Log Collection AWS: References - AWS (CloudTrail) Collection Configuration Parameters

Document created by RSA Information Design and Development on Jul 29, 2016
 

This topic describes the AWS (CloudTrail) event source configuration parameters.

To access the AWS Collection Configuration Parameters:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select Plugins/Config from the drop-down menu.


The Plugins/Config view in the Event Sources tab has two panels: Event Categories and Sources.

Event Categories Panel

In the Event Categories panel, you can add or delete AWS (CloudTrail) event source types.

                           
Add icon
    Displays the Available Event Source Types dialog, from which you select the event source type for which you want to define parameters.

Delete icon
    Deletes the selected event source types from the Event Categories panel.

Check box
    Selects event source types.

Name
    Displays the name of the event source types that you have added.

Available Event Sources Types Dialog

The Available Event Source Types dialog displays the list of supported event source types.

                   
Check box
    Selects the event source type that you want to add.

Name
    Displays the event source types that are available to add.

Cancel
    Closes the dialog without adding an event source type.

OK
    Adds the selected event source type to the Event Categories panel.

Sources Panel

The AWS (CloudTrail) Sources panel displays a list of existing AWS (CloudTrail) event sources. Use this panel to add or delete event sources and their associated communication parameters.

Toolbar

The following table provides descriptions of the toolbar options.

                                    
Add icon
    Displays the Add Source dialog in which you define the parameters for an AWS (CloudTrail) host.

Delete icon
    Deletes the host that you selected.

Edit icon
    Opens the Edit Source dialog in which you edit the parameters for the selected AWS (CloudTrail) event source.

    Select multiple event sources and click the Edit icon to open the Bulk Edit Source dialog in which you can edit the parameter values for the selected event sources.

    Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.

Import Source icon
    Opens the Bulk Add Option dialog in which you can import AWS (CloudTrail) hosts in bulk from a comma-separated values (CSV) file.

    Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.

Export Source icon
    Creates a .csv file that contains the parameters for the selected AWS (CloudTrail) hosts.

    Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.

Test Connection icon
    Validates the configuration parameters for the selected AWS (CloudTrail) hosts.

    Refer to Test Event Source Connections in Bulk for detailed steps on how to use this function.

Add or Edit Source Dialog

The Add Source dialog and the Edit Source dialog contain the same parameters. The Test Connection button validates the connection to the event source address using the parameters you entered.

                                                                                  
Basic parameters

Name *
    Name of the event source.

Enabled (check box)
    Select the check box to enable the event source configuration to start collection. The check box is selected by default.

Account Id *
    Account identification code of the AWS account that owns the S3 bucket.

S3 Bucket Name *
    Name of the AWS (CloudTrail) S3 bucket.

    Amazon S3 bucket names are globally unique, regardless of the AWS region in which you create the bucket. You specify the name at the time you create the bucket.

    Bucket names should comply with DNS naming conventions. The rules for DNS-compliant bucket names are:

      • Bucket names must be at least three and no more than 63 characters long.
      • Bucket names must be a series of one or more labels. Adjacent labels are separated by a single period ".". Bucket names can contain lowercase letters, numbers, and hyphens. Each label must start and end with a lowercase letter or a number.
      • Bucket names must not be formatted as an IP address (for example, 192.168.5.4).

    The following examples are valid bucket names:

      • myawsbucket
      • my.aws.bucket
      • myawsbucket.1

    The following examples are invalid bucket names:

      • .myawsbucket - Do not start a bucket name with a period ".".
      • myawsbucket. - Do not end a bucket name with a period ".".
      • my..examplebucket - Use only one period between labels.

Access Key *
    Key used to access the S3 bucket. Access keys are used to make secure REST or Query protocol requests to any AWS service API. Refer to Manage User Credentials on the Amazon Web Services support site for more information on access keys.

Secret Key *
    Secret key used to access the S3 bucket.

Region *
    Region of the S3 bucket. us-east-1 is the default value.

Start Date *
    Date and time at which AWS (CloudTrail) collection starts the first time the event source is collected.

Log File Prefix
    Prefix of the files to be processed.

    Note: If you set a prefix when you set up your CloudTrail service, make sure to enter the same prefix in this parameter.
Advanced parameters

Debug
    Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

    Enables or disables debug logging for the event source.

    Valid values are:

      • Off = (default) disabled
      • On = enabled
      • Verbose = enabled in verbose mode; adds thread information and source context information to the messages.

    This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources for which it is enabled to minimize the performance impact.

    If you change this value, the change takes effect immediately (no restart required).

Command Args
    Arguments added to the script.

Polling Interval
    Interval (amount of time in seconds) between each poll. The default value is 60.

    For example, if you specify 60, the collector schedules a poll of the event source every 60 seconds. If the previous polling cycle is still underway, the collector waits for that cycle to finish. If you are polling a large number of event sources, it may take longer than 60 seconds for a poll to start because the threads are busy.

SSL Enabled (check box)
    Select the check box to communicate using SSL. The security of data transmission is managed by encrypting information and providing authentication with SSL certificates.

    The check box is selected by default.

Test Connection
    Validates that the configuration parameters specified in this dialog are correct. For example, this test validates that:

      • Security Analytics can connect to the S3 bucket in AWS using the credentials specified in this dialog.
      • Security Analytics can download a log file from the bucket (the test would fail if the entire bucket contained no log files, but this is extremely unlikely).

Cancel
    Closes the dialog without adding the AWS (CloudTrail) event source.

OK
    Adds the current parameter values as a new AWS (CloudTrail) event source.
