Using a LogRhythm System Monitor, you can collect events and alarms from AWS CloudWatch. It needs a user account with access to the AWS API. With the credentials of the AWS IAM user created in the previous section, the cloudwatch.ini file is used to create a secure connection between the LogRhythm System Monitor and AWS CloudWatch.
Configure the cloudwatch.ini File
The cloudwatch.ini file contains many settings. The table below lists the cloudwatch.ini settings with the default values, the range of values when applicable, and a brief description of each value.
|Region||CHANGE_THIS||The Region ID for the specific CloudWatch region – for example, us-east-1. For more information, see CloudWatch Regions and Endpoints.|
|AccessKeyId||CHANGE_THIS||The AWS Access Key ID (see the note below).|
|SecretAccessKey||CHANGE_THIS||The AWS Secret Access Key (see the note below).|
The Access Key ID and Secret Access Key must be encrypted using the lrcrypt command line utility located in the LogRhythm System Monitor installation directory. See LogRhythm Password Encryption for more information.
You must manually paste the encrypted values into the configuration file.
|APIPollingIntervalInMs||1000-60000||5000||The AWS API polling interval, in milliseconds.|
|APIRetryCount||0-5||3||The AWI API retry count.|
|MaxResultCount||1-50||50||The AWS API result count.|
Specifies how many logs can be fetched from AWS CloudWatch API in a single request.
This setting applies to AWS CloudWatch logs. It does not apply to AWS CloudWatch alarms.
|StartupDelayInSeconds||30||If the API needs to be queried when the System Monitor is started, it will wait this amount of time before running.|
|CollectCloudWatchAlarms||true||This line does not appear in the .ini file but these logs are collected automatically without add it. If you do not want to collect this data, add CollectCloudWatchAlarms=false to the .ini file.|
|CollectCloudWatchLogs||true||This line does not appear in the .ini file but these logs are collected automatically without add it. If you do not want to collect this data, add CollectCloudWatchLogs=false to the .ini file.|
|CloudWatchLogGroupPrefix||*||Specify which Log Groups you want to collect logs from. The default is all Log Groups.|
|Proxy Settings (Optional)|
|ProxyServer||The IP address or DNS name of a proxy server to use for connecting to AWS.|
|ProxyPort||The port to use on the proxy server.|
|UserName||The user name to send if authentication is required on the proxy server.|
|Password||The password for the specified user name.|
|Domain||The domain to use for connecting to the proxy server.|
Edit the cloudwatch.ini file with the appropriate credentials and information to create a secure connection between the LogRhythm System Monitor and AWS CloudWatch.
Before you begin these instructions, have the Access Key and the Secret Access Key. These keys are needed to configure the cloudwatch.ini file.
- Open Windows Explorer and go to the following directory: C:\Program Files\LogRhythm\LogRhythm System Monitor\config
- Open cloudwatch.ini with a text editor.
Most of the configuration can be used as is. A few of the settings need to be changed so the LogRhythm Agent can access the CloudWatch instance to collect log files.
- For Region, replace CHANGE_THIS with the "Region" ID for the specific CloudWatch region — for example, us-east-1. For more information, see CloudWatch Regions and Endpoints.
- For AccessKeyId, replace CHANGE_THIS with the Access Key generated when you created the IAM user for this instance of CloudWatch — encrypt with lrcrypt before adding to the INI file.
For SecretAccessKey, replace CHANGE_THIS with the Secret Access Key generated when you created the IAM user for this instance of CloudWatch — encrypt with lrcrypt before adding to the INI file.
The AccessKeyId and SecretAccessKey values must be encrypted using the lrcrypt command line utility.
Save and close the file.
If you need to grant access to multiple users (Agents), you can create multiple cloudwatch.ini files and multiple CloudWatch log sources.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API : AWS CloudWatch Alarm. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.