Skip to main content

Ingest AWS CloudTrail Data into Cloud SIEM

Sumo Logic Cloud SIEM supports the default AWS CloudTrail log format which includes all version 2 fields. See AWS CloudTrail log records documentation for more details.

To ingest AWS CloudTrail data into Cloud SIEM:

  1. Unless you’ve already done so, Configure CloudTrail in AWS.
  2. Before configuring collection, you need to grant Sumo Logic permission to access your AWS data. For more information, see Grant Access to an AWS Product.
  3. Configure an AWS CloudTrail source on a collector. When you configure the source, do the following:
    1. Click the +Add Field link, and add a field whose name is _siemForward and value is true. This will ensure all logs for this source are forwarded to Cloud SIEM.
    2. Add another field named _parser with value /Parsers/System/AWS/CloudTrail. This ensures that the CloudTrail logs are parsed and normalized into structured records in Cloud SIEM.
  4. To verify that your logs are successfully making it into Cloud SIEM. 
    1. Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings.
    2. On the Log Mappings tab search for "CloudTrail" and check the Records columns.
    3. For a more granular look at the incoming records, you can also search the Sumo Logic platform for CloudTrail security records:
      _index=sec_record* and metadata_product = "CloudTrail"
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2025 by Sumo Logic, Inc.