Users: Azure AI Content Safety

Kairat -

kelvinskell profile image

Deploying An Application To Amazon ECS: Everything You Need To Know

Kelvin Onuchukwu -

tiksangng profile image

Creating a custom domain name for AWS Elastic Beanstalk application

Dickson -

acontreras_mp profile image

AWS EC2 Instances purchasing options

Armando Contreras -