Lnav CloudTrail Query Runbooks

The CloudTrail logs waited, heavy with detail and patterns you couldn’t see yet. You open Lnav, and now the hunt begins.

Lnav CloudTrail Query Runbooks are the fastest way to move from raw AWS event data to clear, actionable intelligence. CloudTrail records every API call in your AWS account, but without a framework for running precise queries, it’s just a pile of JSON lines. Lnav solves this with interactive log navigation, advanced search, and real-time filtering. Runbooks give you repeatable workflows for turning queries into decisions.

Why Lnav for CloudTrail

  • Instant context: Lnav combines multiple logs, parses timestamps, and aligns events so investigations move fast.
  • SQL power: Query CloudTrail directly with SQLite syntax inside Lnav. No export step, no external database.
  • Replayable workflows: Save queries as runbooks. When the same problem returns, the fix is ready.

Core Queries for CloudTrail in Lnav

  • Find all failed AssumeRole attempts.
  • List every access from outside known IP ranges.
  • Track S3 object deletions by IAM user.
  • Detect new security group openings in real time.

Each query can run in seconds against locally loaded CloudTrail logs. Lnav’s syntax highlighting and timeline view make anomalies stand out without extra tooling. Combine filters and pivots to get precise answers before incidents spread.

Building Query Runbooks

  1. Define the event type. Narrow to critical actions—logins, policy changes, key rotation.
  2. Write the SQL query. Use Lnav’s log table format. Map JSON keys directly.
  3. Test and verify. Run against multiple CloudTrail datasets.
  4. Save in the runbook file. Add comments for context.
  5. Execute on demand. Keep the runbook with your operational tooling.
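The four core queries listed above, carried through as one runbook in plain SQLite rather than inside Lnav's own log table (an added example, not code from the page or from hoop.dev); it assumes a small set of constructed CloudTrail-style records, a made-up corporate IP range, and flattens only the JSON keys the queries need.

```python
import ipaddress
import json
import sqlite3

# Constructed CloudTrail-style records for illustration (not real account data).
ACCT = "arn:aws:iam::111122223333:user/"
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "errorCode": "AccessDenied",
     "userIdentity": {"arn": ACCT + "alice"}, "sourceIPAddress": "203.0.113.7"},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"arn": ACCT + "bob"}, "sourceIPAddress": "10.0.1.5"},
    {"eventName": "DeleteObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": ACCT + "alice"}, "sourceIPAddress": "10.0.1.9",
     "requestParameters": {"bucketName": "finance-reports", "key": "q3.xlsx"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": ACCT + "bob"}, "sourceIPAddress": "198.51.100.20",
     "requestParameters": {"groupId": "sg-0123", "cidrIp": "0.0.0.0/0", "fromPort": 22}},
]
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range

def load(events):
    """Map the CloudTrail JSON keys the runbook needs onto an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cloudtrail (eventName, eventSource, errorCode, userArn, sourceIP, params)")
    db.executemany("INSERT INTO cloudtrail VALUES (?,?,?,?,?,?)", [
        (e["eventName"], e["eventSource"], e.get("errorCode"), e["userIdentity"]["arn"],
         e["sourceIPAddress"], json.dumps(e.get("requestParameters", {}))) for e in events])
    return db

def failed_assume_role(db):
    # Query 1: AssumeRole calls that CloudTrail recorded with an errorCode.
    return db.execute("SELECT userArn, sourceIP FROM cloudtrail "
                      "WHERE eventName = 'AssumeRole' AND errorCode IS NOT NULL").fetchall()

def outside_known_ranges(db):
    # Query 2: distinct (sourceIP, user) pairs whose address is not in a known range.
    rows = db.execute("SELECT DISTINCT sourceIP, userArn FROM cloudtrail").fetchall()
    return [r for r in rows if not any(ipaddress.ip_address(r[0]) in n for n in KNOWN_RANGES)]

def s3_deletes_by_user(db):
    # Query 3: count S3 Delete* events per IAM identity.
    return db.execute("SELECT userArn, COUNT(*) FROM cloudtrail WHERE eventSource = 's3.amazonaws.com' "
                      "AND eventName LIKE 'Delete%' GROUP BY userArn").fetchall()

def world_open_sg_rules(db):
    # Query 4: ingress rules authorized for 0.0.0.0/0 (the request parameters are stored as JSON text).
    return db.execute("SELECT userArn, params FROM cloudtrail WHERE eventName = 'AuthorizeSecurityGroupIngress' "
                      "AND params LIKE '%0.0.0.0/0%'").fetchall()
```

Each function returns rows rather than printing them, so the same queries can be saved as a runbook and re-run unchanged against a fresh CloudTrail export.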

The real advantage: once you write a query runbook in Lnav for CloudTrail, you can hand it to anyone on the team and know they’ll get the same results. No fragile scripts, no dependency chains.

Complex AWS environments demand clarity. Lnav, paired with structured CloudTrail query runbooks, delivers it straight and unbroken.

See exactly how these runbooks work, connect them to live CloudTrail logs, and get results in minutes—head to hoop.dev and watch it happen.