In my previous post, I provided an example on how customers can take advantage of Log Intelligence's Webhook capability to consume VMware Cloud on AWS (VMC) based events and extend that to other Public Cloud Services like Slack as an example to build new and interesting integrations. We took advantage of the fact that some of these Public Cloud Services either have native webhook support or have a built-in Webhook listener like IFTTT which in turn can support other services which may not have native Webhook support.

However, customers can also build their own Webhook listener, which is nothing more than being able to POST to an API endpoint with a pre-defined JSON payload. In fact, this would be needed for any on-premises integration if the solution does not support webhooks.

For VMC customers who currently consume AWS Services such as Lambda and CloudWatch, it is actually very easy to integrate these and other AWS Services directly using LINT's Webhook feature. In fact, I chose Lambda and CloudWatch as these are two of the mostly frequently asked integration points. At our recent VMC Customer Summit, which took place last month, I had built a demo based on an actual customer use case for sending specific VMC Events from LINT to Cloud Watch as that was their tool of choice for auditing purpose.

I decided to make use of Lambda as it allowed me to quickly integrate with CloudWatch and I could also show how lambda integration would work given the number of customers asking. Ultimately, Lambda also enabled me to easily build a Webhook listener to process the LINT Webhook by simply front-ending the Lambda function with an AWS API Gateway, which was super easy to setup and use.

The remainder of this article will outline the instructions for setting up this integration between LINT and AWS.

AWS Lambda

Step 1 - Login to the AWS Console and create a new Lambda function and provide a name, runtime (Python 3.7 in our example) and an execution role (Create a new role in our example).



Step 2 - Copy the following code snippet into the function as shown in the screenshot below and then click on the Save button.

import json import logging logger = logging.getLogger() logger.setLevel(logging.INFO) def lambda_handler(event, context): body = json.loads(event['body']) source=body['source'] payload=body['payload'] datetime=body['datetime'] logging.info("SOURCE: " + json.dumps(source)) logging.info("PAYLOAD: " + json.dumps(payload)) logging.info("DATETIME: " + json.dumps(datetime)) return { 'statusCode': 200, 'body': json.dumps({'Messsage':'Successfully received Webhook from VMC'}) } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 import json import logging logger = logging . getLogger ( ) logger . setLevel ( logging . INFO ) def lambda_handler ( event , context ) : body = json . loads ( event [ 'body' ] ) source = body [ 'source' ] payload = body [ 'payload' ] datetime = body [ 'datetime' ] logging . info ( "SOURCE: " + json . dumps ( source ) ) logging . info ( "PAYLOAD: " + json . dumps ( payload ) ) logging . info ( "DATETIME: " + json . dumps ( datetime ) ) return { 'statusCode' : 200 , 'body' : json . dumps ( { 'Messsage' : 'Successfully received Webhook from VMC' } ) }

In the example above, we are defining what the Webhook payload JSON structure should look like. This is just an example, you can literally define this however you like as long as you match the structure when configuring the LINT payload.

{ "source": "INSERT DATA", "payload": "INSERT DATA", "datetime": "INSERT DATA" } 1 2 3 4 5 { "source" : "INSERT DATA" , "payload" : "INSERT DATA" , "datetime" : "INSERT DATA" }



Step 3 - Add an API Gateway trigger which will allow us to access our Lambda function over HTTP. Next, we will configure the trigger to create a new API and configure the security access policy.



In this example, I will be using Open for demonstration purposes but you have the option of using AWS IAM or API Key for authorization. Once you are finished, click on the Add button and then Save.



Step 4 - Next, we create our API method by selecting Actions->Create Method and selecting the POST operation.



We then associate our Lambda function in the next section and make sure you select "Use Lambda Proxy integration" and specify the name of your function as shown in the screenshot below. At this point, our Lambda function is ready to be called by our LINT Webhook!



Step 5 - The last thing we need is to retrieve the API endpoint for our Lambda function. To do so, simply click on API Gateway Icon and at the bottom and make a note of the URL which we will need in configuring LINT.

Log Intelligence

Step 1 - Log into the LINT Service and then head over to Configuration->Webhook Configuration and create a new Webhook with the API Gateway URL from the previous step.



For the Webhook payload, copy the following snippet which matches the structure that had defined in our Lambda function and click Save.

{ "source": "VMC", "payload": "${additionalInfo}", "datetime": "${triggeredAt}" } 1 2 3 4 5 { "source" : "VMC" , "payload" : "${additionalInfo}" , "datetime" : "${triggeredAt}" }

Note: Remember, LINT allows you to define the payload and if you decided to change or add more information, you simply need to ensure your Lambda function is updated to handle the updated structure.

Before consuming the webhook as part of a LINT alert notification in LINT, we can test the webook by simply clicking "Send Test". You should see a message stating it was successfully sent.

Step 2 - Lets now verify that our Lamda function has been executed and the "Test" payload has made its way into AWS CloudWatch. Return to AWS Console and go to the Lamda function you had created. Click on Monitoring tab and select "View logs in CloudWatch"



It may take a minute or two before the log data shows up, so you can refresh and you should eventually see something like the following:



As you can see in the output, it matches the structure we had defined by printing out the SOURCE, PALOAD and DATETIME strings and their respective values within the CloudWatch logs. You obviously can refine the output structure however you wish, but this should give you an idea of what the data would look like.

Step 3 - Now that we have verified our Lamda function is processing the LINT Webhook correctly, the last thing to do is to update our "VMC Login Event" alert definition (see this article here for how to set this up) to use our new Lamda function Webhook. Navigate to Alerts->Alert Definitions and then the alert you have defined and edit the Notification to use the new Webhook definition that you had created in Step 1.



Here is a screenshot of what the login event payload actually looks like as part of processing our Lambda function and storing that into CloudWatch.