awslabs/landing-zone-accelerator-on-aws

Clarification and Assistance for Log Access in Central Log Bucket

Closed this issue · 4 comments

Hello, and thank you for this project.

While experimenting with LZA, a specific use case has prompted some questions. I created a CloudWatch log group in a child account and added a dummy log entry to observe the log archival to the central log bucket. In the event that access to a log from the central bucket becomes necessary, we'd like to understand the steps involved.

We tried logging in to the log archive account and attempted to download the log, but thought there might be an issue with the encryption as the file is not readable (attached below).


Any assistance on this matter would be greatly appreciated.

Hi @dgokcin! Thank you for reaching out. The CloudWatch Logs are being transferred in native format by Kinesis Firehose, per our documentation. We were running into issues with parquet format, and as a result had to change the file format to what the service natively supports. To work around this issue, you can rename the file by appending the json.gz file extension (e.g. test -> test.json.gz).

Please let me know if this workaround works for you.

@dgokcin - the raw file is compressed. I would append .zip and uncompress the file to be able to read the content of the downloaded file.


Thanks for the reply! I ended up using zcat as described in AWS CloudWatch Logs.

Thank you for the confirmation, @dgokcin. I will go ahead and close this issue out now. If you have any other questions or concerns, please do not hesitate to reach out again.
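The decoding step discussed in this thread, as an added example that is not part of the original issue or the LZA project's code: it checks for the gzip magic bytes that explain why the downloaded file looks unreadable, decompresses it, and splits the back-to-back JSON records into individual log events. It assumes the object holds gzip members containing CloudWatch Logs subscription records (`messageType`, `logGroup`, `logStream`, `logEvents`); the function names and the sample data are constructed for illustration.

```python
import gzip
import json

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def read_log_object(blob: bytes) -> list:
    """Decode one object downloaded from the central log bucket."""
    if blob[:2] != GZIP_MAGIC:
        raise ValueError("object does not start with the gzip magic bytes")
    # Records are compressed individually and concatenated, so the object
    # can hold several gzip members; gzip.decompress() reads all of them.
    text = gzip.decompress(blob).decode("utf-8")
    decoder = json.JSONDecoder()
    records, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():  # tolerate newlines between records
            pos += 1
            continue
        # The JSON documents may follow each other with no delimiter.
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)
    return records


def flatten_events(records: list) -> list:
    """Return (logGroup, logStream, timestamp, message) per log event."""
    rows = []
    for rec in records:
        if rec.get("messageType") != "DATA_MESSAGE":
            continue  # CONTROL_MESSAGE records carry no application logs
        for ev in rec.get("logEvents", []):
            rows.append((rec["logGroup"], rec["logStream"],
                         ev["timestamp"], ev["message"]))
    return rows


def constructed_sample() -> bytes:
    """Constructed stand-in for a downloaded object (not real LZA output)."""
    data = {"messageType": "DATA_MESSAGE", "owner": "111111111111",
            "logGroup": "/example/dummy", "logStream": "stream-1",
            "logEvents": [{"id": "1", "timestamp": 1700000000000,
                           "message": "dummy log entry"}]}
    control = {"messageType": "CONTROL_MESSAGE", "logEvents": []}
    return b"".join(gzip.compress(json.dumps(r).encode()) for r in (data, control))


if __name__ == "__main__":
    for row in flatten_events(read_log_object(constructed_sample())):
        print(row)
```

For a real object, pass the bytes of the downloaded file to `read_log_object` in place of the constructed sample.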