
Getting CloudTrail Logs into Logstash

I am trying to get logs from CloudTrail into ElasticSearch so that we can see what is going on in our AWS account better.

I have set up both Logstash and ElasticSearch on my machine (Ubuntu 14.04), and can push text from stdin to ElasticSearch. However when I try to use the S3 input nothing is added to ElasticSearch.

Here is the conf file I'm using; I have removed my Amazon keys.

input {
  s3 {
    bucket => 'ko-cloudtrail-log-bucket'
    secret_access_key => ''
    access_key_id => ''
    delete => false
    interval => '60'
    region => 'eu-west-1'
    type => 'CloudTrail'
    codec => cloudtrail {}
  }
}

output {
  stdout {}
  elasticsearch {
    host => '127.0.0.1'
  }
}

I have installed the logstash-codec-cloudtrail codec, but the documentation is pretty sparse.

I get no errors in my terminal even when running Logstash with -v, and nothing is printed to stdout. Is there something I am missing?

user1810626 asked Sep 29 '22 04:09



1 Answer

Here's my cloudtrail input. It works great, with one minor issue: it duplicates records. As the prefix indicates, I put the CloudTrail logs at s3://bucketname/cloudtrail, not at the root.

The mutations are optional. The eventSource mutation is to make the logs a little more readable, and the ruby ingest_time gives me the date the record showed up in ELK; otherwise it only has the time of the event. Finally, I drop a very common record that just adds noise to my system.

input {
  s3 {
    bucket => "bucketname"
    delete => false
    interval => 60 # seconds
    prefix => "cloudtrail/"
    type => "cloudtrail"
    codec => "cloudtrail"
    credentials => "/etc/logstash/s3_credentials.ini"
    sincedb_path => "/opt/logstash_cloudtrail/sincedb"
  }
}

filter {
  if [type] == "cloudtrail" {
    mutate {
      # "ec2.amazonaws.com" -> "ec2"
      gsub => [ "eventSource", "\.amazonaws\.com$", "" ]
      # eventID is CloudTrail's per-record unique id
      add_field => {
        "document_id" => "%{eventID}"
      }
    }
    if ![ingest_time] {
      ruby {
        # event[...] is the pre-5.x event API; Logstash 5+ uses event.set('ingest_time', ...)
        code => "event['ingest_time'] = Time.now.utc.strftime '%FT%TZ'"
      }
    }

    # userName is nested under userIdentity, so the field reference is [userIdentity][userName]
    if [eventSource] == "elasticloadbalancing" and [eventName] == "describeInstanceHealth" and [userIdentity][userName] == "secret_username" {
      drop {}
    }
  }
}

The credentials.ini format is explained on the s3 input page; it's just this:

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
tedder42 answered Oct 06 '22 20:10
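As an added example, not part of the answer above or of Logstash itself: this Ruby replicates what the cloudtrail codec plus the answer's filter block do to one CloudTrail delivery file, then keeps a single copy per document_id, so the filter logic and the duplicate handling can be checked offline before the s3 input is pointed at a real bucket. The sample records, the `filter_record`/`process_delivery` helpers and the dedup step are assumptions of this example.

```ruby
require 'json'

# Constructed sample in CloudTrail's delivery-file shape ({"Records": [...]}); field
# names follow the CloudTrail schema, values are made up. The third record is a
# redelivered copy of the first, the kind of duplicate the answer mentions.
SAMPLE_DELIVERY = {
  'Records' => [
    { 'eventID' => 'id-1', 'eventSource' => 'ec2.amazonaws.com', 'eventName' => 'RunInstances',
      'eventTime' => '2022-09-29T04:09:00Z',
      'userIdentity' => { 'type' => 'IAMUser', 'userName' => 'alice' } },
    { 'eventID' => 'id-2', 'eventSource' => 'elasticloadbalancing.amazonaws.com',
      'eventName' => 'describeInstanceHealth', 'eventTime' => '2022-09-29T04:10:00Z',
      'userIdentity' => { 'type' => 'IAMUser', 'userName' => 'secret_username' } },
    { 'eventID' => 'id-1', 'eventSource' => 'ec2.amazonaws.com', 'eventName' => 'RunInstances',
      'eventTime' => '2022-09-29T04:09:00Z',
      'userIdentity' => { 'type' => 'IAMUser', 'userName' => 'alice' } }
  ]
}.to_json

# Same steps as the answer's filter block, applied to one record (a Hash).
# Returns nil for the record the answer drops as noise.
def filter_record(rec, now = Time.now.utc)
  rec = rec.dup
  rec['eventSource'] = rec['eventSource'].to_s.sub(/\.amazonaws\.com$/, '')  # gsub
  rec['document_id'] = rec['eventID']                                         # add_field
  rec['ingest_time'] ||= now.strftime('%FT%TZ')                               # ruby filter
  noisy = rec['eventSource'] == 'elasticloadbalancing' &&
          rec['eventName'] == 'describeInstanceHealth' &&
          rec.dig('userIdentity', 'userName') == 'secret_username'
  noisy ? nil : rec                                                           # drop {}
end

# Splits a delivery file into events (what the cloudtrail codec does), filters
# each one, and keeps a single copy per document_id, so the redelivered record
# collapses into one document instead of the duplicates the answer sees.
def process_delivery(json, now = Time.now.utc)
  JSON.parse(json).fetch('Records', []).each_with_object({}) do |rec, seen|
    out = filter_record(rec, now)
    seen[out['document_id']] ||= out if out
  end.values
end

if __FILE__ == $PROGRAM_NAME
  process_delivery(SAMPLE_DELIVERY).each { |e| puts e.to_json }
end
```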