(LRCloud Only) Configure AWS Config Events Using Cloud to Cloud

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. The System Monitor Agent can import AWS Config events into LogRhythm for analysis. This document explains how to configure the collection of AWS Config events using the Web Console's Cloud to Cloud functionality. This functionality is available to LRCloud customers only.

Prerequisites

Before you start to configure collection from AWS, you must ensure the following:

  • You are an LRCloud customer and your environment is hosted by LogRhythm.

  • You have a valid AWS Access Key ID and Secret Access Key. Use the key pair of a dedicated IAM user that has read-only access to AWS Config in the region you collect from, not the root account credentials: the log source stores these credentials, so keep their permissions to the minimum the collection needs.

Initialize the Logs Source

  1. Log into the Web Console as a Restricted Administrator user.

  2. On the top navigation bar, click the Administration icon, and select Cloud Log Collection.

  3. At the top of the page, click New Log Source.

  4. Select the tile for AWS Config Events Sysmon Agent. 
    The Add AWS Config Events Log Source screen appears.

  5. Enter the following details (setting, default value, and description):

    • Name (default: none). Enter the name for this log source.

    • Description (default: none). (Optional) Enter a description for this log source.

    • Region (default: none). Enter the code of the AWS region whose AWS Config data you want to collect, for example us-east-1. AWS Config is a regional service, so the log source only collects from the region entered here; create one log source per region you want to cover. For the list of region codes, refer to the AWS Config entry in the AWS Regions and Endpoints reference.

    • Access Key ID (default: none). Enter the AWS Access Key ID, for example AKIAIOSFODNN7EXAMPLE.

    • Secret Access Key (default: none). Enter the AWS Secret Access Key, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.

    • Resource Type (default: ALL). List the resource types that the System Monitor Agent should collect. To collect from all resource types, use the value ALL; otherwise specify each value separated by a comma (,) with no spaces. Possible values: AWS::CloudTrail::Trail, AWS::EC2::CustomerGateway, AWS::EC2::EIP, AWS::EC2::InternetGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::Volume, AWS::EC2::VPC, AWS::EC2::VPNConnection, or AWS::EC2::VPNGateway. Example: ALL or AWS::EC2::Subnet,AWS::EC2::Volume,AWS::EC2::RouteTable.


  6. Click Save.
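A pre-flight check for the values entered in step 5, written as an added Python example (it is not part of this page and not LogRhythm product code): it validates the format of each field before you paste it into the form, which catches the rejections that are easy to make, such as a space after a comma in Resource Type or ALL combined with specific types. The allowed resource types and the AWS documentation example key pair come from the table above. The region-code and key-format patterns, and the rule that a temporary STS key (ASIA...) is rejected because the form has no session-token field, are assumptions added here, not behaviour documented on this page.

```python
import re

# Resource types the Resource Type field accepts (from the page); "ALL" selects every type.
ALLOWED_RESOURCE_TYPES = frozenset({
    "AWS::CloudTrail::Trail", "AWS::EC2::CustomerGateway", "AWS::EC2::EIP",
    "AWS::EC2::InternetGateway", "AWS::EC2::NetworkAcl", "AWS::EC2::NetworkInterface",
    "AWS::EC2::RouteTable", "AWS::EC2::SecurityGroup", "AWS::EC2::Subnet",
    "AWS::EC2::Volume", "AWS::EC2::VPC", "AWS::EC2::VPNConnection", "AWS::EC2::VPNGateway",
})

# Format checks only (assumptions, not product rules): shape of a region code and of AWS key material.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")        # us-east-1, eu-central-1, us-gov-west-1
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")   # 20 chars; AKIA = long-term, ASIA = temporary
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")           # 40-character secret


def parse_resource_types(value: str) -> tuple[list[str], list[str]]:
    """Split the Resource Type field and report what the form would reject.

    Returns (resource_types, problems); problems is empty when the value is valid.
    """
    problems: list[str] = []
    if value == "":
        return [], ["Resource Type is empty; use ALL or a comma-separated list"]
    entries = value.split(",")
    if "ALL" in entries and len(entries) > 1:
        problems.append("ALL cannot be combined with specific resource types")
    for entry in entries:
        if entry != entry.strip():
            # The page requires values separated by a bare comma, without spaces.
            problems.append(f"entry {entry!r} contains whitespace; separate values with a bare comma")
            entry = entry.strip()
        if entry == "":
            problems.append("empty entry (trailing or doubled comma)")
        elif entry != "ALL" and entry not in ALLOWED_RESOURCE_TYPES:
            problems.append(f"unsupported resource type {entry!r}")
    return [e.strip() for e in entries if e.strip()], problems


def validate_log_source(settings: dict) -> list[str]:
    """Return the problems found in the Add AWS Config Events Log Source fields.

    An empty list means every field passed the format checks. This does not
    prove the key works or has AWS Config permissions; it only checks shape.
    """
    problems: list[str] = []
    if not settings.get("Name", "").strip():
        problems.append("Name is required")

    region = settings.get("Region", "")
    if not REGION_RE.match(region):
        problems.append(f"Region {region!r} is not a region code such as us-east-1")

    key_id = settings.get("Access Key ID", "")
    if not ACCESS_KEY_ID_RE.match(key_id):
        problems.append("Access Key ID must be 20 characters starting with AKIA or ASIA")
    elif key_id.startswith("ASIA"):
        # Assumption: temporary STS keys also need a session token, and the form has no field for one.
        problems.append("Access Key ID is a temporary STS key (ASIA...); use a long-term IAM user key (AKIA...)")

    if not SECRET_KEY_RE.match(settings.get("Secret Access Key", "")):
        problems.append("Secret Access Key must be 40 characters")

    _, resource_problems = parse_resource_types(settings.get("Resource Type", "ALL"))
    problems.extend(resource_problems)
    return problems


# Constructed sample input; the key pair is the AWS documentation example pair, not a real credential.
EXAMPLE_SETTINGS = {
    "Name": "AWS Config - prod us-east-1",
    "Description": "AWS Config resource change history, production account",
    "Region": "us-east-1",
    "Access Key ID": "AKIAIOSFODNN7EXAMPLE",
    "Secret Access Key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Resource Type": "AWS::EC2::SecurityGroup,AWS::EC2::NetworkAcl,AWS::EC2::RouteTable",
}

if __name__ == "__main__":
    for line in validate_log_source(EXAMPLE_SETTINGS) or ["all fields look valid"]:
        print(line)
```

Run it with python3 and it prints either the problems found or that all fields look valid. A key pair that passes can still lack the AWS Config permissions the collection needs, so treat a clean run as a format check, not as a test of the credentials.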

Using the information provided, a new active log source is created and accepted in the Client Console. Collection should start automatically within a couple of minutes.

The log source's host is the Platform Manager. However, it is recommended that you create a new host entity and move the log source to it.


For security purposes, the values entered are encrypted using LRCrypt.

Default Config Values for AWS Config Events Log Source


Setting                   Default Value
MaxResultCount            100
StartupDelayInSeconds     30