AWS ElasticSearch不接受某些CloudTrail文档 [英] AWS ElasticSearch does not accept certain CloudTrail documents

问题描述

Update2

有人指出了这个项目.我会根据自己喜欢的解决方案来实现它.

I was pointed to this project. I will implement it as I like the solution.

https://github.com/chariotsolutions/aws-examples/tree/trunk/cloudtrail_to_elasticsearch

原始问题:

某些类型的AWS CloudTrail事件无法访问AWS ElasticSearch.最后，我将范围缩小到一个非常简化的JSON文档，该文档失败了，在这一点上，我可以使用一些见解.

Certain type of AWS CloudTrail events does not get to AWS ElasticSearch. Finally, I narrowed down to a very simplified JSON document that fails, and at this point, I could use some insights.

因此，尽管如此，我还是每次都会发布一些随机索引/_doc

So despite that, I do POST some-random-index-every-time/_doc

POST ddd/_doc

{
  "eventVersion": "1.05",
  "eventTime": "2020-10-21T00:37:26Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy",
  "awsRegion": "eu-central-1",
  "errorCode": "AccessDenied",
  "errorMessage": "Access Denied",
  "requestParameters": {
    "bucketPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Principal": {
            "Service": "logs.eu-central-1.amazonaws.com"
          }
        },
        {
          "Principal": {
            "Service": "logs.eu-central-1.amazonaws.com"
          }
        },
        {
          "Principal": {
            "AWS": [
              "arn:aws:iam::1234567890:root"
            ]
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::1234567890:root"
            ]
          },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::whatever/*"
        },
        {
          "Sid": "ProtectLogs",
          "Effect": "Deny",
          "Principal": "*"
        }
      ]
    }
  }
}

我一直都遇到相同的错误:

I am getting the same error all the time:

{
  "type": "illegal_argument_exception",
  "reason": "mapper [requestParameters.bucketPolicy.Statement.Principal] of different type, current_type [text], merged_type [ObjectMapper]"
}

如果我从JSON中删除了此代码块-文档被接受:

If I remove this block from JSON - document gets accepted:

{
  "Sid": "ProtectLogs",
  "Effect": "Deny",
  "Principal": "*"
}

更新1 :

我认为我应该创建一个模板并为此字段定义一个映射，以免ES混淆

I think I should create a template and define a mapping for this field so ES doesn't get mixed up

推荐答案

发生此问题的原因是 Principal 字段位于同一级别，但在您的第一个块中，其类型为对象如下所示

The issue is happening due to Principal field which is present at the same level but in your first block its of type object like below

   {
          "Principal": {
            "Service": "logs.eu-central-1.amazonaws.com"
          }
        },

在最后一个块中，该块在您删除后起作用，它的类型为 text ，它创建了问题，错误消息也非常清楚，并抱怨合并类型不兼容， text转换为 object 类型.

And in last block, which when you removed it worked, it is of type text, which creates the issue and error message is also very clear and complaining about incompatible merge types, text to object type.

您可以尝试将字段重命名为 Principal_new ，而不是删除该块，它将起作用，否则，将为所有索引字段创建静态映射/模板，以使这些字段不会混在一起，你已经猜到了

Instead of removing the block, you can try renaming the field to Principal_new and it will work, otherwise create a static mapping/template for all your index fields so that these fields are not mixed up, which you already guessed

这篇关于AWS ElasticSearch不接受某些CloudTrail文档的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！