feat(client-cloudwatch-logs): Added CloudWatch Logs Transformer support for converting CloudTrail, VPC Flow, EKS Audit, AWS WAF and Route53 Resolver logs to OCSF v1.1 format.

Author: awstools

clients/client-cloudwatch-logs/src/commands/GetTransformerCommand.ts

@@ -135,6 +135,11 @@ export interface GetTransformerCommandOutput extends GetTransformerResponse, __M
  * //       parseRoute53: { // ParseRoute53
  * //         source: "STRING_VALUE",
  * //       },
+ * //       parseToOCSF: { // ParseToOCSF
+ * //         source: "STRING_VALUE",
+ * //         eventSource: "CloudTrail" || "Route53Resolver" || "VPCFlow" || "EKSAudit" || "AWSWAF", // required
+ * //         ocsfVersion: "V1.1", // required
+ * //       },
  * //       parsePostgres: { // ParsePostgres
  * //         source: "STRING_VALUE",
  * //       },

clients/client-cloudwatch-logs/src/commands/PutLogEventsCommand.ts

@@ -43,12 +43,10 @@ export interface PutLogEventsCommandOutput extends PutLogEventsResponse, __Metad
  *           all event messages in UTF-8, plus 26 bytes for each log event.</p>
  *             </li>
  *             <li>
- *                <p>None of the log events in the batch can be more than 2 hours in the future.</p>
+ *                <p>Events more than 2 hours in the future are rejected while processing remaining valid events.</p>
  *             </li>
  *             <li>
- *                <p>None of the log events in the batch can be more than 14 days in the past. Also,
- *           none of the log events can be from earlier than the retention period of the log
- *           group.</p>
+ *                <p>Events older than 14 days or preceding the log group's retention period are rejected while processing remaining valid events.</p>
  *             </li>
  *             <li>
  *                <p>The log events in the batch must be in chronological order by their timestamp. The
@@ -58,7 +56,7 @@ export interface PutLogEventsCommandOutput extends PutLogEventsResponse, __Metad
  *             <code>yyyy-mm-ddThh:mm:ss</code>. For example, <code>2017-09-15T13:45:30</code>.) </p>
  *             </li>
  *             <li>
- *                <p>A batch of log events in a single request cannot span more than 24 hours. Otherwise, the operation fails.</p>
+ *                <p> A batch of log events in a single request must be in a chronological order. Otherwise, the operation fails.</p>
  *             </li>
  *             <li>
  *                <p>Each log event can be no larger than 1 MB.</p>
@@ -67,14 +65,15 @@ export interface PutLogEventsCommandOutput extends PutLogEventsResponse, __Metad
  *                <p>The maximum number of log events in a batch is 10,000.</p>
  *             </li>
  *             <li>
- *                <important>
- *                   <p>The quota of five requests per second per log stream
- *           has been removed. Instead, <code>PutLogEvents</code> actions are throttled based on a
- *         per-second per-account quota. You can request an increase to the per-second throttling
- *         quota by using the Service Quotas service.</p>
- *                </important>
+ *                <p>For valid events (within 14 days in the past to 2 hours in future), the time span in a single batch cannot exceed 24 hours. Otherwise, the operation fails.</p>
  *             </li>
  *          </ul>
+ *          <important>
+ *             <p>The quota of five requests per second per log stream
+ *       has been removed. Instead, <code>PutLogEvents</code> actions are throttled based on a
+ *       per-second per-account quota. You can request an increase to the per-second throttling
+ *       quota by using the Service Quotas service.</p>
+ *          </important>
  *          <p>If a call to <code>PutLogEvents</code> returns "UnrecognizedClientException" the most
  *       likely cause is a non-valid Amazon Web Services access key ID or secret key. </p>
  * @example

clients/client-cloudwatch-logs/src/commands/PutTransformerCommand.ts

@@ -145,6 +145,11 @@ export interface PutTransformerCommandOutput extends __MetadataBearer {}
  *       parseRoute53: { // ParseRoute53
  *         source: "STRING_VALUE",
  *       },
+ *       parseToOCSF: { // ParseToOCSF
+ *         source: "STRING_VALUE",
+ *         eventSource: "CloudTrail" || "Route53Resolver" || "VPCFlow" || "EKSAudit" || "AWSWAF", // required
+ *         ocsfVersion: "V1.1", // required
+ *       },
  *       parsePostgres: { // ParsePostgres
  *         source: "STRING_VALUE",
  *       },

clients/client-cloudwatch-logs/src/commands/TestTransformerCommand.ts

@@ -126,6 +126,11 @@ export interface TestTransformerCommandOutput extends TestTransformerResponse, _
  *       parseRoute53: { // ParseRoute53
  *         source: "STRING_VALUE",
  *       },
+ *       parseToOCSF: { // ParseToOCSF
+ *         source: "STRING_VALUE",
+ *         eventSource: "CloudTrail" || "Route53Resolver" || "VPCFlow" || "EKSAudit" || "AWSWAF", // required
+ *         ocsfVersion: "V1.1", // required
+ *       },
  *       parsePostgres: { // ParsePostgres
  *         source: "STRING_VALUE",
  *       },

clients/client-cloudwatch-logs/src/models/models_0.ts

@@ -3649,6 +3649,23 @@ export const EntityRejectionErrorType = {
  */
 export type EntityRejectionErrorType = (typeof EntityRejectionErrorType)[keyof typeof EntityRejectionErrorType];
 
+/**
+ * @public
+ * @enum
+ */
+export const EventSource = {
+  AWSWAF: "AWSWAF",
+  CLOUD_TRAIL: "CloudTrail",
+  EKS_AUDIT: "EKSAudit",
+  ROUTE53_RESOLVER: "Route53Resolver",
+  VPC_FLOW: "VPCFlow",
+} as const;
+
+/**
+ * @public
+ */
+export type EventSource = (typeof EventSource)[keyof typeof EventSource];
+
 /**
  * <p>Represents a matched event.</p>
  * @public
@@ -5123,6 +5140,45 @@ export interface ParseRoute53 {
   source?: string | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const OCSFVersion = {
+  V1_1: "V1.1",
+} as const;
+
+/**
+ * @public
+ */
+export type OCSFVersion = (typeof OCSFVersion)[keyof typeof OCSFVersion];
+
+/**
+ * <p>This processor converts logs into <a href="https://ocsf.io">Open Cybersecurity Schema Framework (OCSF)</a> events.</p>
+ *          <p>For more information about this processor including examples, see <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseToOCSF">
+ *       parseToOSCF</a> in the <i>CloudWatch Logs User Guide</i>.</p>
+ * @public
+ */
+export interface ParseToOCSF {
+  /**
+   * <p>The path to the field in the log event that you want to parse. If you omit this value, the whole log message is parsed.</p>
+   * @public
+   */
+  source?: string | undefined;
+
+  /**
+   * <p>Specify the service or process that produces the log events that will be converted with this processor.</p>
+   * @public
+   */
+  eventSource: EventSource | undefined;
+
+  /**
+   * <p>Specify which version of the OCSF schema to use for the transformed log events.</p>
+   * @public
+   */
+  ocsfVersion: OCSFVersion | undefined;
+}
+
 /**
  * <p>Use this processor to parse Amazon VPC vended logs, extract fields, and and convert them into a JSON format. This processor always
  *        processes the entire log event message.</p>
@@ -5459,6 +5515,12 @@ export interface Processor {
    */
   parseRoute53?: ParseRoute53 | undefined;
 
+  /**
+   * <p>Use this processor to convert logs into Open Cybersecurity Schema Framework (OCSF) format</p>
+   * @public
+   */
+  parseToOCSF?: ParseToOCSF | undefined;
+
   /**
    * <p>Use this parameter to include the <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parsePostGres">
    *        parsePostGres</a> processor in your transformer.</p>
@@ -6447,6 +6509,10 @@ export interface PutDeliverySourceRequest {
    *          <code>AD_DECISION_SERVER_LOGS</code>, <code>MANIFEST_SERVICE_LOGS</code>, and <code>TRANSCODE_LOGS</code>.</p>
    *             </li>
    *             <li>
+   *                <p>For Entity Resolution, the valid value is
+   *          <code>WORKFLOW_LOGS</code>.</p>
+   *             </li>
+   *             <li>
    *                <p>For IAM Identity Center, the valid value is
    *          <code>ERROR_LOGS</code>.</p>
    *             </li>
@@ -6455,8 +6521,8 @@ export interface PutDeliverySourceRequest {
    *          <code>EVENT_LOGS</code>.</p>
    *             </li>
    *             <li>
-   *                <p>For Amazon SES mail manager, the valid value is
-   *          <code>APPLICATION_LOG</code>.</p>
+   *                <p>For Amazon SES mail manager, the valid values are
+   *          <code>APPLICATION_LOG</code> and <code>TRAFFIC_POLICY_DEBUG_LOGS</code>.</p>
    *             </li>
    *             <li>
    *                <p>For Amazon WorkMail, the valid values are

clients/client-cloudwatch-logs/src/protocols/Aws_json1_1.ts

@@ -328,6 +328,7 @@ import {
   ParseKeyValue,
   ParsePostgres,
   ParseRoute53,
+  ParseToOCSF,
   ParseVPC,
   ParseWAF,
   Processor,
@@ -3935,6 +3936,8 @@ const se_MetricTransformations = (input: MetricTransformation[], context: __Serd
 
 // se_ParseRoute53 omitted.
 
+// se_ParseToOCSF omitted.
+
 // se_ParseVPC omitted.
 
 // se_ParseWAF omitted.
@@ -4441,6 +4444,8 @@ const de_MetricTransformations = (output: any, context: __SerdeContext): MetricT
 
 // de_ParseRoute53 omitted.
 
+// de_ParseToOCSF omitted.
+
 // de_ParseVPC omitted.
 
 // de_ParseWAF omitted.