AWS CloudTrail provides a management system that enables users to manage and deploy networks at geographically distributed locations. The System Monitor Agent can import CloudTrail events into LogRhythm for analysis. This section explains how to configure the collection of CloudTrail events via the System Monitor.
Configure the cloudtrail.ini File
A System Monitor Agent is required to collect log files. It needs a user account with access to the AWS API. With the credentials of the AWS IAM user created in the previous section, the cloudtrail.ini file is used to create a secure connection between the System Monitor and AWS CloudTrail.
The cloudtrail.ini file contains many settings. The table below lists the cloudtrail.ini settings with the default value, the range of values when applicable, and a brief description of the value.
The endpoint region code for the specific AWS CloudTrail S3 bucket (for example, us-east-1). For more information, refer to CloudTrail Regions and Endpoints.
AWS CloudTrail records all global events created by CloudFront, IAM, and AWS STS in the region in which they were created, the US East (N. Virginia) region, us-east-1. This makes CloudTrail's treatment of these services consistent with that of other AWS global services.
To continue receiving global service events outside of US East (N. Virginia), convert single-region trails using global service events outside of US East (N. Virginia) into multi-region trails. Also, update the region of your lookup-events API calls to view global service events.
|AccessKeyId||CHANGE_THIS||The AWS Access Key ID (see note below).|
|SecretAccessKey||CHANGE_THIS||The AWS Secret Access Key (see note below).|
The Access Key ID and Secret Access Key must be encrypted using the lrcrypt command line utility, located in the System Monitor installation directory. See LogRhythm Password Encryption for more information. You must manually paste the encrypted values into the configuration file.
|1000–60000||5000||The AWS API polling interval, in milliseconds.|
|0–5||3||The AWS API retry count.|
|1–50||50||The AWS API result count.|
|30 seconds||If the API needs to be queried when the System Monitor is started, it will wait this long before running.|
|NumberOfBackDaysData||0-7 days||1 day|
Number of days back you want to fetch data.
If you want to use the NumberOfBackMinutesData setting, you must set NumberOfBackDaysData=0.
|NumberOfBackMinutesData||40-1440 minutes||40 minutes|
Number of minutes back you want to fetch data.
When using this setting, you must set NumberOfBackDaysData=0.
NumberOfBackMinutesData must always be greater than BackOffTime.
|BackOffTime||15-1440 minutes||15 minutes|
This setting is used to sync the events collection between the AWS CloudTrail server and the Agent.
BackOffTime must always be less than NumberOfBackMinutesData.
|(Optional) Proxy Settings|
|The IP address or DNS name of a proxy server to use for connecting to AWS.|
|ProxyPort||The port to use on the proxy server.|
|UserName||The username to send if authentication is required on the proxy server.|
|Password||The password for the specified user name.|
|Domain||The domain to use for connecting to the proxy server.|
Edit the cloudtrail.ini file with the appropriate credentials and information to create a secure connection between the System Monitor and AWS CloudTrail.
Before you begin these instructions, ensure that you have the Access Key ID and the Secret Access Key. These keys are needed to configure the cloudtrail.ini file.
- Open Windows Explorer and go to the following directory: C:\Program Files\LogRhythm\LogRhythm System Monitor\config
- Open cloudtrail.ini with a text editor.
Most of the configuration can be used as is. A few of the settings need to be changed so the LogRhythm Agent can access the CloudTrail instance to collect log files.
For Region, replace CHANGE_THIS with the "Region" ID for the specific CloudTrail region — for example, us-east-1. For more information, refer to CloudTrail Regions and Endpoints.
- For AccessKeyId, replace CHANGE_THIS with the Access Key generated when you created the IAM user for this instance of CloudTrail — encrypt with lrcrypt before adding to the INI file.
For SecretAccessKey, replace CHANGE_THIS with the Secret Access Key generated when you created the IAM user for this instance of CloudTrail — encrypt with lrcrypt before adding to the INI file.
The AccessKeyId and SecretAccessKey values must be encrypted using the lrcrypt command line utility.
Save and close the file.
If you need to grant access to multiple users (Agents), you can create multiple cloudtrail.ini files and multiple CloudTrail log sources.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API : AWS CloudTrail. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.