Lnav CloudTrail Query Runbooks

The CloudTrail logs waited, heavy with detail and patterns you couldn’t see yet. You open Lnav, and now the hunt begins.

Lnav CloudTrail Query Runbooks are the fastest way to move from raw AWS event data to clear, actionable intelligence. CloudTrail records every API call in your AWS account, but without a framework for running precise queries, it’s just a pile of JSON lines. Lnav solves this with interactive log navigation, advanced search, and real-time filtering. Runbooks give you repeatable workflows for turning queries into decisions.

Why Lnav for CloudTrail

  • Instant context: Lnav combines multiple logs, parses timestamps, and aligns events so investigations move fast.
  • SQL power: Query CloudTrail directly with SQLite syntax inside Lnav. No export step, no external database.
  • Replayable workflows: Save queries as runbooks. When the same problem returns, the fix is ready.

Core Queries for CloudTrail in Lnav

  • Find all failed AssumeRole attempts.
  • List every access from outside known IP ranges.
  • Track S3 object deletions by IAM user.
  • Detect new security group openings in real time.

Each query can run in seconds against locally loaded CloudTrail logs. Lnav’s syntax highlighting and timeline view make anomalies stand out without extra tooling. Combine filters and pivots to get precise answers before incidents spread.

Building Query Runbooks

  1. Define the event type. Narrow to critical actions—logins, policy changes, key rotation.
  2. Write the SQL query. Use Lnav’s log table format. Map JSON keys directly.
  3. Test and verify. Run against multiple CloudTrail datasets.
  4. Save in the runbook file. Add comments for context.
  5. Execute on demand. Keep the runbook with your operational tooling.
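The four queries listed under Core Queries, taken through steps 1 to 3 above (define the event type, write the query, test it against sample records), written out as an added example in Python over constructed CloudTrail JSON lines. This is not the page's own lnav runbook (that would be lnav's SQLite syntax against its log table); the record fields are the standard CloudTrail field names, while the sample records, the 10.0.0.0/8 known range and the sg-EXAMPLE0001 group id are constructed assumptions.

```python
from collections import Counter
import ipaddress
import json

# Constructed sample CloudTrail records (not real account data), trimmed to the fields the
# four queries read; the security group id is a placeholder and the known range is assumed.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "alice"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "10.0.0.5", "userIdentity": {"userName": "bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"userName": "bob"}, "requestParameters": {"bucketName": "prod-backups"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupId": "sg-EXAMPLE0001", "ipPermissions": {"items": [{"ipProtocol": "tcp",
         "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]]
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed VPC/office range
EVENTS = [json.loads(line) for line in SAMPLE_LINES if line.strip()]  # one JSON record per line

def failed_assume_role(events):  # query 1: AssumeRole calls that carry an errorCode (denied/failed)
    return [e for e in events if e.get("eventName") == "AssumeRole" and "errorCode" in e]

def outside_known_ranges(events, known=KNOWN_RANGES):  # query 2: source IP in no known range
    hits = []
    for e in events:
        try:
            ip = ipaddress.ip_address(e.get("sourceIPAddress", ""))
        except ValueError:  # AWS service principals log a DNS name here, not an IP; skip them
            continue
        if not any(ip in net for net in known):
            hits.append(e)
    return hits

def s3_deletions_by_user(events):  # query 3: count S3 Delete* calls per IAM user name
    return Counter(e.get("userIdentity", {}).get("userName", "unknown") for e in events
                   if e.get("eventSource") == "s3.amazonaws.com" and e.get("eventName", "").startswith("Delete"))

def world_open_ingress(events):  # query 4: successful ingress rules opened to 0.0.0.0/0
    hits = []
    for e in events:
        if e.get("eventName") != "AuthorizeSecurityGroupIngress" or "errorCode" in e:
            continue
        params = e.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
                hits.append((params.get("groupId"), perm.get("fromPort"), perm.get("toPort")))
    return hits
```

Each function is one runbook entry; once its output is confirmed on sample records like these, the same field logic carries over to the lnav SQL query you save in the runbook file.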

The real advantage: once you write a query runbook in Lnav for CloudTrail, you can hand it to anyone on the team and know they’ll get the same results. No fragile scripts, no dependency chains.

Complex AWS environments demand clarity. Lnav, paired with structured CloudTrail query runbooks, delivers it.

See exactly how these runbooks work, connect them to live CloudTrail logs, and get results in minutes—head to hoop.dev and watch it happen.