Tags: node.js, amazon-web-services, aws-sdk-nodejs

AWS CloudTrail lookupEvents not working with StartTime and EndTime in Node.js: getting all events instead of events filtered by time


I am trying to extract AWS CloudTrail events by calling the lookupEvents method provided by the Node.js SDK. My code is below. I am able to extract events, but they start from the beginning of the available history rather than from the dates I have specified.

What should the format of StartTime and EndTime be?

I tried the one shown in the documentation.

EndTime: new Date || 'Wed Dec 31 1969 16:00:00 GMT-0800 (PST)' || 123456789,

 // Question snippet: builds a lookupEvents request filtered by the event name and
 // source taken from `event`, pages through the results and counts the events.
 // The time window is expressed here as two extra LookupAttributes entries; per the
 // answer on this page, StartTime and EndTime are not lookup attributes and have to
 // be given as separate keys of `params`.
 let params = {
        LookupAttributes: [
            {
                AttributeKey: "EventName",
                AttributeValue: event.EventName
            },
            {
                AttributeKey: "EventSource",
                AttributeValue: event.EventSource
            },
            // The two entries below are the part the answer changes: the time bounds
            // are moved out of this list and placed next to LookupAttributes.
            {
                AttributeKey: "StartTime",
                AttributeValue: "Tue Mar 09 2021 00:00:00 GMT+0000"
            },
            {
                AttributeKey: "EndTime",
                AttributeValue: "Tue Mar 11 2021 00:00:00 GMT+0000"
            }
        ]
    };

    // Client for the region named in the incoming event.
    const cloudtrail = new AWS.CloudTrail({ region: event.region });
    let data;
    let count = 0;

    // Logs the complete request parameters before the first call.
    console.log(`params are ${JSON.stringify(params)}`)
    try {
        do {
            console.log(`Before method...`)
            // One page of results per call.
            data = await cloudtrail.lookupEvents(params).promise();
            // Interpolating an object into a template literal prints "[object Object]".
            console.log(`data so far is ${data}`);
            if (data) {
                // Writes every returned event record to the log in full.
                // NOTE(review): CloudTrail records usually carry caller identity and
                // source-address details; confirm who can read this log before keeping the dump.
                console.log(`data retrieved is ${JSON.stringify(data)}`);
                count += data.Events.length;

                // Carry the pagination token into the next request.
                if (data.NextToken) {
                    params.NextToken = data.NextToken;
                }
            }

        // A response without NextToken ends the loop.
        } while (data.NextToken);

        console.log(`The count of Events matching criteria are ${count}.`);
    } catch (err) {
        // The error is only logged; nothing is rethrown, so the caller sees no failure.
        console.error(`Error is ${err.stack}`);
    }

Solution

  • As Balu mentioned in the previous answer, StartTime and EndTime are not part of LookupAttributes. They must be given separately in params, as top-level key-value pairs.

    The following is my AWS Lambda code which is more generic and can take any EventName and EventSource as well as the region as part of JSON input received by the Lambda.

    The code uses async/await to avoid callbacks.

    const AWS = require('aws-sdk');
    
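    /**
     * Lambda handler: counts the CloudTrail events recorded between 00:00 UTC
     * yesterday and 00:00 UTC today that match the requested event name and source.
     *
     * @param {{EventName: string, EventSource: string, region: string}} event
     *   Invocation payload naming the event to look up and the region to query.
     * @returns {Promise<number>} Number of matching events across all result pages.
     * @throws {Error} When a required input field is missing, or when the
     *   CloudTrail lookup fails (the SDK error is logged and rethrown).
     */
    exports.handler = async event => {
        // Fail early on incomplete input instead of sending an undefined filter
        // or region to the SDK.
        for (const field of ['EventName', 'EventSource', 'region']) {
            if (typeof event[field] !== 'string' || event[field] === '') {
                throw new Error(`Missing or invalid input field: ${field}`);
            }
        }

        // Build the window from the UTC calendar fields directly. Zeroing the
        // local-time fields and then feeding local getters to Date.UTC only
        // gives the right day when the runtime's time zone is UTC.
        const now = new Date();
        const utcToday = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate()));
        // Date.UTC normalises a day of 0 to the last day of the previous month.
        const utcYesterday = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate() - 1));

        console.log(`Lookup window: ${utcYesterday.toISOString()} to ${utcToday.toISOString()}`);

        const params = {
            // NOTE(review): the LookupEvents API documentation has stated that this
            // list currently accepts a single item; confirm that a two-attribute
            // filter is accepted before relying on the resulting count.
            LookupAttributes: [
                {
                    AttributeKey: "EventName",
                    AttributeValue: event.EventName
                },
                {
                    AttributeKey: "EventSource",
                    AttributeValue: event.EventSource
                }
            ],
            // Time bounds are top-level request parameters, not lookup attributes.
            // The SDK accepts Date objects here as well as epoch seconds.
            StartTime: utcYesterday,
            EndTime: utcToday
        };

        const cloudtrail = new AWS.CloudTrail({ region: event.region });
        let count = 0;
        let page;

        console.log(`params are ${JSON.stringify(params)}`);
        try {
            do {
                page = await cloudtrail.lookupEvents(params).promise();
                const events = page.Events || [];
                count += events.length;
                // Log only the page size: full CloudTrail records carry caller
                // identities and request details that should not be copied into
                // a second log stream.
                console.log(`Fetched ${events.length} events (running total ${count}).`);
                // undefined on the last page, which also ends the loop.
                params.NextToken = page.NextToken;
            } while (page.NextToken);
        } catch (err) {
            console.error(`Error is ${err.stack}`);
            // Rethrow so the invocation is reported as failed; a swallowed error
            // makes a denied or throttled lookup look like a clean run.
            throw err;
        }

        console.log(`The count of Events matching criteria are ${count}.`);
        return count;
    };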