Skip to main content
Sumo Logic

AWS CloudTrail Source

AWS CloudTrail records API calls made to AWS. This includes calls made using the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services. Add an AWS CloudTrail Source to upload these messages to Sumo Logic. The AWS CloudTrail Source automatically parses the logs prior to upload.

To configure an AWS CloudTrail Source:

  1. Grant Sumo Logic access to an Amazon S3 bucket.
  2. Configure CloudTrail in your AWS account.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. In Sumo Logic select Manage > Collection > Collection (Manage > Collection in the classic UI). 
  5. Select the hosted Collector for which you want to add the Source, and click Add Source
  6. Click AWS CloudTrail.
  7. Configure the settings as described in AWS Sources.
  8. Optional: Install the Sumo Logic App for AWS CloudTrail.

CloudTrail log objects

CloudTrail log objects are generated by AWS as a single JSON Records array containing a series of event objects. The AWS CloudTrail Source automatically applies boundary and timestamp processing rules to pull the individual event objects from the CloudTrail Records array as separate log messages within Sumo Logic.

The following is an example of an AWS CloudTrail file object:

{"Records":[{"eventVersion":"1.03","userIdentity":{"type":"Root","principalId":"XXXXXXXXXX","arn": 
"arn:aws:iam::XXXXXXXXXX:root","accountId":"XXXXXXXXXX","accessKeyId": "XXXXXXXXXXXXXXXX","sessionContext": 
{"attributes":{"mfaAuthenticated":"false", "creationDate":"2016-04-01T16:09:43Z"}}}, "eventTime": 
"2016-04-01T16:19:26Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketLocation","awsRegion": 
"us-west-2","sourceIPAddress":" 192.168.1.1","userAgent":"[S3Console/0.4]","requestParameters": 
{"bucketName":"example"},"responseElements":null,"requestID":"DE61373E09329981","eventID": 
"d4877d6c-4bf2-4a46-82d5-c8d710905138","eventType":"AwsApiCall","recipientAccountId":"XXXXXXXXXX"}, 
{"eventVersion": "1.03","userIdentity":"type":"Root","principalId":"XXXXXXXXXX","arn": 
"arn:aws:iam::XXXXXXXXXX:root","accountId": "XXXXXXXXXX","accessKeyId":"XXXXXXXXXXXXXXXX","sessionContext": 
{"attributes":{"mfaAuthenticated":"false", "creationDate":"2016-04-01T16:09:43Z"}}},"eventTime": 
"2016-04-01T16:19:26Z","eventSource":"s3.amazonaws.com", "eventName":"GetBucketLocation","awsRegion": 
"us-west-2","sourceIPAddress":" 192.168.1.1","userAgent": "[S3Console/0.4]","requestParameters": 
{"bucketName":"example"},"responseElements":null,"requestID": "F1A6B08803D73C5A","eventID": 
"2b4d6eea-ecb8-4853-a1d2-f0b6b931d5bf","eventType":"AwsApiCall","recipientAccountId": 
"XXXXXXXXXX"}, {"eventVersion":"1.04","userIdentity":"type":"Root","principalId":"XXXXXXXXXX","arn": 
"arn:aws:iam::XXXXXXXXXX:root","accountId":"XXXXXXXXXX","accessKeyId":"XXXXXXXXXXXXXXXX","sessionContext": 
{"attributes":{"mfaAuthenticated":"false","creationDate":"2016-04-01T16:09:43Z"}}},"eventTime": 
"2016-04-01T16:22:11Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","awsRegion": 
"us-west-2","sourceIPAddress":"10.1.1.1","userAgent":"console.amazonaws.com","requestParameters": 
{"trailNameList":[]},"responseElements":null,"requestID":"e36e19ff-f825-11e5-9015-0336c0231e57", "eventID": 
"9b5a6b39-0415-4c88-b7f1-698161bf028b","eventType":"AwsApiCall","recipientAccountId": 
"XXXXXXXXXX"},{"eventVersion": "1.04","userIdentity":"type":"Root","principalId":"XXXXXXXXXX", 
"arn":"arn:aws:iam::XXXXXXXXXX:root","accountId": "XXXXXXXXXX","accessKeyId":"XXXXXXXXXXXXXXXX", 
"sessionContext":{"attributes":{"mfaAuthenticated":"false", "creationDate":"2016-04-01T16:09:43Z"}}}, 
"eventTime":"2016-04-01T16:22:34Z","eventSource":"cloudtrail.amazonaws.com", "eventName":"DescribeTrails", 
"awsRegion":"us-west-2","sourceIPAddress":"10.1.1.1","userAgent":"console.amazonaws.com", "requestParameters":
{"trailNameList":[]},"responseElements":null,"requestID": "f0c79c48-f825-11e5-933d-65f8283355b7", "eventID":
"2f9837ef-f727-45d7-a217-2974d27cb998","eventType": "AwsApiCall","recipientAccountId":"XXXXXXXXXX"}}

CloudTrail events as seen in Sumo Logic:

coudtrail_events.png