The event passed in as the argument has a format like this:
{
    "awslogs": {
        "data": "H4sIAAAAAAAAAHWPwQqCQBCGX0Xm7EFtK+smZBEUgXoLCdMhFtKV3akI8d0bLYmibvPPN3wz00CJxmQnTO41whwWQRIctmEcB6sQbFC3CjW3XW8kxpOpP+OC22d1Wml1qZkQGtoMsScxaczKN3plG8zlaHIta5KqWsozoTYw3/djzwhpLwivWFGHGpAFe7DL68JlBUk+l7KSN7tCOEJ4M3/qOI49vMHj+zCKdlFqLaU2ZHV2a4Ct/an0/ivdX8oYc1UVX860fQDQiMdxRQEAAA=="
    }
}
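The value of data is encoded, so the question is how to build this data value from the original string.
According to the documentation, the original string can be extracted from the string above like this: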
$ echo -n "<Content of Data>" | base64 -d | zcat
So doing the reverse converts the original string into the string to pass as the argument.
$ echo "<Original String>" | gzip | base64
The original string is JSON like this:
{
    "owner": "111111111111",
    "logGroup": "CloudTrail",
    "logStream": "111111111111_CloudTrail_us-east-1",
    "subscriptionFilters": [
        "RecipientStream"
    ],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        }
    ]
}
Reference (repeated): https://docs.aws.amazon.com/ja_jp/AmazonCloudWatch/latest/logs/ValidateLogEventFlow.html
So:
$ cat json
{
    "owner": "111111111111",
    "logGroup": "CloudTrail",
    "logStream": "111111111111_CloudTrail_us-east-1",
    "subscriptionFilters": [
        "RecipientStream"
    ],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        }
    ]
}
$ cat json | gzip | base64
H4sIAG/axloAA+1S3WqDMBi99ylKru2If2nSO9lcGawwqozBMsTVUAJqJIkbRXz3JdY510cY+64C5+c75yO9szIDxGfDJNiugLcY4F7ASpx2UnStxW8r0ZWZLHi1QFMtWVFfy/Mfbt6pNSuUXs+eqntXR8lbzUVzzyvNpDL61xEcCQd25C1njZ7MR+RtUtdMqeLEsnPL7Na7OIvzfZKm8S5ZxEo+jPy3bT+/RhIvrTzwSBR4ECGICEIEB8EGY0igH8ENwTD0TZkw8DFBXhT6oU+Sl3j/9Pi9anbT3OTSRW0PNQp8hKMIQnjFm9Lb1T0FzKZ8Nv3NJSjYUuDdwIACl4JOMflQGpTrs0EMV5vCI+cghKZgALPx4P53/BMdL//cGZwvGEA5spoDAAA=
Put this into the value of data in the argument, and you can test the Lambda.
{
    "awslogs": {
        "data": "H4sIAG/axloAA+1S3WqDMBi99ylKru2If2nSO9lcGawwqozBMsTVUAJqJIkbRXz3JdY510cY+64C5+c75yO9szIDxGfDJNiugLcY4F7ASpx2UnStxW8r0ZWZLHi1QFMtWVFfy/Mfbt6pNSuUXs+eqntXR8lbzUVzzyvNpDL61xEcCQd25C1njZ7MR+RtUtdMqeLEsnPL7Na7OIvzfZKm8S5ZxEo+jPy3bT+/RhIvrTzwSBR4ECGICEIEB8EGY0igH8ENwTD0TZkw8DFBXhT6oU+Sl3j/9Pi9anbT3OTSRW0PNQp8hKMIQnjFm9Lb1T0FzKZ8Nv3NJSjYUuDdwIACl4JOMflQGpTrs0EMV5vCI+cghKZgALPx4P53/BMdL//cGZwvGEA5spoDAAA="
    }
}
Let's try decoding it.
$ echo -n "H4sIAG/axloAA+1S3WqDMBi99ylKru2If2nSO9lcGawwqozBMsTVUAJqJIkbRXz3JdY510cY+64C5+c75yO9szIDxGfDJNiugLcY4F7ASpx2UnStxW8r0ZWZLHi1QFMtWVFfy/Mfbt6pNSuUXs+eqntXR8lbzUVzzyvNpDL61xEcCQd25C1njZ7MR+RtUtdMqeLEsnPL7Na7OIvzfZKm8S5ZxEo+jPy3bT+/RhIvrTzwSBR4ECGICEIEB8EGY0igH8ENwTD0TZkw8DFBXhT6oU+Sl3j/9Pi9anbT3OTSRW0PNQp8hKMIQnjFm9Lb1T0FzKZ8Nv3NJSjYUuDdwIACl4JOMflQGpTrs0EMV5vCI+cghKZgALPx4P53/BMdL//cGZwvGEA5spoDAAA=" | base64 -D | zcat
{
    "owner": "111111111111",
    "logGroup": "CloudTrail",
    "logStream": "111111111111_CloudTrail_us-east-1",
    "subscriptionFilters": [
        "RecipientStream"
    ],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        }
    ]
}
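OK.
By the way, on BSD-based systems (Mac and the like) the decode option for base64 is -D, while on GNU systems it appears to be -d.
Kinesis is probably the same.
References (including repeats):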
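The encode and decode steps above, wrapped as portable shell functions. This is an added example, not code from the original post or from AWS. The function names and the sample payload are constructed for illustration. It strips the line wrapping that GNU base64 adds at 76 columns (which would break the JSON string) and picks -d or -D depending on what the local base64 accepts.

```shell
#!/bin/sh
# Added example: build and decode a CloudWatch Logs subscription test event.

# Constructed sample payload with the same fields as the JSON on this page.
sample_payload() {
cat <<'EOF'
{
    "owner": "111111111111",
    "logGroup": "CloudTrail",
    "logStream": "111111111111_CloudTrail_us-east-1",
    "subscriptionFilters": ["RecipientStream"],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {"id": "0000000000000000000000000000000000000000000000000000EXAMPLE",
         "timestamp": 1432826855000,
         "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}}"}
    ]
}
EOF
}

# stdin -> gzip -> base64 on a single line (GNU base64 wraps its output).
encode_awslogs_data() {
    gzip -c | base64 | tr -d '\n'
}

# Decode a data value: use GNU-style -d if it works, else BSD-style -D.
# gzip -dc is used instead of zcat because it behaves the same everywhere.
decode_awslogs_data() {
    if printf 'QQ==' | base64 -d >/dev/null 2>&1; then
        printf '%s' "$1" | base64 -d | gzip -dc
    else
        printf '%s' "$1" | base64 -D | gzip -dc
    fi
}

# Wrap a payload file into the one-line Lambda test event.
make_test_event() {
    data=$(encode_awslogs_data < "$1") || return 1
    printf '{"awslogs":{"data":"%s"}}\n' "$data"
}

# Stand-alone use: sh thisfile.sh payload.json > event.json
if [ $# -gt 0 ]; then
    make_test_event "$1"
fi
```
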