Sumo Logic

Collect Logs for the AWS CloudTrail App

This page has instructions for configuring log collection for the AWS CloudTrail app. 

To use the AWS CloudTrail app in multiple environments, see Configure the AWS CloudTrail App in Multiple Environments.

Before you begin

Before you begin, you must configure AWS CloudTrail logging to an S3 bucket.

  1. Configure CloudTrail in your AWS account.
  2. Confirm that logs are being delivered to the Amazon S3 bucket.

Configure AWS CloudTrail Collection

To configure an AWS CloudTrail Source, perform these steps:

  1. Add an AWS CloudTrail Source to Sumo Logic.
  2. Grant Sumo Logic access to the Amazon S3 bucket that CloudTrail delivers to:
  • Generate the Role-Based Access CloudFormation template in Sumo Logic and download the template.
  • Create the CloudFormation stack in the AWS Management Console using the template.
  • Copy the Role ARN from the stack's Outputs tab and paste it into the Role ARN field of the Sumo Logic CloudTrail Source created in step 1. For more information, refer to Configuring your AWS source with CloudFormation.
  3. Enable Sumo to track AWS Admin activity. This step is optional, but if you skip it, the administrator activity panels in the AWS CloudTrail - User Monitoring dashboard won't be populated.
  4. Install the Sumo Logic App for AWS CloudTrail.

Sample Log Message

   "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",

Field Extraction Template

| parse "\"sourceIPAddress\":\"*\"" as source_ipaddress 
| parse "\"eventName\":\"*\"" as event_name 
| parse "\"eventSource\":\"*\"" as event_source 
| parse "\"awsRegion\":\"*\"" as aws_Region 
| parse "\"userName\":\"*\"" as user

Query Sample

Created and Deleted Network and Security Events

_sourceCategory=AWS_EAGLE (*Security* OR *Network*) 
| parse "\"userName\":\"*\"" as user 
| parse "\"eventName\":\"*\"" as event
| parse regex field=event "^(?<event_type>[A-Z][a-z]+?)[A-Z]"
| where (event matches "*Security*" OR event matches "*Network*") and event_type in ("Create","Delete") 
| count by event 
| sort _count
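The following Python script is an added example, not code from the Sumo Logic page or product. It reproduces, offline, what the Field Extraction Template and the "Created and Deleted Network and Security Events" query above do to raw CloudTrail records: it splits a CloudTrail delivery file's Records array into one message per record (as the CloudTrail Source does), applies the same `"key":"*"` parse anchors as regexes, derives event_type with the same `^([A-Z][a-z]+?)[A-Z]` regex, and counts Create/Delete events whose name contains Security or Network. The CloudTrail records are constructed sample data, and the `nodrop` flag models Sumo's behaviour that `parse` discards any message missing an anchored field unless `nodrop` is specified.

```python
import json
import re
from collections import Counter

# Constructed CloudTrail delivery file (not real data): a Records[] array in the
# compact JSON CloudTrail writes to S3 (no spaces after the colons, which is
# what the page's "key":"*" parse anchors rely on).
SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": [
    {"userIdentity": {"type": "IAMUser", "userName": "alice"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10"},
    {"userIdentity": {"type": "IAMUser", "userName": "alice"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10"},
    {"userIdentity": {"type": "IAMUser", "userName": "bob"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAcl", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7"},
    {"userIdentity": {"type": "IAMUser", "userName": "bob"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7"},
    {"userIdentity": {"type": "IAMUser", "userName": "carol"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1", "sourceIPAddress": "192.0.2.44"},
    # Constructed root-identity record: no userName field anywhere, so the
    # page's parse "\"userName\":\"*\"" drops it unless nodrop is used.
    {"userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkInterface", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.99"},
    {"userIdentity": {"type": "IAMUser", "userName": "dave"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5"},
]}, separators=(",", ":"))

# The page's Field Extraction Template, as the regexes Sumo's parse operator
# builds from "\"key\":\"*\"": literal key, then a lazy match to the next quote.
PARSE_ANCHORS = {
    "source_ipaddress": r'"sourceIPAddress":"(.*?)"',
    "event_name": r'"eventName":"(.*?)"',
    "event_source": r'"eventSource":"(.*?)"',
    "aws_region": r'"awsRegion":"(.*?)"',
    "user": r'"userName":"(.*?)"',
}

# Same regex as the query's parse regex: the leading CamelCase word of the
# event name ("Create" from "CreateSecurityGroup"), stopped by the next capital.
EVENT_TYPE_RE = re.compile(r"^(?P<event_type>[A-Z][a-z]+?)[A-Z]")


def split_records(cloudtrail_file):
    """Turn one CloudTrail delivery file into one compact JSON message per record."""
    return [json.dumps(rec, separators=(",", ":")) for rec in json.loads(cloudtrail_file)["Records"]]


def extract_fields(raw_message, nodrop=False):
    """Apply the parse anchors to one raw message.

    Mirrors Sumo's parse semantics: a message missing any anchored field is
    dropped (None) unless nodrop is set, in which case that field is empty.
    """
    fields = {}
    for name, pattern in PARSE_ANCHORS.items():
        m = re.search(pattern, raw_message)
        if m is None and not nodrop:
            return None
        fields[name] = m.group(1) if m else ""
    return fields


def created_deleted_network_security(raw_messages, nodrop=False):
    """Reproduce the page's query: count Create*/Delete* events mentioning Security or Network.

    Returns (event, count) pairs sorted by count descending, Sumo's default sort order.
    """
    counts = Counter()
    for raw in raw_messages:
        # _sourceCategory=AWS_EAGLE (*Security* OR *Network*): keyword pre-filter,
        # simplified here to a case-insensitive substring test on the raw message.
        if "security" not in raw.lower() and "network" not in raw.lower():
            continue
        fields = extract_fields(raw, nodrop=nodrop)
        if fields is None:
            continue
        event = fields["event_name"]
        m = EVENT_TYPE_RE.match(event)
        if m is None:
            continue  # parse regex without nodrop also drops non-matching messages
        event_type = m.group("event_type")
        if ("Security" in event or "Network" in event) and event_type in ("Create", "Delete"):
            counts[event] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    messages = split_records(SAMPLE_CLOUDTRAIL_FILE)
    for event, n in created_deleted_network_security(messages):
        print(f"{n:>3}  {event}")
    print("with nodrop:", created_deleted_network_security(messages, nodrop=True))
```

Two points worth checking against your own data before relying on the dashboard: the `parse "\"userName\":\"*\""` line drops every record that has no `userName` field, so identities such as root or service principals silently disappear from a query that parses it (add `nodrop` and filter explicitly if you want them counted), and because the anchor matches the first `"userName":"` in the raw text, for assumed-role sessions it will typically pick up the role name under `sessionContext.sessionIssuer` rather than a human user.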