
Collect Logs for the AWS CloudTrail App

This page has instructions for configuring log collection for the AWS CloudTrail app. 

To configure an AWS CloudTrail Source, perform these steps:

  1. Configure CloudTrail in your AWS account.
  2. Confirm that logs are being delivered to the Amazon S3 bucket.
  3. Add an AWS CloudTrail Source to Sumo Logic.
  4. Grant Sumo Logic access to the Amazon S3 bucket:
  • Generate the Role-Based Access CloudFormation template in Sumo Logic and download the template.
  • Create the CloudFormation stack in the AWS Management Console using the template.
  • Copy the Role ARN from the Outputs tab and paste it into the Role ARN field of the Sumo Logic CloudTrail Source created in step 3. For more information, refer to Configuring your AWS source with CloudFormation.
  5. Enable Sumo to track AWS Admin activity. This step is optional, but if you skip it, the administrator activity panels in the AWS CloudTrail - User Monitoring dashboard won't be populated.
  6. Install the Sumo Logic App for AWS CloudTrail.

Sample Log Message

{  
   "eventVersion":"1.01",
   "userIdentity":{  
      "type":"IAMUser",
      "principalId":"AIDAJ6IGVQ4XQZQDAYEOA",
      "arn":"arn:aws:iam::956882708938:user/Olaf",
      "accountId":"956882708938",
      "userName":"system"
   },
   "eventTime":"2017-09-27T20:00:10Z",
   "eventSource":"signin.amazonaws.com",
   "eventName":"ConsoleLogin",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"65.98.119.36",
   "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",
   "requestParameters":null,
   "responseElements":{  
      "ConsoleLogin":"Failure"
   },
   "additionalEventData":{  
      "MobileVersion":"No",
      "LoginTo":"https://console.aws.amazon.com/console/home?state\u003dhashArgs%23\u0026isauthcode\u003dtrue",
      "MFAUsed":"No"
   },
   "eventID":"f36c1d07-73cf-4ab8-84b1-04c93ac2aaeb"
}

Field Extraction Template

parse "\"eventSource\":\"*\"" as event_source
| parse "\"sourceIPAddress\":\"*\"" as source_ipaddress
| parse "\"eventName\":\"*\"" as event_name
| parse "\"awsRegion\":\"*\"" as aws_Region
| parse "\"userName\":\"*\"" as user

Query Sample

Created and Deleted Network and Security Events

_sourceCategory=AWS_EAGLE (*Security* OR *Network*) 
| parse "\"userName\":\"*\"" as user 
| parse "\"eventName\":\"*\"" as event
| parse regex field=event "^(?<event_type>[A-Z][a-z]+?)[A-Z]"
| where (event matches "*Security*" OR event matches "*Network*") and event_type in ("Create","Delete") 
| count by event 
| sort _count
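As an added example (not Sumo Logic's own code), the field extraction template and the "Created and Deleted Network and Security Events" query above re-implemented in Python over a few constructed CloudTrail records, using the query's own event_type regex. The sample log lines, the user names and the 198.51.100.7 address are made up for the example.

```python
import json
import re
from collections import Counter

# Same regex as the page's query: the leading capitalised verb of eventName
# ("CreateSecurityGroup" -> "Create"); the lazy +? stops at the next capital.
EVENT_TYPE_RE = re.compile(r"^(?P<event_type>[A-Z][a-z]+?)[A-Z]")

# Constructed CloudTrail log lines (not real events), one JSON record each,
# carrying the fields the page's field extraction template pulls out.
SAMPLE_LOG_LINES = [
    '{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1",'
    '"sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"system"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"CreateSecurityGroup","awsRegion":"us-east-1",'
    '"sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"olaf"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"CreateSecurityGroup","awsRegion":"us-east-1",'
    '"sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"olaf"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"DeleteNetworkAcl","awsRegion":"us-east-1",'
    '"sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"olaf"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","awsRegion":"us-east-1",'
    '"sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"olaf"}}',
]

def extract_fields(line: str) -> dict:
    """Same fields as the page's field extraction template, read from the
    parsed JSON instead of by string matching on the raw line."""
    rec = json.loads(line)
    return {
        "event_source": rec.get("eventSource"),
        "source_ipaddress": rec.get("sourceIPAddress"),
        "event_name": rec.get("eventName"),
        "aws_region": rec.get("awsRegion"),
        "user": rec.get("userIdentity", {}).get("userName"),
    }

def event_type(event_name: str):
    """Leading verb of an eventName, or None when no second capital follows."""
    m = EVENT_TYPE_RE.match(event_name)
    return m.group("event_type") if m else None

def created_deleted_network_security(lines) -> dict:
    """The page's 'Created and Deleted Network and Security Events' query:
    keep Security/Network events whose verb is Create or Delete, count by event."""
    counts = Counter()
    for line in lines:
        event = extract_fields(line)["event_name"] or ""
        if ("Security" in event or "Network" in event) and event_type(event) in ("Create", "Delete"):
            counts[event] += 1
    return dict(counts)
```

Note that AuthorizeSecurityGroupIngress is dropped even though it names a security group, because its verb is "Authorize", which is exactly what the `event_type in ("Create","Delete")` clause of the query does.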