Create Metric Filter for CloudWatch Log Group: AWS Certified DevOps Engineer Exam - DOP-C01

Metric Filter for CloudWatch Log Group: Apache Server HTTP Messages


Question

You are a DevOps engineer and you need to create a metric filter for a CloudWatch Log Group.

The log events are the HTTP messages returned from an Apache server.

For example:

Answers


A. B. C. D.

Correct Answer: B.

Option A is incorrect because the condition “status_code = 4*” should be used to match the 4xx status code in the HTTP log events.

Option B is CORRECT because for space-delimited events, you can use shorthand notation with an ellipsis (...) for the fields that you do not care about.

The pattern “[..., status_code = 4*, bytes]” checks whether the status code matches 4xx.

Option C is incorrect because to parse space-delimited events, the metric filter pattern has to specify the fields with a name, separated by commas, with the entire pattern enclosed in square brackets.

To add a condition to the status_code field, you need to modify the pattern to be like “[..., status_code = 4*, bytes]”.

Option D is incorrect because similar to option C, the condition in the status_code field is incorrect.

The correct filter pattern is “[ip, user, username, timestamp, request, status_code = 4*, bytes]” or “[..., status_code = 4*, bytes]”.
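The two correct patterns above can be checked against sample log lines with a small emulation of space-delimited matching. This is an added example, not AWS code or part of the original explanation: the matcher is a simplified sketch that assumes only `=` and `!=` conditions with `*` wildcards and a single ellipsis, and the log lines are constructed.

```python
import re
from fnmatch import fnmatchcase

# Constructed Apache access-log lines (sample data, not from the page).
SAMPLE_LINES = [
    '127.0.0.1 - frank [10/Oct/2000:13:25:15 -0700] "GET /apache_pb.gif HTTP/1.0" 200 1534',
    '127.0.0.1 - frank [10/Oct/2000:13:35:22 -0700] "GET /missing.gif HTTP/1.0" 404 308',
    '127.0.0.1 - - [10/Oct/2000:13:36:01 -0700] "GET /admin HTTP/1.0" 403 199',
    '127.0.0.1 - frank [10/Oct/2000:13:37:40 -0700] "GET /report HTTP/1.0" 500 87',
]

def split_fields(line):
    """Split on spaces, keeping [...] and "..." runs as single fields."""
    return re.findall(r'\[[^\]]*\]|"[^"]*"|\S+', line)

def parse_pattern(pattern):
    """Return a list of '...' markers and (name, op, value) tuples."""
    items = []
    for part in pattern.strip()[1:-1].split(","):
        part = part.strip()
        if part == "...":
            items.append("...")
            continue
        m = re.fullmatch(r"(\w+)\s*(?:(!=|=)\s*(\S+))?", part)
        if not m:
            raise ValueError(f"unsupported pattern item: {part!r}")
        items.append(m.groups())
    if items.count("...") > 1:
        raise ValueError("this sketch handles a single ellipsis only")
    return items

def matches(pattern, line):
    """True if the log line satisfies the space-delimited filter pattern."""
    items, fields = parse_pattern(pattern), split_fields(line)
    if "..." in items:
        # The ellipsis stands in for however many fields are not named.
        i = items.index("...")
        pad = len(fields) - (len(items) - 1)
        items = items[:i] + [("_", None, None)] * pad + items[i + 1:]
    if len(items) != len(fields):
        return False
    for (name, op, value), field in zip(items, fields):
        if op is not None and fnmatchcase(field, value) != (op == "="):
            return False
    return True

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(matches("[..., status_code = 4*, bytes]", line), line)
```

Both the fully named pattern and the ellipsis form select the same two 4xx lines; the 200 and 500 lines are not counted.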

Reference:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Counting404Responses.html

To create a metric filter for a CloudWatch Log Group that contains HTTP messages returned from an Apache server, we need to choose the fields that will be used as dimensions and the values that will be used to filter the log events.

Option A [ip, user, username, timestamp, request, status_code like 4xx, bytes] includes all the fields mentioned in the log events and filters the events based on status_code values that start with 4 and have any two digits after that. This option provides detailed information about each log event, including the user and the request, but it may generate a large number of metrics.

Option B [..., status_code = 4*, bytes] filters the log events based on the status_code values that start with 4, and it also includes the bytes field as a dimension. This option provides less detailed information about each log event than Option A, but it may generate fewer metrics.

Option C [..., 4xx, bytes] only includes the status_code values that start with 4 and the bytes field as dimensions. This option provides the least amount of information about each log event, but it generates the fewest number of metrics.

Option D [ip, user, username, timestamp, request, 4**, bytes] includes all the fields mentioned in the log events and filters the events based on status_code values that start with 4 and have any number of digits after that. This option provides detailed information about each log event, including the user and the request, but it may generate a large number of metrics.

In conclusion, the best option depends on the desired level of detail and the number of metrics that can be generated. Option A provides the most detailed information, while Option C generates the fewest metrics. Option B and Option D provide a balance between detail and the number of generated metrics.