API - AWS Config Event
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. The System Monitor Agent can import AWS Config events into LogRhythm for analysis. This section explains how to configure the collection of AWS Config events via a LogRhythm System Monitor Agent.
Configure the cloudconfig.ini File
A LogRhythm System Monitor is required to collect log files. It needs a user account with access to the AWS API. With the credentials of the AWS IAM user created in the previous section, the cloudconfig.ini file is used to create a secure connection between the System Monitor Agent and AWS Config.
The cloudconfig.ini file contains many settings. The table below lists the available settings with the default value, the range of values when applicable, and a brief description.
Setting | Range | Default Value | Description |
---|---|---|---|
Region | CHANGE_THIS | The "Region" ID for the specific CloudTrail region (for example, us-east-1). For more information, refer to AWS Config Regions and Endpoints. | |
AccessKeyId | CHANGE_THIS | The AWS Access Key ID (see note below). | |
SecretAccessKey | CHANGE_THIS | The AWS Secret Access Key (see note below). | |
The Access Key ID and Secret Access Key must be encrypted using the lrcrypt command line utility, located in the System Monitor installation directory. See LogRhythm Password Encryption for more information. You must manually paste the encrypted values into the configuration file. | |||
APIPollingIntervalInMs | 1000–60000 | 5000 | The AWS API polling interval, in milliseconds. |
ResourceType | All | Resources for which configuration change events need to be collected from AWS. Possible values: AWS::CloudTrail::Trail,AWS::EC2::CustomerGateway,AWS::EC2::EIP, AWS::CloudTrail::Trail,AWS::EC2::CustomerGateway,AWS::EC2::EIPAWS::EC2::InternetGateway, Example: AWS::EC2::Subnet,AWS::EC2::Volume,AWS::EC2::RouteTable If you want to collect change events from ALL resources, write ALL. ResourceType=ALL | |
MaxResultCount | 1–100 | 100 | The number of objects to be fetched from the bucket in a single request. |
StartupDelayInSeconds | 30 | If the API needs to be queried when the System Monitor is started, it will wait this long before running. | |
(Optional) Proxy Settings | |||
ProxyServer | The IP address or DNS name of a proxy server to use for connecting to AWS. | ||
ProxyPort | The port to use on the proxy server. | ||
UserName | The user name to send if authentication is required on the proxy server. | ||
Password | The password for the specified user name. | ||
Domain | The domain to use for connecting to the proxy server. |
Edit the cloudconfig.ini file with the appropriate credentials and information to create a secure connection between the System Monitor Agent and AWS Config.
Before you begin these instructions, ensure that you have the Access Key ID and the Secret Access Key. These keys are needed to configure the cloudconfig.ini file.
- Open Windows Explorer and go to the following directory: C:\Program Files\LogRhythm\LogRhythm System Monitor\config
- Open cloudconfig.ini with a text editor.
Most of the configuration can be used as is. A few of the settings need to be changed so the LogRhythm Agent can access the AWS Config instance to collect log files. - For Region, replace CHANGE_THIS with the "Region" ID for the specific AWS Config region — for example, us-east-1. For more information, refer to AWS Config Regions and Endpoints.
- For AccessKeyId, replace CHANGE_THIS with the Access Key generated when you created the IAM user for this instance of AWS Config — encrypt with lrcrypt before adding to the INI file.
For SecretAccessKey, replace CHANGE_THIS with the Secret Access Key generated when you created the IAM user for this instance of AWS Config — encrypt with lrcrypt before adding to the INI file.
The AccessKeyId and SecretAccessKey values must be encrypted using the lrcrypt command line utility.
Save and close the file.
If you need to grant access to multiple users (Agents), you can create multiple cloudconfig.ini files and multiple AWS Config log sources.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API : AWS Config Event. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.