There's more...

In this recipe, we queried our logs from the console. We can also query logs from the CLI. The following are some of the important CLI commands for querying CloudTrail logs:

  • The aws cloudtrail lookup-events command can be used to query the 90-day event history that CloudTrail records automatically. A pagination token (NextToken) is returned in the output if there are more results than fit in one response.
  • We can limit the number of items that are returned by the aws cloudtrail lookup-events command by specifying the max-items option; for example, aws cloudtrail lookup-events --max-items 10.
  • We can specify a date range using the start-time and end-time parameters; for example, aws cloudtrail lookup-events --start-time 2019-01-12 --end-time 2019-10-12. We can also specify hours, minutes, and seconds with either of these parameters; for example, --start-time 2019-01-12T00:30:45.
  • We can use the lookup-attributes parameter to filter on a supported attribute key and its value; for example, aws cloudtrail lookup-events --lookup-attributes "AttributeKey=Username,AttributeValue=i-07d6614e1dec5e537".
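The commands above return JSON whose CloudTrailEvent field is itself a JSON document stored as a string, which trips up most first attempts at scripting against it. The following added example (not part of the original recipe) decodes one page of constructed lookup-events output, flattens each event, and counts failed calls per user as a quick triage signal; the event values and the pagination token are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample shaped like `aws cloudtrail lookup-events` JSON output.
# CloudTrailEvent is itself a JSON document stored as a string (decode twice).
SAMPLE_PAGE = json.dumps({
    "Events": [
        {"EventName": "StopInstances", "EventTime": "2019-01-12T00:30:45Z",
         "EventSource": "ec2.amazonaws.com", "Username": "alice",
         "Resources": [{"ResourceType": "AWS::EC2::Instance",
                        "ResourceName": "i-07d6614e1dec5e537"}],
         "CloudTrailEvent": json.dumps({
             "sourceIPAddress": "203.0.113.10",
             "errorCode": "Client.UnauthorizedOperation"})},
        {"EventName": "DescribeInstances", "EventTime": "2019-01-12T00:31:02Z",
         "EventSource": "ec2.amazonaws.com", "Username": "alice",
         "Resources": [],
         "CloudTrailEvent": json.dumps({"sourceIPAddress": "203.0.113.10"})},
        {"EventName": "ConsoleLogin", "EventTime": "2019-01-12T00:35:10Z",
         "EventSource": "signin.amazonaws.com", "Username": "bob",
         "Resources": [],
         "CloudTrailEvent": json.dumps({
             "sourceIPAddress": "198.51.100.7",
             "errorMessage": "Failed authentication"})},
    ],
    "NextToken": "constructed-pagination-token",
})


def parse_lookup_page(raw):
    """Flatten one page of lookup-events output; return (events, next_token)."""
    page = json.loads(raw)
    events = []
    for ev in page.get("Events", []):
        # Second decode: the nested record carries sourceIPAddress, errorCode, etc.
        detail = json.loads(ev.get("CloudTrailEvent") or "{}")
        events.append({
            "time": ev.get("EventTime"),
            "name": ev.get("EventName"),
            "user": ev.get("Username"),
            "ip": detail.get("sourceIPAddress"),
            "failed": "errorCode" in detail or "errorMessage" in detail,
            "resources": [r.get("ResourceName") for r in ev.get("Resources", [])],
        })
    # A non-None token means the page was truncated (e.g. by --max-items)
    # and the query must be repeated with that token to fetch the rest.
    return events, page.get("NextToken")


def failures_by_user(events):
    """Count failed calls per user, a cheap first triage signal."""
    return Counter(e["user"] for e in events if e["failed"])
```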

Let's go through some more important concepts related to CloudTrail logs:

  • CloudTrail helps us achieve event-driven security: the events it records can be analyzed and responded to automatically.
  • CloudTrail only records events that involve AWS API calls. Therefore, if an application running on an EC2 instance throws an error, it won't be captured. CloudWatch can be used for logging from applications on EC2 or from Lambda functions.
  • By default, a trail will record events in one region. However, we can configure a trail as a multi-region trail.
  • CloudTrail can integrate with other AWS services to provide additional security and compliance. These integrations include CloudWatch for raising alarms, GuardDuty for analyzing patterns, Macie to discover, classify, and protect sensitive data, and so on.
  • The current CloudTrail pricing model is as follows: the first copy of management events delivered in each region is free (S3 and Lambda data events are not covered by this free tier). Beyond the free tier, CloudTrail charges us for management events and data events.