Amazon Simple Storage Service (Amazon S3) provides developers and IT teams with secure, durable, highly scalable cloud storage. The System Monitor Agent can import Amazon S3 events into LogRhythm for analysis. This document explains how to configure the collection of Amazon S3 events using the web console's cloud to cloud functionality. This is available to LRCloud customers only.
Before you start to configure collection from AWS, you must ensure the following:
- Customer is an LRCloud customer and has their environment hosted.
- You have a valid AWS Access Key and Secret Access Key.
Initialize the Logs Source
- Log into the web console as an Restricted Administrator User.
- On the top navigation bar, click the Administration icon, and select Cloud Log Collection.
- At the top of the page, click New Log Source.
- Select the tile for AWS S3 Server Access Sysmon Agent.
The AWS S3 Server Access Log Source screen appears.
Enter the following details:
Setting Description Name Enter the name for this log source. Description (Optional) Enter a description for this log source. Region
Enter the endpoint region code for the specific AWS CloudTrail S3 bucket (for example, us-east-1). For more information, refer to CloudTrail Regions and Endpoints.
Access Key ID
Enter the AWS Access Key ID. for example, AKIAIOSFODNN7EXAMPLE
Secret Access Key
Enter the AWS Secret Access Key for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Bucket Name Enter he name of the bucket where logs are stored. Folder Logs cannot be collected from the root folder of the AWS S3 bucket. Before collection, there needs to be a logs folder in the target bucket, and copy all files into that new folder. For example, 'logs/'.
- Click Save.
Using the information provided, a new active log source is created and accepted in the client console. Collection should start automatically within a couple of minutes.
The log source's host is the Platform Manager. However, it is recommended that a new host entity is created and the logs source is moved to the new host.
For security purposes, the values entered are encrypted LRCrypt.
Default Config Values for AWS S3 Server Access Events Log Source