As a Logsearch user, I want to analyze all my AWS logs so that I can get on top of my account

[sopel]

This epic basically resembles the raison d'être for this project/repository. It will be broken down into separate stories per specific use case resp. AWS log type and mainly serves as a wrapper for gathering information until more appropriate contexts are available.

[sopel]

Use cases

The following use cases have been identified so far:

Logs

Log data usually needs to be read from S3 buckets, either by polling, or preferably after receiving a log delivery push notification (meanwhile available as a generic S3 object creation notification).

• As an AWS user, I want to analyze AWS CloudTrail logs so that I can reason about my account's security
  • see As an AWS user, I want to analyze AWS CloudTrail logs so that I can reason about my account's security #2 for details
  • see also Add AWS CloudTrail shipper cityindex-attic/logsearch#227 for a previous version of this story
• As an AWS user, I want to analyze AWS Config logs so that I can reason about my account's resource footprint/evolution
  • see As an AWS user, I want to analyze AWS Config logs so that I can reason about my account's resource footprint/evolution #6 for details
• As an AWS user, I want to analyze AWS CloudFront logs so that I can reason about my distribution's effectiveness
  • ℹ️ AWS CloudFront finally offers built in dashboards for this as of recently, see CloudFront Update – Trends, Metrics, Charts, More Timely Logs - however, this doesn't undermine the value of having the data available alongside other operational events for correlation etc.
• As an AWS user, I want to analyze Amazon S3 logs so that I can reason about my bucket's usage
  • see Overhaul how all this is going to work #7 for details
• As an AWS user, I want to analyze Amazon RDS logs so that I can reason about my database's performance
• As an AWS user, I want to analyze Amazon CloudWatch logs so that I can analyze arbitrary logs in turn
  • see also Add Amazon CloudWatch shipper cityindex-attic/logsearch#226 for a previous version of this story
• As an AWS user, I want to analyze AWS Account Billing logs so that I can correlate cost with operational metrics
  • ⁉️ The resp. log formats are fairly complex and granular, so this is likely out of scope for the time being?!
• As an AWS user, I want to analyze Elastic Load Balancing Access Logs
• As an AWS user, I want to analyze VPC Flow Logs so that I can reason about my account's network traffic

Events

Events generate push notifications, but the common and preferred pattern for consuming them reliably is subscribing an Amazon SQS queue to a SNS topic and consuming SQS messages in turn, see Queues/Streams below

• As an AWS user, I want to monitor Amazon SNS notifications so that I can correlate arbitrary events with operational logs and metrics
  • see also Add Amazon SNS shipper (Auto Scaling, CloudFormation) cityindex-attic/logsearch#245 for a previous version of this story
  • ❗ This is likely the super set of all more specific ones based on SNS down below, though these would likely still be differentiated regarding data mapping and dashboard composition etc.!
• As an AWS user, I want to analyze Auto Scaling notifications so that I can correlate resource lifecycle events with operational metrics
• As an AWS user, I want to analyze AWS CloudFormation notifications so that I can correlate resource lifecycle events with operational metrics
• As an AWS user, I want to analyze Amazon S3 notifications so that I can correlate resource lifecycle events with operational metrics

Queues/Streams

Queues/Streams usually need to be polled by workers that are auto scaling based on queue/stream metrics.

• As an AWS user, I want to ingest Amazon SQS messages from SQS queues so that I can analyze arbitrary messages
• As an AWS user, I want to ingest Amazon Kinesis events from Kinesis streams so that I can analyze arbitrary events
• As an AWS user, I want to ingest Amazon DynamoDB events from DynamoDB streams so that I can correlate resource lifecycle events with operational metrics
  • ❗ This is going to be pretty much the same as ingesting Kinesis event streams, insofar AWS has sufficiently aligned the resp. formats to be handled by a single library/solution.
  • ❗ Also worth noting that AWS has stated the goal of converging to only a few schemata for this purpose.

[sopel]

Log formats

The following log formats have been identified so far:

JSON

Most logs and events are facilitating JSON these days, and AWS has stated that they aim to converge to only a few schemata for this purpose.

CSV

Some logs like e.g. Amazon CloudFront and Amazon S3 are facilitating the common structured web server log formats. The AWS Account Billing Data is logged in CSV.

[dpb587]

Billing Logs started in 8c96bb7