Figure out how to collect CloudTrail logs using the Elastic Agent (aws-s3 input) #79
### Overview

Here is the overview of the solution.

(Architecture diagram)

### Steps

Here are the required steps to implement the solution.
#### Create an SQS queue

We need an SQS queue where we will send the S3 object creation notifications for the

Create a new SQS queue named

```shell
$ aws sqs create-queue --queue-name mbranca-cloudtrail-logs-notifications-queue
{
  "QueueUrl": "https://sqs.eu-west-1.amazonaws.com/123/mbranca-cloudtrail-logs-notifications-queue"
}
```
#### Allow the S3 service to publish messages to the SQS queue

Allow S3 to send object creation notifications from

```shell
$ cat policy.json
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-1:123:mbranca-cloudtrail-logs-notifications-queue"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:eu-west-1:123:mbranca-cloudtrail-logs-notifications-queue"
    }
  ]
}
```

Set the SQS access policy:

- Visit Amazon SQS > Queues > mbranca-cloudtrail-logs-notifications-queue > Access policy > Access policy (Permissions)
- Edit, paste the content of `policy.json`, and save.
#### Set up the S3 bucket to send notifications to an SQS queue

The S3 bucket will notify the SQS queue whenever any

```shell
# Enable notifications
$ cat notifications.json
{
  "QueueConfigurations": [
    {
      "Id": "Creations",
      "QueueArn": "arn:aws:sqs:eu-west-1:123:mbranca-cloudtrail-logs-notifications-queue",
      "Events": [
        "s3:ObjectCreated:*"
      ],
      "Filter": {
        "Key": {
          "FilterRules": [
            {
              "Name": "Prefix",
              "Value": ""
            },
            {
              "Name": "Suffix",
              "Value": ""
            }
          ]
        }
      }
    }
  ]
}
$ aws s3api put-bucket-notification-configuration \
    --bucket aws-cloudtrail-logs-1234-2761c2fa \
    --notification-configuration file://notifications.json
```
#### Checkpoint

After this step, visit the AWS console and click on "Poll for messages" and you should be able to see a few messages with notifications sent from S3. Here's a sample notification:

```json
{
  "Records": [
    {
      "eventVersion": "2.1",
      "eventSource": "aws:s3",
      "awsRegion": "eu-west-1",
      "eventTime": "2024-03-03T12:17:09.882Z",
      "eventName": "ObjectCreated:Put",
      "userIdentity": {
        "principalId": "<redacted>"
      },
      "requestParameters": {
        "sourceIPAddress": "<redacted>"
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "Creations",
        "bucket": {
          "name": "aws-cloudtrail-logs-1234-2761c2fa",
          "ownerIdentity": {
            "principalId": "<redacted>"
          },
          "arn": "arn:aws:s3:::aws-cloudtrail-logs-1234-2761c2fa"
        },
        "object": {
          "key": "AWSLogs/<redacted>/CloudTrail/eu-west-1/2024/03/03/<redacted>_CloudTrail_eu-west-1_20240303T1215Z_wf92tb6UZ23lB814.json.gz",
          "size": 1206,
          "eTag": "f19ba3a4761c6598231c456bdb698d80",
          "sequencer": "0065E46A45D5F39177"
        }
      }
    }
  ]
}
```
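An added check, not part of the issue or of the Elastic Agent: the Service-principal statement in `policy.json` grants `SQS:SendMessage` to S3 as a whole, with no `aws:SourceArn` / `aws:SourceAccount` condition, so any bucket that is configured to notify this queue can do so. The script flags that and returns a copy of the policy pinned to the bucket ARN and account id the issue uses (the account id "123" is the issue's own placeholder).

```python
import copy

# Values from the issue's own commands; the account id "123" is the issue's placeholder.
ACCOUNT_ID = "123"
QUEUE_ARN = "arn:aws:sqs:eu-west-1:123:mbranca-cloudtrail-logs-notifications-queue"
BUCKET_ARN = "arn:aws:s3:::aws-cloudtrail-logs-1234-2761c2fa"

# The S3 -> SQS grant as posted in the issue: no condition on which bucket may send.
POSTED_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "__owner_statement", "Effect": "Allow", "Action": "SQS:*",
     "Principal": {"AWS": "arn:aws:iam::123:root"}, "Resource": QUEUE_ARN},
    {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "SQS:SendMessage", "Resource": QUEUE_ARN}]}


def s3_statements(policy):
    """Yield Allow statements whose principal is the S3 service."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if st.get("Effect") == "Allow" and "s3.amazonaws.com" in services:
            yield st


def source_arn_of(statement):
    """Return the aws:SourceArn the statement's Condition pins, or None."""
    cond = statement.get("Condition", {})
    return next((cond[op]["aws:SourceArn"] for op in ("ArnEquals", "ArnLike", "StringEquals")
                 if "aws:SourceArn" in cond.get(op, {})), None)


def find_issues(policy, queue_arn, bucket_arn):
    """List how each S3 grant is broader than 'this bucket may send to this queue'."""
    issues = []
    for st in s3_statements(policy):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Resource") != queue_arn:
            issues.append(f"{sid}: Resource should be the queue ARN {queue_arn}")
        if source_arn_of(st) != bucket_arn:
            issues.append(f"{sid}: no aws:SourceArn condition limiting the sender to {bucket_arn}")
    return issues


def harden(policy, queue_arn, bucket_arn, account_id):
    """Return a copy of the policy with every S3 grant scoped to the bucket and its account."""
    fixed = copy.deepcopy(policy)
    for st in s3_statements(fixed):
        st["Resource"] = queue_arn
        cond = st.setdefault("Condition", {})
        cond.setdefault("ArnEquals", {})["aws:SourceArn"] = bucket_arn
        cond.setdefault("StringEquals", {})["aws:SourceAccount"] = account_id
    return fixed
```

`harden(POSTED_POLICY, QUEUE_ARN, BUCKET_ARN, ACCOUNT_ID)` yields the policy to paste into the queue's access policy instead of the posted one; `find_issues` on the result returns an empty list.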
I want to collect CloudTrail logs from a bucket named `aws-cloudtrail-logs-1234-2761c2fa` using the Elastic Agent, and send them to Elasticsearch.