Do not depend on logs in your downstream workflow. Logs are subject to change without prior notice. Use ScanResultTopic instead. If there is any necessary information that only exists in logs, please contact support with a feature request.
View scan results in CloudWatch
To view the scan result logs in CloudWatch Logs:
- In AWS, go to CloudFormation > your scanner stack > Resources > ScannerLogGroup link. The CloudWatch service appears with Log groups selected on the left.
- Under Log streams, select a log stream with a Last event time that is later than or equal to the time when you added the file to the S3 bucket to scan.
- Expand the event message that starts with "scanner result:" and reference the scan result format.
Search for scan results in CloudWatch
You can search for scan results using AWS CloudWatch Logs Insights. Below is an example of how to set up a query.
- In AWS, go to the CloudWatch service.
- On the left, under Logs, select Insights.
- In the main pane, select inside the Select log group(s) field and enter ScannerLambda into the search box. Select the File Storage Security log group.
- Replace the contents of the text box with the following lines:
  fields @timestamp, @message
  | filter @message like "scanner result"
  | sort @timestamp desc
  | limit 20
  This query finds all scan results, up to a maximum of 20.
- Set the time or date range using the available buttons.
- Select Run query. A list of messages containing scan results appears.
  If you were expecting results and don't see them, try setting a broader time or date range.
- Expand a message to view the scan results. For help on understanding the scan results, see View scan results in CloudWatch.
Monitor for malicious files using CloudWatch
You can monitor your system for malicious files using AWS CloudWatch Logs Insights.
Here is an example of a query that finds the logs written by the ScannerLambda function when it detects malicious files. It reports a file as infected when the first entry in scanning_result.Findings carries a malware name:
fields @timestamp, @message, ispresent(scanning_result.Findings.0.malware) as infected, scanning_result.Findings.0.malware as malware, file_url
| filter @message like "scanner result"
| sort @timestamp desc
| display @timestamp, scanner_status_message, infected, malware, file_url
| limit 20
After creating the query, you can save it and re-run it periodically to monitor for malicious files.
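The two Insights queries above (find all scan results; flag the ones with a malware finding) can be reproduced outside the console, for example from a scheduled job that pulls the ScannerLambda log events and applies the same filter. The script below is an added example, not code from the File Storage Security project; the sample events are constructed and rely only on the fields the queries reference (file_url, scanner_status_message, scanning_result.Findings.0.malware), and fetch_events assumes boto3 with working AWS credentials.

```python
import json
from typing import Dict, List, Optional, Tuple

PREFIX = "scanner result:"

# Constructed sample events: (timestamp, message) pairs in the shape a Lambda
# log stream would hold. Only the fields named by the page's queries are used.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("2024-01-01T10:00:00Z", PREFIX + ' {"file_url": "s3://example-bucket/report.txt", '
     '"scanner_status_message": "successful scan", "scanning_result": {"Findings": []}}'),
    ("2024-01-01T10:05:00Z", PREFIX + ' {"file_url": "s3://example-bucket/eicar.com", '
     '"scanner_status_message": "successful scan", '
     '"scanning_result": {"Findings": [{"malware": "Eicar_test_file"}]}}'),
    ("2024-01-01T10:03:00Z", "START RequestId: 0000-constructed Version: $LATEST"),
]

def parse_scan_result(message: str) -> Optional[Dict]:
    """Return the JSON body of a 'scanner result:' event, or None for any other log line."""
    if not message.startswith(PREFIX):
        return None
    try:
        return json.loads(message[len(PREFIX):].strip())
    except json.JSONDecodeError:
        return None

def summarize(timestamp, result: Dict) -> Dict:
    """Same columns as the 'display' clause of the monitoring query."""
    findings = result.get("scanning_result", {}).get("Findings") or []
    # Equivalent of ispresent(scanning_result.Findings.0.malware): look at the first finding only.
    malware = findings[0].get("malware") if findings else None
    return {"timestamp": timestamp, "scanner_status_message": result.get("scanner_status_message"),
            "infected": malware is not None, "malware": malware, "file_url": result.get("file_url")}

def find_scan_results(events, infected_only: bool = False, limit: int = 20) -> List[Dict]:
    """filter @message like "scanner result" | sort @timestamp desc | limit N, in plain Python."""
    rows = [summarize(ts, body) for ts, msg in events if (body := parse_scan_result(msg)) is not None]
    if infected_only:
        rows = [r for r in rows if r["infected"]]
    rows.sort(key=lambda r: r["timestamp"], reverse=True)
    return rows[:limit]

def fetch_events(log_group_name: str, start_time_ms: int) -> List[Tuple[int, str]]:
    """Pull (epoch-ms timestamp, message) pairs from CloudWatch Logs; needs AWS credentials."""
    import boto3  # imported here so the offline sample above runs without boto3 installed
    paginator = boto3.client("logs").get_paginator("filter_log_events")
    pages = paginator.paginate(logGroupName=log_group_name, filterPattern='"scanner result"',
                               startTime=start_time_ms)
    return [(ev["timestamp"], ev["message"]) for page in pages for ev in page["events"]]

if __name__ == "__main__":
    for row in find_scan_results(SAMPLE_EVENTS, infected_only=True):
        print(row)
```

Point fetch_events at the ScannerLogGroup from your scanner stack and pass its output to find_scan_results to get the same rows the console query shows.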
If you don't want to set up a query in CloudWatch, you can instead create a Lambda function to send you an email when a malicious file is found.