A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year. Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests the IP address sent and the corresponding URLs that the IP address requested.
What should the security engineer do to meet these requirements with the LEAST effort?
A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URL.
B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.
C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.
D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.
C
Question restated: how can the request count and the requested URLs for a specific IP address be analyzed from CloudWatch Logs with the least effort?
Tip: eliminate the clearly wrong options, then choose the most reasonable one among those that remain.
A. Incorrect. Exporting the CloudWatch Logs group data to Amazon S3 and using Amazon Macie to query the logs for the IP address and the requested URLs adds an export step, and Macie is a sensitive-data discovery service, not a log query tool, so this does not meet the least-effort requirement.
B. Incorrect. Configuring a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster and analyzing the logs there requires a subscription filter and an OpenSearch Service cluster, which is considerably more work than a direct query.
C. Correct. Using CloudWatch Logs Insights and its query syntax to analyze the CloudWatch logs for the IP address and the requested URLs runs the query directly against CloudWatch Logs, with no data export and no additional service to configure; it is the least-effort and most efficient option.
D. Incorrect. Exporting the CloudWatch Logs group data to Amazon S3, using AWS Glue to crawl the bucket for the log entries that contain the IP address, and viewing the results in Glue requires an export task, a Glue crawler and generated tables, which is more steps than querying with CloudWatch Logs Insights directly, so it is not the best choice.
Query efficiency: CloudWatch Logs Insights supports a custom query syntax that can quickly filter on a specific IP address and the requested URLs.
Service integration: integrating CloudWatch Logs with OpenSearch Service or S3 requires additional configuration (a subscription filter or an export task), which adds complexity. AWS Glue must crawl the S3 data and generate tables, which is more steps than using CloudWatch Logs Insights directly.
Data retention and access: the logs are already stored in CloudWatch Logs and can be queried without export, which meets the least-effort requirement.
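As an added illustration (not part of the original question or its explanation), the following Python script shows the analysis that option C performs. It carries an illustrative CloudWatch Logs Insights query of the kind the security engineer would run (assumptions: the log group holds raw Apache combined-format lines in @message, and the one-week window is set as the query's time range rather than inside the query text), and it applies the same parse-filter-count logic offline to a few constructed Apache log lines so the result can be checked without an AWS account. The IP addresses, URLs and the `requests_from_ip` helper are constructed for this example.

```python
import re
from collections import Counter

# Regex for the Apache combined log format. The same pattern, in Logs Insights'
# regex syntax with (?<name>...) capture groups, appears in the query below.
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative CloudWatch Logs Insights query for option C (assumption: raw
# Apache lines in @message). The past-week window is chosen as the query's
# time range in the console or in StartQuery, not in the query text.
INSIGHTS_QUERY = r"""
parse @message /^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<url>\S+) (?<proto>[^"]+)" (?<status>\d{3})/
| filter ip = "203.0.113.10"
| stats count(*) as requests by url
| sort requests desc
"""

# Constructed sample log lines (documentation IP ranges, invented paths).
# The last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_LOG = """
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:45 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:03 +0000] "GET /search?q=test HTTP/1.1" 200 3000 "-" "curl/7.88"
this line is not in Apache combined format and must be skipped
"""


def parse_line(line):
    """Return the named fields of one Apache combined log line, or None if the
    line does not match the format (the offline equivalent of Insights' parse)."""
    match = APACHE_LINE.match(line)
    return match.groupdict() if match else None


def requests_from_ip(lines, ip):
    """Offline equivalent of the filter + stats + sort stages of the query:
    total number of requests from `ip` and the requested URLs ordered by
    request count, most frequent first."""
    by_url = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields is None or fields["ip"] != ip:
            continue  # skip malformed lines and other clients
        by_url[fields["url"]] += 1
    return sum(by_url.values()), by_url.most_common()


if __name__ == "__main__":
    total, urls = requests_from_ip(SAMPLE_LOG.splitlines(), "203.0.113.10")
    print(f"requests from 203.0.113.10: {total}")
    for url, count in urls:
        print(f"  {count:>3}  {url}")
```

In CloudWatch Logs Insights the `parse`, `filter`, `stats` and `sort` stages do the work of `parse_line` and `requests_from_ip` inside the service, which is why option C needs no export task, crawler or cluster; the offline version is only there to make the expected shape of the result concrete.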