
Collect Logs for the AWS CloudTrail App

This page has instructions for configuring log collection for the AWS CloudTrail app. 

To configure an AWS CloudTrail Source, perform these steps:

  1. Grant Sumo Logic access to an Amazon S3 bucket.
  2. Configure CloudTrail in your AWS account.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. Add an AWS CloudTrail Source to Sumo Logic.
  5. Enable Sumo to track AWS Admin activity. This step is optional, but if you don't do it, the administrator activity panels in the AWS CloudTrail - User Monitoring dashboard won't be populated. 
  6. Install the Sumo Logic App for AWS CloudTrail.

Sample Log Message

{  
   "eventVersion":"1.01",
   "userIdentity":{  
      "type":"IAMUser",
      "principalId":"AIDAJ6IGVQ4XQZQDAYEOA",
      "arn":"arn:aws:iam::956882708938:user/Olaf",
      "accountId":"956882708938",
      "userName":"system"
   },
   "eventTime":"2017-09-27T20:00:10Z",
   "eventSource":"signin.amazonaws.com",
   "eventName":"ConsoleLogin",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"65.98.119.36",
   "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",
   "requestParameters":null,
   "responseElements":{  
      "ConsoleLogin":"Failure"
   },
   "additionalEventData":{  
      "MobileVersion":"No",
      "LoginTo":"https://console.aws.amazon.com/console/home?state\u003dhashArgs%23\u0026isauthcode\u003dtrue",
      "MFAUsed":"No"
   },
   "eventID":"f36c1d07-73cf-4ab8-84b1-04c93ac2aaeb"
}

Field Extraction Template

parse "\"eventSource\":\"*\"" as event_source
| parse "\"sourceIPAddress\":\"*\"" as source_ipaddress
| parse "\"eventName\":\"*\"" as event_name
| parse "\"awsRegion\":\"*\"" as aws_Region
| parse "\"userName\":\"*\"" as user

Query Sample

Created and Deleted Network and Security Events

_sourceCategory=AWS_EAGLE (*Security* OR *Network*) 
| parse "\"userName\":\"*\"" as user 
| parse "\"eventName\":\"*\"" as event
| parse regex field=event "^(?<event_type>[A-Z][a-z]+?)[A-Z]"
| where (event matches "*Security*" OR event matches "*Network*") and event_type in ("Create","Delete") 
| count by event 
| sort _count
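To show what the query above computes, here is an added offline Python equivalent (not Sumo Logic's code) that applies the same event_type regex and the same Security/Network plus Create/Delete filter to constructed CloudTrail records shaped like the sample log message; it also adds a check for the failed, non-MFA ConsoleLogin case the sample shows. User names and IP addresses in the records are assumed, constructed values.

```python
"""Added example: offline Python equivalent of the page's "Created and Deleted
Network and Security Events" query, run over constructed CloudTrail records."""
import re
from collections import Counter

# Same regex as the page's `parse regex field=event`: the leading CamelCase
# word of eventName, e.g. "CreateSecurityGroup" -> "Create".
EVENT_TYPE_RE = re.compile(r"^(?P<event_type>[A-Z][a-z]+?)[A-Z]")

# Constructed records (assumed values, not a real account); only the fields
# the page's parse statements pull out are included.
SAMPLE_RECORDS = [
    {"eventName": "CreateSecurityGroup", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "192.0.2.10"},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"userName": "bob"}, "sourceIPAddress": "192.0.2.11"},
    {"eventName": "DeleteSecurityGroup", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "192.0.2.10"},
    {"eventName": "CreateNetworkInterface", "userIdentity": {"userName": "bob"}, "sourceIPAddress": "192.0.2.11"},
    # Read-only and non-Create/Delete calls are dropped by the query's where clause.
    {"eventName": "DescribeSecurityGroups", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "192.0.2.10"},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "bob"}, "sourceIPAddress": "192.0.2.11"},
    # A failed console login without MFA, shaped like the page's sample message.
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "system"}, "sourceIPAddress": "192.0.2.12",
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
]

def event_type(event_name):
    """Leading CamelCase word of an eventName, or None for a one-word name."""
    m = EVENT_TYPE_RE.match(event_name)
    return m.group("event_type") if m else None

def count_network_security_changes(records):
    """The where / count by event / sort _count pipeline of the page's query.
    Returns (event, count) pairs, count ascending, ties broken by event name."""
    counts = Counter(
        r["eventName"] for r in records
        if ("Security" in r["eventName"] or "Network" in r["eventName"])
        and event_type(r["eventName"]) in ("Create", "Delete")
    )
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

def failed_console_logins_without_mfa(records):
    """Detection over the sample's fields: ConsoleLogin failures with MFAUsed == No."""
    return [
        (r["userIdentity"]["userName"], r["sourceIPAddress"]) for r in records
        if r["eventName"] == "ConsoleLogin"
        and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"
        and r.get("additionalEventData", {}).get("MFAUsed") == "No"
    ]
```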