To track Admin activity in your AWS account, and to provide data for all Administrator Activity Panels in the User Monitoring Dashboard, you'll need to inform Sumo Logic of the Admin AWS account. You can do this by uploading a CSV file via an HTTP Source.
This step is optional. But if you skip this step, three Administrator Activity panels in the app won't be populated (since the Sumo Logic service won't be aware of the specific activity of each Admin user). All other panels will work properly and will display information.
Configure an HTTP source
- Configure an HTTP Source on a Hosted Collector, either the collector where you installed CloudTrail source, or another collector, if you prefer. Use the using the following settings:
- For Name, enter Administrative Users.
- For Source Category, enter admin_users.
- Deselect Enable Timestamp Parsing.
- All other options can use the default settings; optional fields can be left blank.
- Click Save, and make a note of the generated URL for the source.
Upload admin_users file to Sumo
- Create a file named
admin_users.csvthat contains a list of all the AWS usernames of Admin(s) in your AWS account, including one username on each line. For example:
dtaylor landerson athomas rjackson
(Your organization's user names may look different; make sure that only one user name is on each line.)
- Upload the admin_users.csv file to the HTTP Source. For example, using cURL, you’d type curl -X POST -T admin_users.csv “<url>" making sure to replace <url> with the unique URL generated for your HTTP Source.
- To verify that the data has uploaded, run the following search after about 10 minutes:_sourceCategory=admin_users
- If the search returns the correct result, run the following search to save the data to a shared location that can be referenced by the Panels in the CloudTrail app:
| parse "*" as admin_user
| count as count by admin_user
| fields -count
| save /shared/aws/cloudtrail/admin_users
Your search results should look similar to: