API - AWS S3 Server Access Event
Amazon Simple Storage Service (Amazon S3) provides developers and IT teams with secure, durable, highly-scalable cloud storage. The System Monitor Agent can import Amazon S3 events into LogRhythm for analysis. This section explains how to configure the collection of Amazon S3 events via a LogRhythm System Monitor Agent.
Configure the awsS3.ini File
A LogRhythm System Monitor is required to collect log files. It needs a user account with access to the AWS API. With the credentials of the AWS IAM user created in the previous section, the awsS3.ini file is used to create a secure connection between the LogRhythm System Monitor and Amazon S3.
The awsS3.ini file contains many settings. The table below lists the available settings with the default value, the range of values when applicable, and a brief description.
Endpoint region name of the AWS S3 bucket (for example, us-east-1). For more information, refer to Amazon S3 Regions and Endpoints.
|AccessKeyId||CHANGE_THIS||The AWS Access Key ID (see note below).|
|SecretAccessKey||CHANGE_THIS||The AWS Secret Access Key (see note below).|
The Access Key ID and Secret Access Key must be encrypted using the lrcrypt command line utility, located in the System Monitor installation directory. See LogRhythm Password Encryption for more information. You must manually paste the encrypted values into the configuration file.
|CHANGE_THIS||The name of the bucket where logs are stored.|
Logs cannot be collected from the root folder of the AWS S3 bucket. Data in subfolders will be ignored. You must specify the prefix logs/ in AWS, create a logs folder in the target bucket, and copy all files into that new folder.
|1–1000||1000||The number of objects to be fetched from the bucket in single request.|
|30||If the API needs to be queried when the System Monitor is started, it will wait this long before running.|
|(Optional) Proxy Settings|
|The IP address or DNS name of a proxy server to use for connecting to AWS.|
|ProxyPort||The port to use on the proxy server.|
|UserName||The user name to send if authentication is required on the proxy server.|
|Password||The password for the specified user name.|
|Domain||The domain to use for connecting to the proxy server.|
Edit the awsS3.ini file with the appropriate credentials and information to create a secure connection between the LogRhythm System Monitor and Amazon S3.
Before you begin these instructions, ensure that you have the Access Key ID and the Secret Access Key. These keys are needed to configure the awsS3.ini file.
- Open Windows Explorer and go to the following directory: C:\Program Files\LogRhythm\LogRhythm System Monitor\config
- Open awsS3.ini with a text editor.
Most of the configuration can be used as is. A few of the settings need to be changed so the LogRhythm Agent can access the Amazon S3 instance to collect log files.
- For Region, replace CHANGE_THIS with the "Region" ID for the specific Amazon S3 region — for example, us-east-1. For more information, refer to Amazon S3 Regions and Endpoints.
- For AccessKeyId, replace CHANGE_THIS with the Access Key generated when you created the IAM user for this instance of Amazon S3 — encrypt with lrcrypt before adding to the INI file.
For SecretAccessKey, replace CHANGE_THIS with the Secret Access Key generated when you created the IAM user for this instance of Amazon S3 — encrypt with lrcrypt before adding to the INI file.
The AccessKeyId and SecretAccessKey values must be encrypted using the lrcrypt command line utility.
- For BucketName, replace CHANGE_THIS with the name of the bucket where logs are stored for this instance of Amazon S3.
- For Folder, replace CHANGE_THIS with the full folder path of the location where log files are generated for this instance of Amazon S3.
- This should be the logs/ folder you created in the target bucket. All data in subfolders will be ignored.
- One log source supports one folder; add a new log source for another folder.
- The folder should only contain log files generated by AWS. Avoid modifying or renaming the log files generated by AWS.
- The string should contain '/' at the end.
Save and close the file.
If you need to grant access to multiple users (Agents), you can create multiple awsS3.ini files and multiple Amazon S3 log sources.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API : AWS S3 Server Access Event. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.