I'm looking to set up alarms based on thresholds of particular log events, such as "failed logins". I have an Insights query that returns all the log entries I'm interested in. Is there a way I can set up metrics and alarms based on Insights queries? I found an editor to do this in Metrics, but I'm unable to save it and can't select my log groups. I feel like I'm missing something. Thanks!
My example Insights query here:
fields @timestamp, @message | filter @message LIKE "User login failed" | parse @message "* * [*] *" as date, level, object, message | sort @timestamp desc
I tried adding this query to the editor in Metrics but it won't save.
You can create a metric filter for your log group and then configure an alarm based on the metric filter:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Create_alarm_log_group_metric_filter.html
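
The approach in the answer above, sketched with the AWS CLI as an added example that is not part of the original thread. The log group name, namespace, metric name, filter and alarm names, threshold, period and SNS topic ARN are all assumed placeholders.

```shell
#!/bin/sh
# Added example: count "User login failed" log events with a metric filter,
# then alarm when the count crosses a threshold.
# Every value below is an assumption, not taken from the thread.
set -eu

LOG_GROUP="${LOG_GROUP:-/example/app/auth}"     # assumed log group name
NAMESPACE="${NAMESPACE:-Example/Security}"      # assumed custom namespace
METRIC="${METRIC:-FailedLoginCount}"            # assumed metric name
THRESHOLD="${THRESHOLD:-5}"                     # assumed: alarm at >= 5 failures
PERIOD="${PERIOD:-300}"                         # assumed: per 5-minute window
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_PLACEHOLDER}"

create_metric_filter() {
  # A double-quoted filter pattern matches the exact phrase, the same text
  # the Insights query filters on. Each matching event adds 1 to the metric;
  # defaultValue=0 publishes 0 when events arrive but none match.
  aws logs put-metric-filter \
    --log-group-name "$LOG_GROUP" \
    --filter-name "failed-logins" \
    --filter-pattern '"User login failed"' \
    --metric-transformations \
      "metricName=$METRIC,metricNamespace=$NAMESPACE,metricValue=1,defaultValue=0"
}

create_alarm() {
  # Sum over one period compared against the threshold; a quiet log group
  # (no data points at all) is treated as healthy rather than as a breach.
  aws cloudwatch put-metric-alarm \
    --alarm-name "failed-logins-threshold" \
    --namespace "$NAMESPACE" \
    --metric-name "$METRIC" \
    --statistic Sum \
    --period "$PERIOD" \
    --evaluation-periods 1 \
    --threshold "$THRESHOLD" \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --treat-missing-data notBreaching \
    --alarm-actions "$SNS_TOPIC_ARN"
}

# Only touch AWS when explicitly asked to: ./script.sh apply
if [ "${1:-}" = "apply" ]; then
  create_metric_filter
  create_alarm
fi
```

Run it with `apply` as the first argument to create both resources. The namespace and metric name passed to the alarm must match the metric transformation exactly, otherwise the alarm stays in `INSUFFICIENT_DATA`.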