Install the Sumo Logic App
Now that you have set up collection for AWS CloudTrail, install the Sumo Logic App for CloudTrail to use the pre-configured searches and dashboards that provide visibility into your environment.
To install the app:
- Select App Catalog, search for and select the app, and click Add to Library. (In the classic UI, click Library, click Apps, select the app, and click Install. If you don't find the app under Apps, it might be a preview app. Try clicking Preview to find the app.)
- Click Preview Dashboards if you'd like to see a preview of the dashboards included with the app before installing.
- In the Install Application dialog box, select the installation path (the default is the Personal folder in the library), or click New Folder to add a new folder.
- Select either of these options for the log data source.
- Choose Select from Existing Source Categories, and select the source catalog from the Source Category list.
- Choose Enter a Custom Data Filter and enter a custom source category beginning with an underscore. Example: (
- Click Add to Library.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization. See Welcome to the New Library for information on working with the library in the new UI.
Panels will start to fill automatically. It's important to note that each Panel slowly fills with data matching the time range query and received since the Panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.
What if data isn't displaying in all Panels?
Amazon S3 buckets are scanned for new files according to the Scan Interval you set when configuring the S3 Source used for AWS CloudTrail logs. Even if you set a shorter Scan Interval, say five minutes, if no new files are found, the Scan Interval is automatically doubled, up to 24 hours (you can read more in Set the S3 Source Scan Interval). If the Scan Interval increases, it means that a Panel set to a 60-minute time range may not find any data to display, because no files have uploaded to Sumo Logic. This isn't to say that no data is being collected from your S3 bucket; you can confirm that data is being collected on the Status page.
Additionally, you can change the time range of a Panel. Even though these have been preconfigured, they can be edited just like any other Panel. You'll find instructions in Changing the time range of a Panel.
Geo Location of All Users. Using a geolocation search, shows the locations of the IPs used by visitors on a map of the world.
Created Resources. Displays a day’s worth of created resources for 24 hours in a pie chart.
Deleted Resources Over Time. Displays the resources deleted over the past 24 hours in a bar chart.
Top 10 Users. This Panel displays the top 10 most active AWS users in a column chart for the past 24 hours.
Failed Logins. Displays the number of failed logins for the past 24 hours in a single value chart.
Created and Deleted Network and Security Events. Displays a pie chart of created or deleted events for the past 24 hours.
User Monitoring Dashboard
Geo Location of All Users. Using a geolocation search, shows the locations of the IPs used by visitors on a map of the world for the last 24 hours.
Administrative Activities Over Time. Shows which administrative users have been active every hour in a stacked column chart over the past 24 hours.
Top 10 Activities by Administrative Users. See which activities have been performed the most by administrative users in a bar chart for the last 24 hours.
Top 10 Users. This Panel displays the top 10 most active AWS users in a column chart for the last 24 hours.
Launched and Terminated Instances by User. Shows the number of instances that have either been launched or terminated every hour over the past 24 hours in a stacked column chart.
Recent Activity by Administrative Users. Activity over the last three hours are displayed by the name of the event (CreateUser, PutUserPolicy, and so on) and by the user’s name and location.
Network and Security Dashboard
Authorization Failures from All Countries. Uses a geolocation search to display a map of where failures occur world-wide.
Recent Authorization Failures. Shows the most recent authorization failures.
Authorization Failures Over Time. View the number of “Access Denied” errors generated every hour over the past 24 hours.
Network and Security Events Over Time. Displays the number of specific events every hour over the past 24 hours.
Recent Security Group and Network ACL Changes. Shows the most recent changes that were made to security groups in the form of authorizing ingress to a security group or the creation of a network access control list over the past three hours.
Network ACL with All Allowed Ingress/Egress. Displays a list all of inbound or outbound events where ingress or egress for a particular subnet was allowed for all possible ports.
Created and Deleted Network and Security Events. Displays a chart of created or deleted events.
Short Lived Critical Operations. The search behind this Panel watches for users, groups, or policies that are created and then deleted within a span of 10 minutes.
Action Events. Displays a list of events that correspond to a user performing a certain AWS action over the past hour.
Requested AWS Services Over Time. Shows the number of requests every hour over the past 24 hours for AWS services, like EC2 and IAM.
Events by AWS Region. Makes it easy to watch the number of events in each AWS region every hour over the past 24 hours.
Recent Elastic IP Address Operations. View the most recent operations (from the past three hours), displayed by IP address, user, and AWS region.
Created Resources Over Time. Displays a day’s worth of created resources every hour across your deployment.
Deleted Resources Over Time. Displays the resources deleted every hour over the past 24 hours.
Console Logins Dashboard
Geo Location of All Users. Uses a geo lookup operation to display the locations of all users by IP address on a map of the world for the last 24 hours.
Login Events By User. Displays login success and failure events per user on a timeline using timeslices of one hour as a stacked column chart for the last 24 hours.
Logins Over Time. Shows login success and failure events on a timeline using timeslices of one hour as a line chart for the last 24 hours.
Logins from Multiple IP. Provides information on logins from multiple IP addresses in an aggregation table, including the user name and number of instances for the last 24 hours.
Logins from Outside the USA. Displays logins from locations outside the United States as an aggregation table, including the user name, country code, login result status, and count for the last 24 hours.
Logins without MFA. Shows users who have logged in without using multi-factor authentication (MFA) in an aggregation table, including the user name, login result status, and count for the last 24 hours.