Skip to main content
Skip table of contents

(LRCloud Only) Configure AWS Config Events Using Cloud to Cloud

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. The System Monitor Agent can import AWS Config events into LogRhythm for analysis. This document explains how to configure the collection of AWS Config events using the web console's cloud to cloud functionality. This is available to LRCloud customers only.

Prerequisites

Before you start to configure collection from AWS, you must ensure the following:

  • Customer is an LRCloud customer and has their environment hosted.
  • You have a valid AWS Access Key and Secret Access Key.

Initialize the Logs Source

  1. Log into the web console as an Restricted Administrator User.
  2. On the top navigation bar, click the Administration icon, and select Cloud Log Collection.
  3. At the top of the page, click New Log Source.
  4. Select the tile for AWS Config Events Sysmon Agent. 
    The Add AWS Config Events Log Source screen appears.
  5. Enter the following details:

    SettingDefault ValueDescription
    NameN/AEnter the name for this log source.
    DescriptionN/A(Optional) Enter a description for this log source.
    RegionN/A

    Enter the endpoint region code for the specific AWS CloudTrail S3 bucket (for example, us-east-1). For more information, refer to CloudTrail Regions and Endpoints.

    Access Key IDN/AEnter the AWS Access Key ID. for example, AKIAIOSFODNN7EXAMPLE
    Secret Access KeyN/A

    Enter the AWS Secret Access Key for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

    Resource TypeALLList the Resource types that the Open Collector should collect. To collect from all resource types use the value ALL; otherwise specify each value separate by a comma (,) without spaces. Possible Values: AWS::CloudTrail::Trail, AWS::EC2::CustomerGateway, AWS::EC2::EIP, AWS::EC2::InternetGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::Volume, AWS::EC2::VPC, AWS::EC2::VPNConnection, or AWS::EC2::VPNGateway. Example: ALL or AWS::EC2::Subnet,AWS::EC2::Volume,AWS::EC2::RouteTable.
  6. Click Save

Using the information provided, a new active log source is created and accepted in the client console. Collection should start automatically within a couple of minutes.

The log source's host is the Platform Manager. However, it is recommended that a new host entity is created and the log source is moved to the new host.


For security purposes, the values entered are encrypted using LRCrypt.

Default Config Values for AWS Config Events Log Source


SettingDefault Value

MaxResultCount

100

StartupDelayInSeconds

30
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.