Skip to main content
Sumo Logic

Set Up Admin Access for CloudTrail

To track Admin activity in your AWS account, and to provide data for all Administrator Activity Panels in the User Monitoring Dashboard, you'll need to inform Sumo Logic of the Admin AWS account. You can do this by uploading a CSV file via an HTTP Source.

This step is optional. But if you skip this step, three Administrator Activity Panels in the App won't be populated (since the Sumo Logic service won't be aware of the specific activity of each Admin user). All other Panels will work properly and will display information.

The HTTP Source can be added to the Hosted Collector that you’ve just set up (or any other Hosted Collector in your account).

Configure an HTTP Source

  1. Configure an HTTP Source on the new Hosted Collector, using the following settings:
    • For Name, enter Administrative Users.
    • For Source Category, enter admin_users.
    • Deselect Enable Timestamp Parsing.
    • All other options can use the default settings; optional fields can be left blank.
  2. Click Save, and make a note of the unique generated URL.

Upload admin_users CSV file to Sumo Logic

  1. Create a file named admin_users.csv.In admin_users.csv, type a list of all the AWS user names that belong to the Admin(s) in your AWS account; include just one user name on each line. For example:
dtaylor
landerson
athomas
rjackson

(Your organization's user names may look different; make sure that only one user name is on each line.)

  1. Upload the admin_users.csv file to the HTTP Source. For example, using cURL, you’d type curl -X POST -T admin_users.csv “<url>" making sure to replace <url> with the unique URL generated for your HTTP Source.
  2. To verify that the data has uploaded, run the following search after about 10 minutes:_sourceCategory=admin_users
  3. If the search returns the correct result, run the following search to save the data to a shared location that can be referenced by the Panels in the CloudTrail app:

_sourceCategory=admin_users
| parse "*" as admin_user
| count as count by admin_user
| fields -count
| save /shared/aws/cloudtrail/admin_users

Your search results should look similar to: