Only 1 alert is generated for similar events

Hello,

I set up AWS CloudTrail. I had multiple events (for example S3 put/delete, etc.) but only received one email alert for one event around the same timeframe. I can’t figure out why the other emails are not being received.

Dear @cloudtrail,

You might want to be a little more verbose about your environment, i.e. the configuration you have, because without that, helping you is just guessing about the reasons.

Jan

Hi @jan, thank you for the response. I will try to be as detailed as possible below:

  1. I set up Graylog, which indexes logs from AWS CloudTrail events (under AWS Organizations) for ALL child accounts.
  2. I set up an “Event Definition” for EC2 events as well as a dashboard for the events using the SAME query/stream.
  3. The dashboard shows ~100 events in 1 day, but I received only around 5/6 email notifications for EC2 events in my mailbox.
  4. For the notification setup, the aggregation “group by field” is not set, and it creates an event for the definition if count() on event_name is >= the threshold of 1. So based on this I should be receiving multiple email alerts. The search is within the last 15 minutes and the search is also executed every 15 minutes. The UI shows alerts in the filter preview as well.

Below is the email body template:

### [[ EVENT DEFINITION ]] ###
Title::: ${event_definition_title}
Description::: ${event_definition_description}
Action::: Check with Team/L2 for now

### [[ EVENT DETAILS ]] ###
${if backlog}${foreach backlog message}
${message.fields.timestamp}
AccountName::: ${message.fields.AccountName}
event_name::: ${message.fields.event_name}
event_source::: ${message.fields.event_source}
user_name::: ${message.fields.user_name}
user_principal_arn::: ${message.fields.user_principal_arn}
aws_region::: ${message.fields.aws_region}
user_access_key_id::: ${message.fields.user_access_key_id}
user_account_id::: ${message.fields.user_account_id}
source_address::: ${message.fields.source_address}
errorMessage::: ${message.fields.errorMessage}

### [[ COMPLETE MESSAGE ]] ###
${message.fields.full_message}

## For debugging ##
${message.fields}
${end}
${else}<No backlog>${end}

Hope this helps!
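As an added illustration that is not part of this thread, here is a small Python model of how an aggregation event definition behaves under the settings described in the post (a search executed every 15 minutes over the last 15 minutes, count() >= 1, no group-by field), written from my understanding of Graylog's aggregation semantics: each execution emits one event per matching group, so one event in total when no group-by field is set, however many messages fell into the window. The sample CloudTrail-derived messages and the window alignment to the first message are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of CloudTrail-derived messages as Graylog would index them
# (timestamps, event names and account ids are made up for this illustration).
SAMPLE_MESSAGES = [
    {"timestamp": "2024-01-01T10:01:00", "event_name": "RunInstances", "user_account_id": "111111111111"},
    {"timestamp": "2024-01-01T10:03:00", "event_name": "TerminateInstances", "user_account_id": "111111111111"},
    {"timestamp": "2024-01-01T10:09:00", "event_name": "RunInstances", "user_account_id": "222222222222"},
    {"timestamp": "2024-01-01T10:20:00", "event_name": "StopInstances", "user_account_id": "222222222222"},
    {"timestamp": "2024-01-01T10:50:00", "event_name": "RunInstances", "user_account_id": "111111111111"},
]


def simulate_aggregation_events(messages, window_minutes=15, threshold=1, group_by=None):
    """Model of an aggregation event definition (assumed semantics):
    the search runs every `window_minutes` over the last `window_minutes`;
    each execution emits ONE event per group whose count() >= threshold,
    i.e. one event in total per window when group_by is None.
    Windows are aligned to the earliest message for simplicity.
    Returns the list of emitted events."""
    parsed = sorted((datetime.fromisoformat(m["timestamp"]), m) for m in messages)
    window = timedelta(minutes=window_minutes)
    window_start = parsed[0][0]
    last_ts = parsed[-1][0]
    events = []
    while window_start <= last_ts:
        window_end = window_start + window
        counts = defaultdict(int)
        for ts, msg in parsed:
            if window_start <= ts < window_end:
                key = msg.get(group_by) if group_by else None
                counts[key] += 1
        # One event per group (single group when no group-by), not one per message.
        for key, n in counts.items():
            if n >= threshold:
                events.append({"window_start": window_start.isoformat(), "group": key, "count": n})
        window_start = window_end
    return events


if __name__ == "__main__":
    print(len(SAMPLE_MESSAGES), "messages")
    print(len(simulate_aggregation_events(SAMPLE_MESSAGES)), "events without group-by")
    print(len(simulate_aggregation_events(SAMPLE_MESSAGES, group_by="event_name")), "events grouped by event_name")
```

Five messages produce three events without a group-by field (one per non-empty window) and four when grouped by event_name, which is the kind of gap between dashboard counts and notification counts described in the post.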