AWS CloudWatch

Do not depend on logs in your downstream workflow. Logs are subject to change without prior notice. Use ScanResultTopic instead. If there is any necessary information that only exists in logs, please contact support with a feature request.

View scan results in CloudWatch

File Storage Security logs its scan results in AWS CloudWatch Logs. These logs contain a bit more information than what's available in the fss-* tags.

To view the scan result logs in CloudWatch Logs:

  1. In AWS, go to CloudFormation > your scanner stack > Resources > ScannerLogGroup link. The CloudWatch service appears with Log groups selected on the left.
  2. Under Log streams, select a log stream with a Last event time that is later than or equal to the time when you added the file to the S3 bucket to scan.
  3. Expand the event message that starts with scanner result: and reference the scan result format.

Search for scan results in CloudWatch

You can search for scan results using AWS CloudWatch Logs Insights. Below is an example of how to set up a query.

  1. In AWS, go to the CloudWatch service.
  2. On the left, under Logs, select Insights.
  3. In the main pane, select inside the Select log group(s) field, and enter ScannerLambda into the search box. Select the File Storage Security log group. It looks similar to:

    /aws/lambda/FileStorageSec-ScannerLambda-2R3P1J2HTVPU

  4. Replace the contents of the text box with the following lines:

    fields @timestamp, @message
    | filter @message like "scanner result"
    | sort @timestamp desc
    | limit 20
    

    This query finds all scan results, up to a maximum of 20.

  5. Set the time or date range using the available buttons.

  6. Select Run query. A list of messages containing scan results appears.

    If you were expecting results and don't see them, try setting a broader time or date range.

  7. Expand a message to view the scan results. For help on understanding the scan results, see View scan results in CloudWatch.

Monitor for malicious files using CloudWatch

You can monitor your system for malicious files using AWS CloudWatch Logs Insights.

Here is an example of a script that searches for logs generated by the ScannerLambda function when it finds malicious files:

fields @timestamp, @message, ispresent(scanning_result.Findings.0.malware) as infected, scanning_result.Findings.0.malware as malware, file_url
| filter @message like "scanner result"
| sort @timestamp desc
| display @timestamp, scanner_status_message, infected, malware, file_url
| limit 20

After creating the query, you can save it and re-run it periodically to monitor for malicious files.

screen shot

If you don't want to set up a query in CloudWatch, you can instead create a Lambda function to send you an email when a malicious file is found.