Unable to send cloudwatch logs to loggly using a blueprint lambda - Invalid ciphertext

DevOps Asked by joshk132 on August 22, 2021

I am trying to use the Loggly Lambda blueprint to send CloudWatch logs to Loggly. I am doing this because I have a bunch of Lambdas and I need a single point for viewing their logs. I’ve followed this guide and have run into an issue when I check the Lambda logs after a test.

Command used to create the ciphertext:

aws kms encrypt --key-id alias/logglyCustomerToken --plaintext "<my token>"

The KMS key was created as symmetric with default settings. I can’t delete the key to try again, or at least I don’t know how to delete it, and I’m thinking I shouldn’t change the code to match a new one.

Lambda log message from the failed test:

INFO    InvalidCiphertextException: null
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'InvalidCiphertextException',
  time: 2020-07-08T02:48:55.536Z,
  requestId: 'cf0df165-5a59-4db0-beef-5d1ae3619c37',
  statusCode: 400,
  retryable: false,
  retryDelay: 79.27899980360486

One Answer

Follow these steps to fix InvalidCiphertextException:

  1. Open the Lambda function in AWS console.

  2. Scroll down to the Environment Variables section & click Edit.

  3. Delete the value of kmsEncryptedCustomerToken & replace it with the customer token you got from https://<your-company> The token looks like this: 72cf6d64-256e-449d-aabd-49e1f422ed58.

  4. Expand the Encryption Configuration section at the bottom.

  5. Select Enable helpers for encryption in transit.

  6. Click the Encrypt button that appears next to kmsEncryptedCustomerToken.

  7. Select the logglyCustomerToken KMS key (CMK) & Encrypt.

  8. Finally, Save the environment variables.

The Lambda function test should succeed now. If you face any other issues or need a complete end-to-end screenshot-guided tutorial for the entire process of sending CloudWatch Logs to Loggly, please see my blog post.

Correct answer by Harish KM on August 22, 2021
