Skip to main content
Sumo Logic

Collect logs for the AWS CloudTrail App

To configure an AWS CloudTrail Source, perform these steps:

  1. Grant Sumo Logic access to an Amazon S3 bucket.
  2. Configure CloudTrail in your AWS account.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. Add an AWS CloudTrail Source to Sumo Logic.
  5. Install the Sumo Logic App for AWS CloudTrail.

Sample Log Message

{  
   "eventVersion":"1.01",
   "userIdentity":{  
      "type":"IAMUser",
      "principalId":"AIDAJ6IGVQ4XQZQDAYEOA",
      "arn":"arn:aws:iam::956882708938:user/Olaf",
      "accountId":"956882708938",
      "userName":"system"
   },
   "eventTime":"2017-09-27T20:00:10Z",
   "eventSource":"signin.amazonaws.com",
   "eventName":"ConsoleLogin",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"65.98.119.36",
   "userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",
   "requestParameters":null,
   "responseElements":{  
      "ConsoleLogin":"Failure"
   },
   "additionalEventData":{  
      "MobileVersion":"No",
      "LoginTo":"https://console.aws.amazon.com/console/home?state\u003dhashArgs%23\u0026isauthcode\u003dtrue",
      "MFAUsed":"No"
   },
   "eventID":"f36c1d07-73cf-4ab8-84b1-04c93ac2aaeb"
}

Query Sample

Created and Deleted Network and Security Events

_sourceCategory=AWS_EAGLE (*Security* OR *Network*) 
| parse "\"userName\":\"*\"" as user 
| parse "\"eventName\":\"*\"" as event
| parse regex field=event "^(?<event_type>[A-Z][a-z]+?)[A-Z]"
| where (event matches "*Security*" OR event matches "*Network*") and event_type in ("Create","Delete") 
| count by event 
| sort _count