AWS AmazonCloudWatch documentation change
Summary
Clarified that original log events are stored in '@original_message' system field when 'include_original' is enabled.
Security assessment
Improves audit/compliance documentation by specifying exact field name for original logs. Enhances security forensics capabilities but doesn't fix vulnerabilities.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/pipeline-sinks.md b/AmazonCloudWatch/latest/monitoring/pipeline-sinks.md index 386591326..b9083a06e 100644 --- a//AmazonCloudWatch/latest/monitoring/pipeline-sinks.md +++ b//AmazonCloudWatch/latest/monitoring/pipeline-sinks.md @@ -47 +47 @@ The name of the CloudWatch Logs log group where processed events will be sent. F -When present, stores a copy of each raw log event before any transformation takes place. This preserves the original data for audit or compliance purposes. Specify as an empty object (`{}`). Available only for pipelines with `cloudwatch_logs` sources. At least one processor must be configured when this option is enabled. +When present, stores a copy of each raw log event before any transformation takes place in the `@original_message` system field of the event. This preserves the original data for audit or compliance purposes. Specify as an empty object (`{}`). Available only for pipelines with `cloudwatch_logs` sources. At least one processor must be configured when this option is enabled. @@ -94 +94 @@ For pipelines using the `cloudwatch_logs` source type: - * Pipelines with processors mutate the log events in the original CloudWatch log group they are intercepted from for logs from AWS services. To preserve the original data, enable `include_original` in the sink configuration. + * Pipelines with processors mutate the log events in the original CloudWatch log group they are intercepted from for logs from AWS services. To preserve the original data, enable `include_original` in the sink configuration. The original log copy is stored in the `@original_message` system field of the event.