Home / Rust / Filesystem

Mount AWS CloudWatch logs as a file system

cwl-mount Mount AWS CloudWatch logs as a file system. Key Features • How To Use • Installation • Credits • License cwl-mount mounts an AWS CloudWatch
Information
Category: Rust / Filesystem
Watchers: 1
Star: 29
Fork: 0
Last update: Dec 21, 2021
Resource links
https://github.com/asimihsan/cwl-mount

cwl-mount

Mount AWS CloudWatch logs as a file system.

Key FeaturesHow To UseInstallationCreditsLicense

cwl-mount mounts an AWS CloudWatch Logs log group as a file system. This lets you use everyday utilities like cat, grep, and shell globbing and query your logs.

screenshot

What problem does cwl-mount solve

AWS CloudWatch Logs Insights is powerful but only returns a maximum of 10,000 results with no option to paginate results [1]. AWS CloudWatch Logs lets you filter logs but does not allow you to show logs before and after matches. You can export CloudWatch logs to S3 but this can take up to 12 hours [3]. You can stream your CloudWatch Logs to another data store but will pay for the streaming out and extra infrastructure [4].

Filling in the gap, cwl-mount has no upper limit on the number of logs you can search over, allows you to run grep -C to search with context, can be used immediately, and does not require additional infrastructure.

[1] https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_StartQuery.html#API_StartQuery_RequestSyntax

[2] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html

[3] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html

[4] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html

Key Features

  • Access CloudWatch logs as if they are files. Use cat on certain time ranges, grep --context, etc.
  • Query latest logs instantaneouly; don't wait for S3 exports or transferring to a stream.
  • Cross platform
    • Natively supports Linux and Mac OS X.
    • Run on Windows via a Docker container.

How To Use

You need IAM credentials for a IAM user or IAM role that can call logs:FilterLogEvents and logs:DescribeLogGroups.

Natively on Linux and Mac OS X

In one Terminal tab:

mkdir /tmp/foo
cwl-mount --region us-west-2 --log-group-name babynames-preprod-log-group-syslog /tmp/foo

In a second tab:

➜  ~ ls -l /tmp/foo

total 0
drwxrwxrwx  2 asimi  staff  0 Dec 31  1969 2021

➜  ~ ls -l /tmp/foo/2021/12/04/00-{00,01,02,03,04,05}
-rwxrwxrwx  1 asimi  staff  2147483647 Dec 31  1969 /tmp/foo/2021/12/04/00-00
-rwxrwxrwx  1 asimi  staff  2147483647 Dec 31  1969 /tmp/foo/2021/12/04/00-01
-rwxrwxrwx  1 asimi  staff  2147483647 Dec 31  1969 /tmp/foo/2021/12/04/00-02
-rwxrwxrwx  1 asimi  staff  2147483647 Dec 31  1969 /tmp/foo/2021/12/04/00-03
-rwxrwxrwx  1 asimi  staff  2147483647 Dec 31  1969 /tmp/foo/2021/12/04/00-04
-rwxrwxrwx  1 asimi  staff  2147483647 Dec 31  1969 /tmp/foo/2021/12/04/00-05

➜  ~ cat /tmp/foo/2021/12/04/00-{00,01,02,03,04,05}
[i-03e71e7954a899acb] Dec  4 00:00:07 ip-10-0-0-62 systemd[1]: Starting Rotate log files...
[i-03e71e7954a899acb] Dec  4 00:00:07 ip-10-0-0-62 systemd[1]: Starting Daily man-db regeneration...
[i-03e71e7954a899acb] Dec  4 00:00:07 ip-10-0-0-62 systemd[1]: logrotate.service: Succeeded.
[i-03e71e7954a899acb] Dec  4 00:00:07 ip-10-0-0-62 systemd[1]: Finished Rotate log files.
[i-03e71e7954a899acb] Dec  4 00:00:07 ip-10-0-0-62 systemd[1]: man-db.service: Succeeded.
[i-03e71e7954a899acb] Dec  4 00:00:07 ip-10-0-0-62 systemd[1]: Finished Daily man-db regeneration.[i-03e71e7954a899acb] Dec  4 00:03:01 ip-10-0-0-62 CRON[40987]: (root) CMD (/bin/sleep $[ ( $RANDOM % 3000 ) + 1 ]s; rm -f /var/log/awsagent-update.log; umask 037 && /opt/aws/awsagent/bin/update > /var/log/awsagent-update.log 2>&1)%

Docker, for any OS

Since cwl-mount requires FUSE it will not work out of the box on Windows. You can instead use a Docker container:

docker run \
    --privileged \
    --interactive \
    --tty \
    --env-file $HOME/.aws_kitten_cat_credentials_docker \
    public.ecr.aws/b5u6b4p0/cwl-mount:latest

The contents of env-file are some IAM role credentials that have access to logs:FilterLogEvents and logs:DescribeLogGroups, and look like:

AWS_ACCESS_KEY_ID=ABCDE
AWS_SECRET_ACCESS_KEY=fghij
AWS_REGION=us-west-2

Usage help

Usage help:

cwl-mount 0.1.1

USAGE:
    cwl-mount [FLAGS] [OPTIONS] <mount-point> --log-group-name <log-group-name>

FLAGS:
        --allow-root    Allow root user to access filesystem
    -h, --help          Prints help information
    -V, --version       Prints version information
    -v, --verbose       Verbose output. Set three times for maximum verbosity.

OPTIONS:
        --log-group-name <log-group-name>    CloudWatch Logs log group name
        --region <region>                    AWS region, e.g. 'us-west-2'

ARGS:
    <mount-point>    Act as a client, and mount FUSE at given path

Troubleshooting

If you get an error about the directory already being mounted, try umount /tmp/foo first.

I recommend always passing in the AWS region in --region, even if you have the AWS_REGION environment variable set, otherwise STS temporary credentials may not work.

Installation

Linux with RPM:

wget https://github.com/asimihsan/cwl-mount/releases/download/v0.1.1/cwl-mount-0.1.1-1-x86_64.rpm
yum localinstall cwl-mount-0.1.1-1-x86_64.rpm
cwl-mount --help

Linux with DEB:

wget https://github.com/asimihsan/cwl-mount/releases/download/v0.1.1/cwl-mount-0.1.1-1-x86_64.deb
apt -y install gdebi
gdebi cwl-mount-0.1.1-1-x86_64.deb
cwl-mount --help

Mac:

# If this is the first time you've installed macfuse, you will need to restart after this.
brew install macfuse

mkdir $HOME/bin
wget https://github.com/asimihsan/cwl-mount/releases/download/v0.1.1/cwl-mount-0.1.1-darwin-x64_64.tar.gz
tar xvf cwl-mount-0.1.1-darwin-x64_64.tar.gz --directory $HOME/bin
$HOME/bin/cwl-mount --help

Credits

Maintainer instructions

./release.sh combines all the steps below in the correct order.

Building runnable Docker container and publishing it

docker build --squash . --file Dockerfile.runnable --tag cwl-mount:latest

source ~/.aws_kitten_cat_credentials
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/kittencat
docker tag cwl-mount:latest public.ecr.aws/kittencat/cwl-mount:latest
docker push public.ecr.aws/kittencat/cwl-mount:latest

To run it:

docker run \
    --privileged \
    --interactive \
    --tty \
    --env-file $HOME/.aws_kitten_cat_credentials_docker \
    cwl-mount:latest

The contents of env-file are some credentials like:

AWS_ACCESS_KEY_ID=ABCDE
AWS_SECRET_ACCESS_KEY=fghij
AWS_REGION=us-west-2

Building RPM

docker build . --file Dockerfile.amazonlinux2 --tag cwl-mount-al2:latest

docker run \
    --privileged \
    --interactive \
    --tty \
    --volume "$(pwd):/workspace" \
    --workdir /workspace \
    --env-file $HOME/.aws_kitten_cat_credentials_docker \
    cwl-mount-al2:latest ./build_rpm.sh

rmdir /tmp/foo ; mkdir /tmp/foo
docker run \
    --cap-add SYS_ADMIN \
    --device /dev/fuse \
    --privileged \
    --interactive \
    --tty \
    --volume "$(pwd):/workspace" \
    --volume "/tmp/foo:/tmp/foo" \
    --workdir /workspace \
    --env-file $HOME/.aws_kitten_cat_credentials_docker \
    public.ecr.aws/amazonlinux/amazonlinux:2 ./test_rpm.sh

Building DEB

docker build . --file Dockerfile.debian --tag cwl-mount-debian:latest

docker run \
    --privileged \
    --interactive \
    --tty \
    --volume "$(pwd):/workspace" \
    --workdir /workspace \
    --env-file $HOME/.aws_kitten_cat_credentials_docker \
    cwl-mount-debian:latest ./build_deb.sh

Building for Mac

./build_mac.sh

Recording a demo

See: https://terminalizer.com/docs

npm install -g terminalizer

[ ! -d $HOME/demo ] && mkdir $HOME/demo
cd $HOME/demo
terminalizer record demo

# inside the demo...

tmux
# ...

# when you're done
CTRL-D

terminalizer render demo

References

How to set up Rust actors

License

Apache License 2.0

0 Open More issues
Closed

Multiple log groups matching a pattern

I'd like to search logs for my Lambdas belonging to an API Gateway. Usually these come with a prefix (if created via CFN or similar). E.g. my-app-func1 or my-app-func2.

How about extending cwl-mount so that it takes a prefix and a mount point so that:

mkdir /tmp/foo
cwl-mount --region us-west-2 --log-group-prefix my-app /tmp/foo

results in all the log groups starting with prefix end up under the mount point?

enhancement 
opened Dec 12, 2021 by bracki 3
Closed

Installation error: `get_logs_to_display` argument mismatch

Got the following error when installing on MacOS 11.5.2 with ./build_mac.sh:

   Compiling cwl-mount v0.1.1 (/Users/cfrech/tools/cwl-mount/src/cli)
error[E0061]: this function takes 4 arguments but 3 arguments were supplied
   --> cli/src/main.rs:228:26
    |
228 |                         .get_logs_to_display(log_group_name, time_bounds.start_time, time_bounds.end_time)
    |                          ^^^^^^^^^^^^^^^^^^^ --------------  ----------------------  -------------------- supplied 3 arguments
    |                          |
    |                          expected 4 arguments
    |
note: associated function defined here
   --> /Users/cfrech/tools/cwl-mount/src/cwl-lib/src/lib.rs:467:18
    |
467 |     pub async fn get_logs_to_display(
    |                  ^^^^^^^^^^^^^^^^^^^

For more information about this error, try `rustc --explain E0061`.
error: could not compile `cwl-mount` due to previous error
bug 
opened Dec 14, 2021 by cfrech-ctx 2
Open

Bump thread_local from 1.1.3 to 1.1.4 in /src

Bumps thread_local from 1.1.3 to 1.1.4.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies 
opened Jun 16, 2022 by dependabot[bot] 0
Open

Bump regex from 1.5.4 to 1.5.5 in /src

Bumps regex from 1.5.4 to 1.5.5.

Changelog

Sourced from regex's changelog.

1.5.5 (2022-03-08)

This releases fixes a security bug in the regex compiler. This bug permits a vector for a denial-of-service attack in cases where the regex being compiled is untrusted. There are no known problems where the regex is itself trusted, including in cases of untrusted haystacks.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies 
opened Jun 6, 2022 by dependabot[bot] 0
Open

Bump crossbeam-utils from 0.8.5 to 0.8.8 in /src

Bumps crossbeam-utils from 0.8.5 to 0.8.8.

Release notes

Sourced from crossbeam-utils's releases.

crossbeam-utils 0.8.8

  • Fix a bug when unstable loom support is enabled. (#787)

crossbeam-utils 0.8.7

  • Add AtomicCell<{i*,u*}>::{fetch_max,fetch_min}. (#785)
  • Add AtomicCell<{i*,u*,bool}>::fetch_nand. (#785)
  • Fix unsoundness of AtomicCell<{i,u}64> arithmetics on 32-bit targets that support Atomic{I,U}64 (#781)

crossbeam-utils 0.8.6

  • Re-add AtomicCell<{i,u}64>::{fetch_add,fetch_sub,fetch_and,fetch_or,fetch_xor} that were accidentally removed in 0.8.0 0.7.1 on targets that do not support Atomic{I,U}64. (#767)
  • Re-add AtomicCell<{i,u}128>::{fetch_add,fetch_sub,fetch_and,fetch_or,fetch_xor} that were accidentally removed in 0.8.0 0.7.1. (#767)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies 
opened Jun 6, 2022 by dependabot[bot] 0
Open

Caching is too coarse

As a user I may be running on a memory-constrained system or have large volumes of logs. I may need to configure caching to either disable it or configure numbers of files to cache over.

Today we just blindly cache the last 60 files loaded.

bug 
opened Dec 18, 2021 by asimihsan 0
Open

Variable precision directories and filenames

As a user, I can specify what date and time precision with which to have directories and files exposed.

For example, I may want to have directories as YYYY/MM/DD/HH/MM/SS, and files as 100's of milliseconds. This is useful for systems that output high volumes of logs and where I already what 100th millisecond to find logs at.

For example, I may want to have directories as YYYY/MM/DD and files as HH. This is useful for systems that output low volumes of logs where I'm confident that grepping over multiple hours will be fast and I'm not sure where I'm looking.

enhancement 
opened Dec 18, 2021 by asimihsan 0
Open

Pseudo `latest` file to tail logs

As a user, I can use tail -f to monitor the latest logs for one or more CloudWatch Logs log groups. I can run the cwl-mount command once and new logs and new log groups are automatically included.

enhancement 
opened Dec 18, 2021 by asimihsan 0

Contents

    apex Send your AWS CloudWatch Logs to Apex Logs.
    pop-os sys-mount — High level abstraction for the mount / umount2 system calls.
    google FUSE file system for ZIP archives
    ashtonmeuser A simple live dashboard for CloudWatch metrics
    idealo Send CloudWatch Alarms to Microsoft Teams via an SNS topic.
    techjacker Exports systemd logs to an external service, eg cloudwatch, elasticsearch
    berzniz realtime logging for now - https://logs.now.sh
    tailhook libmount - The type-safe wrapper around mount system call
    JackBister Logsuck is a program that makes it easier for you to deal with your logs.
    nicolasdelfino A lightweight engine to animate dom elements as they mount or unmount
    Zlanee An open source top mount WKL Tkl
    carlosgaldino GotenksFS is a file system on top of your file system
    aws-samples This Cloudformation template autoremediates EKS cluster level logging using CloudWatch Event Rules and Lambda
    DenizParlak AWS Auditing & Hardening Tool
    lifadev Network I/O interface for AWS Lambda Go runtime.
    brandongalbraith An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet 😈
    OrenLeung AWS Tags As A Database (AWS TaaDb)🚀 is a Python 🐍 library using AWS Tags as a Key-Value database. This database is completely free* 💸
    KyleRoss Basic logging mechanism for Node 6.10+ Lambda Functions
    attakercyebr I have logs fresh victims from this country [ US , DE , BR , AR , NL , MY , IL , CZ , CA , TR , ...etc ] Count : 2600 logs victims device
    devops-israel AWS Inventory in a single HTML file using JS AWS-SDK & Bootstrap
    dertuxmalwieder Git clone of the RSS file system.
    Share this repo

    Related Repos


    Filesystem
    35
    Ninja-compatible build system for high-level programming languages written in Rust
    raviqqe Turtle Clone of the Ninja build system written in Rust Goals Safe (no unsafe) and fast implementation of the Ninja build system in Rust Frontend suppo
     
    Filesystem
    31
    Cover your tracks during Linux Exploitation by leaving zero traces on system logs and file...
    mufeedvh moonwalk Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps. 📖 Table o
     
    Filesystem
    29
    Mount AWS CloudWatch logs as a file system
    asimihsan cwl-mount Mount AWS CloudWatch logs as a file system. Key Features • How To Use • Installation • Credits • License cwl-mount mounts an AWS CloudWatch
     
    Filesystem
    32
    A POSIX select I/O Multiplexing Rust library.
    b23r0 select-rs A POSIX select I/O Multiplexing Rust library. Get started # Cargo.toml [dependencies] select-rs = "0.1.2" Example use select_rs::*; fn main
     
    Filesystem
    3
    Systemd services for checking for and applying system updates.
    pop-os Pop System Updater Systemd services for checking for and applying system updates. License Licensed under the GNU General Public License v3.0. Contribu
     
    Filesystem
    10
    A high level language for SELinux policy
    dburgener Introduction Cascade is a project to build a new high level language for defining SELinux policy. The overall structure of the language is essentially
     
    Filesystem
    4
    A collection of compilers based around compiling a high level language to a Brainfuck dial...
    adam-mcdaniel tf A collection of compilers based around compiling a high level language to a Brainfuck dialect. Built at, and for, the VolHacks V hackathon during O
     
    Filesystem
    4
    LaaS: Life as a Service
    brundonsmith LaaS: Life as a Service $ curl life-as-a-service.herokuapp.com/-1x0~0x0~1x0 0x-1~0x0~0x1 let previous = '0x-1~0x0~0x1' for (let i = 0; i < 5; i++) {
     
    Filesystem
    4
    A simple batch file classer
    Eolien55 FileClassed Efficient, lightweight, configurable file organizer. This project is very simple : it takes a file in certains directories (that can be co
     
    Filesystem
    28
    [WORKING PROTOTYPE] Generate QR code easily for free - QR Code Generation as a Service
    sayanarijit QRcode.show Generate QR code easily for free - QR Code Generation as a Service INPUT: $ curl qrcode.show/INPUT $ curl qrcode.show -d INPUT
     
    Filesystem
    126
    the file filesystem: mount semi-structured data (like JSON) as a Unix filesystem
    mgree ffs, the file filessytem, let's you mount semi-structured data as a fileystem---a tree structure you already know how to work with!
     
    Filesystem
    31
    Rustypaste is a minimal file upload/pastebin service.
    orhun Rustypaste is a minimal file upload/pastebin service.
     
    Filesystem
    27
    Nova: Recursive SNARKs without trusted setup
    microsoft Nova: Recursive SNARKs without trusted setup Nova is a high-speed recursive SNARK (a SNARK is type cryptographic proof system that enables a prover to
     
    Filesystem
    28
    RDFM - The Rusty DotFiles Manager
    Wafelack RDFM is the Rusty DotFiles Manager, based on a homemade linking system and configured by a simple file ; it is intended for everyone who needs an easy and reliable way to manage and share dotfiles.
     
    Filesystem
    22
    A free and open source replay system for Microsoft Flight Simulator
    saltysimulations About SaltyReplay is a free and open source replay system for Microsoft Flight Simulator. Because replays are one of the most requested features for M