I am currently using the Python library watchtower
to stream JSON log files from a device to CloudWatch.
I now want to use AWS Kinesis Data Firehose to move the logs to Redshift. I am following this tutorial: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#FirehoseExample
I am now setting up a subscription filter to move the logs. I would like to filter by the IP address the logs are streamed from. This article discusses implementing filters. Here is what I found:
{ $.sourceIPAddress != 123.123.* }
The only problem is, I don't know if CloudWatch even stores the source IP address. Is there some way to query CloudWatch to get the source IP address?
You can query it if it's part of the log you are sending to CloudWatch Logs. So if there is a JSON field "sourceIPAddress" in the log you can use your filter -
{ $.sourceIPAddress != 123.123.* }
You can check the content of the log in the log-group/log-stream.
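As an added example (not code from either post, and not part of watchtower), here is the device side of what the answer describes: a logging formatter that puts a sourceIPAddress field into each JSON log event, plus a small local checker that evaluates a subscription filter of the form { $.field = value } or { $.field != value } against such events before the filter is deployed. The device address and the log lines are constructed; treating a missing field as "no match" is this checker's own assumption.

```python
import fnmatch
import json
import logging
import re

# Constructed sample address for the device (not from the thread).
DEVICE_IP = "123.123.45.67"


class JsonFormatter(logging.Formatter):
    """Render each record as one JSON object that carries the device's own IP,
    so a CloudWatch filter on $.sourceIPAddress has a field to compare."""

    def __init__(self, source_ip):
        super().__init__()
        self.source_ip = source_ip

    def format(self, record):
        event = {
            "message": record.getMessage(),
            "level": record.levelname,
            "sourceIPAddress": self.source_ip,
        }
        return json.dumps(event)


def make_event(message, source_ip=DEVICE_IP, level=logging.INFO):
    """Build one JSON log line the way a watchtower handler using the formatter would."""
    record = logging.LogRecord("device", level, __file__, 0, message, None, None)
    return JsonFormatter(source_ip).format(record)


# Accepts the single-term JSON patterns used in the thread: { $.name = value } / { $.name != value }
_PATTERN = re.compile(r"^\{\s*\$\.(\w+)\s*(!=|=)\s*(\S+)\s*\}$")


def parse_filter(pattern):
    m = _PATTERN.match(pattern.strip())
    if not m:
        raise ValueError("unsupported filter pattern: %r" % pattern)
    field, op, value = m.groups()
    return field, op, value.strip('"')


def event_matches(pattern, event_json):
    """True if the JSON event would pass the subscription filter (local approximation)."""
    field, op, value = parse_filter(pattern)
    try:
        event = json.loads(event_json)
    except json.JSONDecodeError:
        return False  # not a JSON event, so a $.field pattern has nothing to read
    if field not in event:
        return False  # assumption: an absent field never satisfies = or !=
    # CloudWatch's '*' wildcard maps onto fnmatch's '*'; IP values contain no other glob characters.
    equal = fnmatch.fnmatchcase(str(event[field]), value)
    return equal if op == "=" else not equal
```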