Table: aws_cloudwatch_log_metric_filter - Query AWS CloudWatch log metric filters using SQL
The AWS CloudWatch Log Metric Filter is a feature within AWS CloudWatch that enables you to extract information from the logs and create custom metrics. These custom metrics can be used for detailed monitoring and alarming based on patterns that might appear in your logs. This is a powerful tool for identifying trends, troubleshooting issues, and setting up real-time monitoring across your AWS resources.
Table Usage Guide
The aws_cloudwatch_log_metric_filter table in Steampipe provides you with information about log metric filters within AWS CloudWatch. This table allows you, as a DevOps engineer, to query filter-specific details, including the associated log group, filter pattern, and metric transformations. You can use this table to gather insights on filters, such as the filter patterns used and the metrics generated from log data. The schema outlines the attributes of the log metric filter, including the filter name, creation date, filter pattern, and associated log group.
Examples
Basic AWS CloudWatch log metric info
Explore the essential characteristics and setup of your AWS CloudWatch log metrics. This query can help you assess the overall configuration and performance metrics of your logs, providing valuable insights for monitoring and optimizing your AWS environment.
select
  name,
  log_group_name,
  creation_time,
  filter_pattern,
  metric_transformation_name,
  metric_transformation_namespace,
  metric_transformation_value
from
  aws_cloudwatch_log_metric_filter;
List the CloudWatch metric filters whose filter pattern matches error logs
Identify metric filters whose filter pattern contains the word "error", together with the log groups they are attached to. This allows for effective error tracking and proactive issue resolution in cloud environments.
PostgreSQL:
select
  name,
  log_group_name,
  filter_pattern
from
  aws_cloudwatch_log_metric_filter
where
  filter_pattern ilike '%error%';
SQLite:
select
  name,
  log_group_name,
  filter_pattern
from
  aws_cloudwatch_log_metric_filter
where
  filter_pattern like '%error%';
Number of metric filters attached to each CloudWatch log group
Count the metric filters attached to each CloudWatch log group. This can help in managing and optimizing your AWS CloudWatch setup by showing how metric filters are distributed across log groups.
select
  log_group_name,
  count(name) as metric_filter_count
from
  aws_cloudwatch_log_metric_filter
group by
  log_group_name;
Control examples
- All Controls > CloudWatch > Ensure AWS Organizations changes are monitored
- CIS v1.2.0 > 3 Monitoring > 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS v1.2.0 > 3 Monitoring > 3.10 Ensure a log metric filter and alarm exist for security group changes
- CIS v1.2.0 > 3 Monitoring > 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS v1.2.0 > 3 Monitoring > 3.12 Ensure a log metric filter and alarm exist for changes to network gateways
- CIS v1.2.0 > 3 Monitoring > 3.13 Ensure a log metric filter and alarm exist for route table changes
- CIS v1.2.0 > 3 Monitoring > 3.14 Ensure a log metric filter and alarm exist for VPC changes
- CIS v1.2.0 > 3 Monitoring > 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS v1.2.0 > 3 Monitoring > 3.3 Ensure a log metric filter and alarm exist for usage of "root" account
- CIS v1.2.0 > 3 Monitoring > 3.4 Ensure a log metric filter and alarm exist for IAM policy changes
- CIS v1.2.0 > 3 Monitoring > 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS v1.2.0 > 3 Monitoring > 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS v1.2.0 > 3 Monitoring > 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- CIS v1.2.0 > 3 Monitoring > 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS v1.2.0 > 3 Monitoring > 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS v1.3.0 > 4 Monitoring > 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS v1.3.0 > 4 Monitoring > 4.10 Ensure a log metric filter and alarm exist for security group changes
- CIS v1.3.0 > 4 Monitoring > 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS v1.3.0 > 4 Monitoring > 4.12 Ensure a log metric filter and alarm exist for changes to network gateways
- CIS v1.3.0 > 4 Monitoring > 4.13 Ensure a log metric filter and alarm exist for route table changes
- CIS v1.3.0 > 4 Monitoring > 4.14 Ensure a log metric filter and alarm exist for VPC changes
- CIS v1.3.0 > 4 Monitoring > 4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
- CIS v1.3.0 > 4 Monitoring > 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS v1.3.0 > 4 Monitoring > 4.3 Ensure a log metric filter and alarm exist for usage of "root" account
- CIS v1.3.0 > 4 Monitoring > 4.4 Ensure a log metric filter and alarm exist for IAM policy changes
- CIS v1.3.0 > 4 Monitoring > 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS v1.3.0 > 4 Monitoring > 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS v1.3.0 > 4 Monitoring > 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- CIS v1.3.0 > 4 Monitoring > 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS v1.3.0 > 4 Monitoring > 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS v1.4.0 > 4 Monitoring > 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS v1.4.0 > 4 Monitoring > 4.10 Ensure a log metric filter and alarm exist for security group changes
- CIS v1.4.0 > 4 Monitoring > 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS v1.4.0 > 4 Monitoring > 4.12 Ensure a log metric filter and alarm exist for changes to network gateways
- CIS v1.4.0 > 4 Monitoring > 4.13 Ensure a log metric filter and alarm exist for route table changes
- CIS v1.4.0 > 4 Monitoring > 4.14 Ensure a log metric filter and alarm exist for VPC changes
- CIS v1.4.0 > 4 Monitoring > 4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
- CIS v1.4.0 > 4 Monitoring > 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS v1.4.0 > 4 Monitoring > 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account
- CIS v1.4.0 > 4 Monitoring > 4.4 Ensure a log metric filter and alarm exist for IAM policy changes
- CIS v1.4.0 > 4 Monitoring > 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS v1.4.0 > 4 Monitoring > 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS v1.4.0 > 4 Monitoring > 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- CIS v1.4.0 > 4 Monitoring > 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS v1.4.0 > 4 Monitoring > 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS v1.5.0 > 4 Monitoring > 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS v1.5.0 > 4 Monitoring > 4.10 Ensure a log metric filter and alarm exist for security group changes
- CIS v1.5.0 > 4 Monitoring > 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS v1.5.0 > 4 Monitoring > 4.12 Ensure a log metric filter and alarm exist for changes to network gateways
- CIS v1.5.0 > 4 Monitoring > 4.13 Ensure a log metric filter and alarm exist for route table changes
- CIS v1.5.0 > 4 Monitoring > 4.14 Ensure a log metric filter and alarm exist for VPC changes
- CIS v1.5.0 > 4 Monitoring > 4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
- CIS v1.5.0 > 4 Monitoring > 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS v1.5.0 > 4 Monitoring > 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account
- CIS v1.5.0 > 4 Monitoring > 4.4 Ensure a log metric filter and alarm exist for IAM policy changes
- CIS v1.5.0 > 4 Monitoring > 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS v1.5.0 > 4 Monitoring > 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS v1.5.0 > 4 Monitoring > 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- CIS v1.5.0 > 4 Monitoring > 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS v1.5.0 > 4 Monitoring > 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS v2.0.0 > 4 Monitoring > 4.1 Ensure unauthorized API calls are monitored
- CIS v2.0.0 > 4 Monitoring > 4.10 Ensure security group changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.11 Ensure Network Access Control Lists (NACL) changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.12 Ensure changes to network gateways are monitored
- CIS v2.0.0 > 4 Monitoring > 4.13 Ensure route table changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.14 Ensure VPC changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.15 Ensure AWS Organizations changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.2 Ensure management console sign-in without MFA is monitored
- CIS v2.0.0 > 4 Monitoring > 4.3 Ensure usage of 'root' account is monitored
- CIS v2.0.0 > 4 Monitoring > 4.4 Ensure IAM policy changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.5 Ensure CloudTrail configuration changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.6 Ensure AWS Management Console authentication failures are monitored
- CIS v2.0.0 > 4 Monitoring > 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
- CIS v2.0.0 > 4 Monitoring > 4.8 Ensure S3 bucket policy changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.9 Ensure AWS Config configuration changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.1 Ensure unauthorized API calls are monitored
- CIS v3.0.0 > 4 Monitoring > 4.10 Ensure security group changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.11 Ensure Network Access Control Lists (NACL) changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.12 Ensure changes to network gateways are monitored
- CIS v3.0.0 > 4 Monitoring > 4.13 Ensure route table changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.14 Ensure VPC changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.15 Ensure AWS Organizations changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.2 Ensure management console sign-in without MFA is monitored
- CIS v3.0.0 > 4 Monitoring > 4.3 Ensure usage of 'root' account is monitored
- CIS v3.0.0 > 4 Monitoring > 4.4 Ensure IAM policy changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.5 Ensure CloudTrail configuration changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.6 Ensure AWS Management Console authentication failures are monitored
- CIS v3.0.0 > 4 Monitoring > 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
- CIS v3.0.0 > 4 Monitoring > 4.8 Ensure S3 bucket policy changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.9 Ensure AWS Config configuration changes are monitored
- Ensure a log metric filter and alarm exist for AWS Config configuration changes
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- Ensure a log metric filter and alarm exist for changes to network gateways
- Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for IAM policy changes
- Ensure a log metric filter and alarm exist for route table changes
- Ensure a log metric filter and alarm exist for S3 bucket policy changes
- Ensure a log metric filter and alarm exist for security group changes
- Ensure a log metric filter and alarm exist for unauthorized API calls
- Ensure a log metric filter and alarm exist for usage of 'root' account
- Ensure a log metric filter and alarm exist for VPC changes
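An added example, not taken from the Steampipe documentation: for each log group that already has at least one metric filter, the PostgreSQL query below lists the monitoring topics from the controls above for which no filter pattern mentions the expected CloudTrail field or event name. The marker substrings are assumptions chosen for illustration; the table does not show whether an alarm is attached, and log groups with no metric filters at all do not appear in it.

```sql
-- Added example. The markers are assumed substrings of CloudTrail field or
-- event names that a filter pattern for each topic would normally contain.
with checks (control, marker) as (
  values
    ('unauthorized API calls',           '%UnauthorizedOperation%'),
    ('console sign-in without MFA',      '%MFAUsed%'),
    ('root account usage',               '%userIdentity.type%Root%'),
    ('IAM policy changes',               '%PutRolePolicy%'),
    ('CloudTrail configuration changes', '%StopLogging%'),
    ('security group changes',           '%AuthorizeSecurityGroupIngress%')
),
log_groups as (
  -- Only log groups that carry at least one metric filter are visible here.
  select distinct
    log_group_name
  from
    aws_cloudwatch_log_metric_filter
)
select
  g.log_group_name,
  c.control as missing_coverage
from
  log_groups as g
  cross join checks as c
  left join aws_cloudwatch_log_metric_filter as f
    on f.log_group_name = g.log_group_name
    and f.filter_pattern ilike c.marker
group by
  g.log_group_name,
  c.control
having
  -- No filter on this log group mentions the marker for this topic.
  count(f.name) = 0
order by
  g.log_group_name,
  c.control;
```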
Schema for aws_cloudwatch_log_metric_filter
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
creation_time | timestamp with time zone | | The creation time of the metric filter |
filter_pattern | text | | A symbolic description of how CloudWatch Logs should interpret the data in each log event |
log_group_name | text | = | The name of the log group |
metric_transformation_name | text | = | The name of the CloudWatch metric |
metric_transformation_namespace | text | = | A custom namespace to contain metric in CloudWatch. Namespaces are used to group together metrics that are similar |
metric_transformation_value | text | | The value to publish to the CloudWatch metric when a filter pattern matches a log event |
name | text | = | The name of the metric filter |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_cloudwatch_log_metric_filter