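# Collects "QUERY" events from the last $hours_to_look_back hours out of every
# matching RDS log group in CloudWatch Logs and writes them to the pipeline.
Import-Module AWSPowerShell

Set-DefaultAWSRegion -Region us-west-1

# Credentials are set once for the session, so the cmdlets below need no
# explicit -Credential argument.
# NOTE(review): the values below are placeholders. Keep real keys out of the
# script file; a stored profile (Set-AWSCredential -ProfileName ...) or an
# instance role avoids leaving a long-lived secret in source control or a paste.
# For what this script calls, the identity needs only logs:DescribeLogGroups
# and logs:FilterLogEvents.
Set-AWSCredentials -AccessKey youraccesskey -SecretKey yoursecretkey

# How far back the query window reaches.
$hours_to_look_back = 72

# CloudWatch Logs takes StartTime/EndTime as milliseconds since the Unix epoch.
# Both bounds are derived from a single UTC instant using DateTime arithmetic.
# This avoids parsing the text from Get-Date -UFormat "%s", whose decimal
# separator can follow the session culture and whose handling differs between
# PowerShell editions. Values stay at whole-second granularity, as before.
$Unix_Epoch = New-Object -TypeName DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
$Now_Utc = (Get-Date).ToUniversalTime()
$Current_Unix_Timestamp = ([long][Math]::Floor(($Now_Utc - $Unix_Epoch).TotalSeconds)) * 1000
$Past_Unix_Timestamp = ([long][Math]::Floor(($Now_Utc.AddHours(-1 * $hours_to_look_back) - $Unix_Epoch).TotalSeconds)) * 1000

# Get the RDS log groups under /aws/rds whose name matches our prefix.
$All_CW_RDS_Logs = Get-CWLLogGroup -LogGroupNamePrefix "/aws/rds" |
    Where-Object { $_.LogGroupName -like "*/myprefix-*" }

foreach ($Specific_CW_Log_Group in $All_CW_RDS_Logs) {
    Write-Host $Specific_CW_Log_Group.LogGroupName

    # Reset for each log group; a token left over from the previous group
    # would break paging. Starting from $null lets the first call and the
    # follow-up calls share one code path.
    $CW_NextToken = $null

    # Author's notes: the call hangs if the FilterPattern is invalid, which
    # apparently includes commas, backslashes, etc. ",QUERY," would narrow the
    # match to create/truncate/drop, but commas are not accepted, so the
    # broader "QUERY" is used instead.
    do {
        #Write-Host "CWToken $CW_NextToken"

        $CW_RDS = Get-CWLFilteredLogEvent `
            -LogGroupName $Specific_CW_Log_Group.LogGroupName `
            -StartTime $Past_Unix_Timestamp `
            -EndTime $Current_Unix_Timestamp `
            -FilterPattern "QUERY" `
            -Limit 2000 `
            -NextToken $CW_NextToken

        # The result is an ordinary PowerShell object, so the events can be
        # emitted directly without parsing.
        # NOTE(review): matched events presumably carry the logged statement
        # text; treat the output as sensitive wherever it is stored or sent.
        $CW_RDS.Events

        # A non-null token means more pages remain for this log group.
        $CW_NextToken = $CW_RDS.NextToken
    } while ($null -ne $CW_NextToken)
}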