Query logs with Athena

Using Athena with CloudTrail logs is even easier than with server access logs. With server access logs, you had to go to the Athena console and create a database and table yourself; with CloudTrail logging, the CloudTrail console creates the Athena table for you.

To use Athena with CloudTrail logs, simply go to the CloudTrail event history and select Run advanced queries in Amazon Athena.

  1. Go to the CloudTrail console. In the left panel, select Event history, then select Create Athena table.
  2. For Storage location, select the bucket aws-cloud-trail-logs-workshop, which we are using to store the logs, then select Create table.
  3. Confirm that the Athena table cloudtrail_logs_aws_cloudtrail_logs_workshop was created.
  4. Find and select the Athena service, then select Launch query editor.
  5. If this is the first time you are using Athena, select Edit settings; otherwise, skip to step 10.
  6. Click Browse S3.
  7. Select a bucket to store the query results; here we choose the bucket logging-workshop-destination.
  8. Check the settings and click Save.
  9. Check and click Editor to return to the query editor.
  10. Copy the query below into the editor, making sure you are using the right table. This query filters for GetObject operations whose eventsource is s3.amazonaws.com. Select Run.

```sql
SELECT *
FROM cloudtrail_logs_aws_cloudtrail_logs_workshop
WHERE
    eventsource = 's3.amazonaws.com' AND
    eventname in ('GetObject')
```
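The SELECT * query above returns raw events, which is fine for a workshop but hard to review once the trail holds more than a few hundred records. The following query is an added example, not part of the workshop; it runs against the same CloudTrail table and summarises S3 GetObject activity per caller and source IP, counting how many of those requests were denied, so that an unusual principal or address stands out. Column names (useridentity.arn, sourceipaddress, errorcode, eventtime) are those of the CloudTrail table the console creates; the seven-day window is an assumed value to adjust for your own investigation.

```sql
-- Added example (not from the workshop): summarise S3 GetObject calls
-- from the table created in step 2, grouped by caller and source IP.
-- useridentity is a struct column in the CloudTrail Athena table, so its
-- fields are addressed with dot notation. eventtime is stored as an
-- ISO 8601 string and is converted for the time-window filter.
-- The 7-day window is an assumption; change it to fit your investigation.
SELECT
    useridentity.arn                        AS caller_arn,
    sourceipaddress,
    count(*)                                AS requests,
    count_if(errorcode = 'AccessDenied')    AS denied,
    min(eventtime)                          AS first_seen,
    max(eventtime)                          AS last_seen
FROM cloudtrail_logs_aws_cloudtrail_logs_workshop
WHERE
    eventsource = 's3.amazonaws.com'
    AND eventname = 'GetObject'
    AND from_iso8601_timestamp(eventtime) > current_timestamp - interval '7' day
GROUP BY useridentity.arn, sourceipaddress
ORDER BY denied DESC, requests DESC
LIMIT 50;
```

Two practical notes: GetObject is an S3 data event, so it only appears in the table if the trail has S3 data event logging enabled for the bucket; a management-events-only trail will return no rows for this query even though the table exists. Also, Athena charges by the amount of data scanned, so narrowing the time window (or partitioning the table by date) keeps ad-hoc investigations cheap.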
  11. Check the result below.
  12. Finally, run this query to drop the table.

```sql
DROP TABLE `cloudtrail_logs_aws_cloudtrail_logs_workshop`
```