Log Collection AWS: The Basics

Document created by RSA Information Design and Development on Jul 29, 2016

The Log Collector service collects events from Amazon Web Services (AWS) CloudTrail. CloudTrail records the AWS API calls made for an account. Each event contains the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. The AWS API call history provided by CloudTrail events enables security analysis, resource change tracking, and compliance auditing. CloudTrail uses Amazon S3 for log file storage and delivery. Security Analytics copies the log files from the S3 bucket and sends the events contained in the files to the Log Collector.
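The following Python script is an added example, not RSA's code, showing the shape of the data the collector handles: a CloudTrail delivery file is gzip-compressed JSON with a top-level "Records" array, and each record carries the caller identity, time, source IP, request parameters and response elements named above. The sample record, the account ID, the ARN and the event ID are constructed placeholders; the field names are the standard CloudTrail record fields.

```python
"""Parse a CloudTrail log file in the form it is stored in S3 (gzip-compressed JSON).

Added example, not RSA's or AWS's code. The sample record below is constructed;
the account id, ARN and event id are placeholders.
"""
import gzip
import io
import json
from datetime import datetime, timezone

# Constructed sample: one CloudTrail delivery file holding a single record.
SAMPLE_RECORDS = {
    "Records": [
        {
            "eventVersion": "1.05",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "EXAMPLEPRINCIPALID",
                "arn": "arn:aws:iam::123456789012:user/example-user",
                "accountId": "123456789012",
                "userName": "example-user",
            },
            "eventTime": "2016-07-29T12:34:56Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutBucketPolicy",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "192.0.2.10",
            "userAgent": "aws-cli/1.10.0",
            "requestParameters": {"bucketName": "example-bucket"},
            "responseElements": None,
            "eventID": "00000000-0000-0000-0000-000000000000",
            "eventType": "AwsApiCall",
        }
    ]
}


def build_gzipped_file(records: dict) -> bytes:
    """Produce bytes in the same form as a CloudTrail object in S3: gzip-compressed JSON."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(records).encode("utf-8"))
    return buf.getvalue()


def parse_cloudtrail_file(data: bytes) -> list:
    """Decompress a CloudTrail log file and return one normalised dict per record.

    Each event keeps the fields the text lists as the content of a CloudTrail
    record (caller identity, time of the call, source IP, request parameters,
    response elements) plus the API name so the event is meaningful on its own.
    """
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        doc = json.loads(gz.read().decode("utf-8"))
    events = []
    for rec in doc.get("Records", []):
        identity = rec.get("userIdentity") or {}
        events.append({
            "event_id": rec.get("eventID"),
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "caller_type": identity.get("type"),
            "caller_arn": identity.get("arn"),
            "caller_name": identity.get("userName"),
            "account_id": identity.get("accountId"),
            "source_ip": rec.get("sourceIPAddress"),
            "api": f'{rec.get("eventSource")}:{rec.get("eventName")}',
            "region": rec.get("awsRegion"),
            # Both fields may be null or absent: CloudTrail omits them for some APIs,
            # so normalise to an empty dict rather than passing None downstream.
            "request_parameters": rec.get("requestParameters") or {},
            "response_elements": rec.get("responseElements") or {},
        })
    return events


if __name__ == "__main__":
    for ev in parse_cloudtrail_file(build_gzipped_file(SAMPLE_RECORDS)):
        print(ev["time"].isoformat(), ev["caller_arn"], ev["source_ip"], ev["api"])
```

The null handling on requestParameters and responseElements matters in practice: a collector that assumes both are always objects will drop or mis-parse the records for API calls that carry no response body, which are exactly the ones an analyst often wants to see.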

Deployment Scenario

The following figure illustrates how you deploy the AWS (CloudTrail) Collection Protocol in Security Analytics.

AWS_Deployment.png

Configure AWS (CloudTrail) Collection Protocol in Security Analytics

You configure the Log Collector to use AWS (CloudTrail) collection for an event source in the Event Sources tab of the Log Collector parameter view. The following procedure explains the basic workflow for configuring an event source for AWS (CloudTrail) Collection in Security Analytics. Please refer to:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Collection service.
  3. Click AdvcdExpandBtn.PNG under Actions and select View > Config to display the Log Collection configuration parameter tabs.
    ConfigAWSProtocol1.png
  4. Click the Event Sources tab.
  5. Select Plugins as the collection protocol and select Config.
  6. Click Icon-Add.png and select cloudtrail as the event source category.
    The event source category is part of the content you downloaded from LIVE.
    ConfigAWSProtocol2.png
  7. Select the AWS (CloudTrail) category and click Icon-Add.png.
    ConfigAWSProtocol3.png
  8. Specify the basic parameters required for the AWS (CloudTrail) event source.
  9. Click AdvcdExpandBtn.PNG and specify additional parameters that enhance how the AWS (CloudTrail) protocol handles event collection for the event source.

Configure Event Sources to Use AWS (CloudTrail) Collection Protocol

You need to configure each event source that uses the AWS (CloudTrail) Collection protocol to communicate with Security Analytics (see Step 2: Configure AWS (CloudTrail) Event Sources to Send Events to Security Analytics).
