Skip to main content

AWS CloudTrail - Cloud SIEM

This section has instructions for collecting AWS CloudTrail log messages and sending them to Sumo Logic to be ingested by Cloud SIEM.

Sumo Logic Cloud SIEM supports the default AWS CloudTrail log format which includes all version 2 fields. See AWS CloudTrail log records documentation for more details.

Step 1: Enable AWS CloudTrail logs​

In this step, you configure AWS CloudTrail logging in AWS as described in AWS Help.

  1. Unless you’ve already done so, Configure CloudTrail in AWS.
  2. Before configuring collection, you need to grant Sumo Logic permission to access your AWS data. For more information, see Grant Access to an AWS Product.

Step 2: Configure collection​

In this step, you configure an HTTP Source to collect AWS CloudTrail log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure an AWS CloudTrail Source below. Otherwise, create a new collector as described in Configure a hosted collector below, and then create the HTTP Source on the collector.

Configure a Hosted Collector​

  1. To create a new hosted collector, see Configure a Hosted Collector. 
  2. Fields. 
    1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
    2. If all sources in this collector will be AWS CloudTrail sources, add an additional field with key _parser and value /Parsers/System/AWS/CloudTrail.
note

It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.

Configure an AWS CloudTrail Source​

  1. To configure a CloudTrail Source, see Configure an AWS CloudTrail source.
  2. Configure fields as shown below to forward CloudTrail logs to the Cloud SIEM platform.
    1. If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true. This will ensure all logs for this source are forwarded to Cloud SIEM.
    2. Add another field named _parser with value /Parsers/System/AWS/CloudTrail.
  3. Click Save.

Step 3: Verify ingestion​

In this step, you verify that your logs are successfully making it into Cloud SIEM. 

  1. Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
    New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings.
  2. On the Log Mappings page search for "CloudTrail" and check under Record Volume.
    CloudTrail record volume
  3. For a more granular look at the incoming records, you can also search the Sumo Logic platform for CloudTrail security records.
    CloudTrail search
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.