Friday, August 5, 2022

No output location provided. An output location is required either through the Workgroup result configuration setting or as an API input. | by Teri Radichel | Bugs That Bite | Aug, 2022


Athena + CloudTrail. What happened?

I remember using Athena for CloudTrail before. It had some examples to get you started. I thought it was really simple, but I haven't looked at it in a while. I could go back and review my class labs. But I'm in a hurry. So I just go back to it, create a table, and get this error.

No output location provided. An output location is required either through the Workgroup result configuration setting or as an API input.

HUH?

So I search for the error and I come to a bunch of documentation. Huh? I click the links and Huh? again?

What is this location thing?

So I search for Athena + CloudTrail and I get this:

After I create the Athena table I now have to run this? What? Why?

So I have to go find my bucket name, account Id, the region and some date? What date am I supposed to use?

I just want to query my CloudTrail logs, not figure out Athena partitions. Can't you restore the way it worked before and make it easier for the end user to query their logs? Maybe the location thing was there but the query to create the table included it so I didn't have to figure it out.

And why in the world can I just not filter the logs on things like role name right from the main CloudTrail dashboard? That seems so obvious.

So apparently this is supposed to explain it:

  • To analyze data from multiple accounts, you can roll back the LOCATION specifier to indicate all AWSLogs by using LOCATION 's3://MyLogFiles/AWSLogs/'.
  • To analyze data from a particular date, account, and Region, use LOCATION 's3://MyLogFiles/123456789012/CloudTrail/us-east-1/2016/03/14/'.

Type a particular date. Why do I have to specify a date at all? Why can't I just query my data?

What does this even mean?

Using the highest level in the object hierarchy gives you the greatest flexibility when you query using Athena.

What's the highest level in the object hierarchy? Wouldn't that be s3:// ?

Creating the table for CloudTrail logs in Athena using partition projection

Partition projection?? I'm just a security person who wants to figure out what a role did in CloudTrail logs. English please?

Partition projection automatically adds new partitions as new data is added. This removes the need for you to manually add partitions by using ALTER TABLE ADD PARTITION.

Um, okay I guess. If I don't have to run that alter statement above with a date I don't know what to set to, that's great, but what does this even mean?

Wait, create table? I just created a table. Shouldn't you have told me this before I created that other table? Do I have to drop that other table now? Am I paying for that and now I need to drop it and add a new one (I guess?)

And then there's all this at the end. There's that date again. I guess it's how far back I want to query. I guess I'll just try to stick my values in and run this statement and see what happens.

For more information about partition projection, see Partition projection with Amazon Athena.

But I don't want to learn partition projection with Amazon Athena. I just want to see what actions my role took so I can create a zero-trust IAM policy.

Can you please just do all that stuff for me and let me specify a date (if I have to — I'd rather not) and do all this partition stuff behind the scenes. People querying logs should not have to be database experts or data scientists for a query as simple as the one I want to run.

  1. Let me see what a role did.
  2. Let me query to find out who assumed a role.
  3. Let me query all the failed error messages.
  4. Let me filter out things I don't want to see.
  5. Let me query on any word in a request with a text search of the requests by entering a word in a text box.
  6. Make it simple.
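As an added example (not the post's own DDL, and not copied from AWS documentation), this is the shape of the partition-projection table the docs page above describes, followed by Athena queries for the first three wish-list items. Bucket name, account id, region, role name and the dates are placeholders, and it assumes the workgroup query result location has already been set as described later in the post.

```sql
-- Added example, not the post's own DDL. Placeholders: my-cloudtrail-bucket,
-- 111122223333, us-east-1, MyRole. Partition projection derives yyyy/MM/dd
-- partitions from the date range below, so no ALTER TABLE ADD PARTITION is needed.
CREATE EXTERNAL TABLE cloudtrail_pp (
  eventTime         STRING,
  eventSource       STRING,
  eventName         STRING,
  sourceIpAddress   STRING,
  errorCode         STRING,
  errorMessage      STRING,
  requestParameters STRING,
  userIdentity STRUCT<type: STRING, arn: STRING,
    sessionContext: STRUCT<sessionIssuer: STRUCT<type: STRING, arn: STRING>>>
)
PARTITIONED BY (`timestamp` STRING)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://my-cloudtrail-bucket/AWSLogs/111122223333/CloudTrail/us-east-1/'
TBLPROPERTIES (
  'projection.enabled'                 = 'true',
  'projection.timestamp.type'          = 'date',
  'projection.timestamp.format'        = 'yyyy/MM/dd',
  'projection.timestamp.interval'      = '1',
  'projection.timestamp.interval.unit' = 'DAYS',
  'projection.timestamp.range'         = '2022/01/01,NOW',
  'storage.location.template' =
    's3://my-cloudtrail-bucket/AWSLogs/111122223333/CloudTrail/us-east-1/${timestamp}'
);

-- 1. What a role did. The "timestamp" filter is the only date you supply, and it
--    is what stops Athena from scanning every day in the bucket.
SELECT eventTime, eventSource, eventName, sourceIpAddress, errorCode
FROM cloudtrail_pp
WHERE "timestamp" BETWEEN '2022/08/01' AND '2022/08/05'
  AND userIdentity.sessionContext.sessionIssuer.arn = 'arn:aws:iam::111122223333:role/MyRole'
ORDER BY eventTime;

-- 2. Who assumed that role (the target role ARN is in the requestParameters JSON).
SELECT eventTime, userIdentity.arn AS caller, sourceIpAddress
FROM cloudtrail_pp
WHERE "timestamp" BETWEEN '2022/08/01' AND '2022/08/05'
  AND eventName = 'AssumeRole' AND requestParameters LIKE '%role/MyRole%';

-- 3. Failed calls, with one kind of expected noise filtered out.
SELECT eventTime, userIdentity.arn, eventName, errorCode, errorMessage
FROM cloudtrail_pp
WHERE "timestamp" BETWEEN '2022/08/01' AND '2022/08/05'
  AND errorCode IS NOT NULL AND eventName <> 'DescribeInstances';
```

The range start in projection.timestamp.range is the earliest day the table can ever answer for, and NOW keeps it current, so that is the only date decision the table itself needs.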

Well, the alter statement didn't work.

I found it by guessing. First I clicked around Glue and couldn't find the setting. Then I went back to Athena and clicked on WorkGroup and everywhere. Finally I navigated into my CloudTrail table and clicked Settings.

Then Manage.

Browsed to select an S3 bucket. Clicked Save.

Then my query worked. Well, I got a syntax error.

But now I'm getting this error:

Permission denied on S3 path: s3://aws-controltower-logs-xxxxxxxxx-xxxxxx/CloudTrail. This query ran against the "default" database, unless qualified by the query.

What? I tried to put what I thought was the database name in front of the table name and that didn't work. Seems like this should be easier.

But perhaps the database name is a red herring. I can't see the S3 bucket, I'm guessing because it was set up by ControlTower. If I'm allowed to query the logs as an admin in CloudTrail, why can I not use Athena and access the S3 bucket?

I'd like it if you provided the sample queries better and this just worked.

Azure does even better. When you've got a query created by clicking things in the console and entering words in text boxes to filter data, it allows you to export the query to their query tool where you can save it or use it as a starting point for an even further customized query.

#awswishlist

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
