AWS CloudTrail Events API Collection

AWS CloudTrail provides a management system that enables users to manage and deploy networks at geographically distributed locations. The System Monitor Agent can import CloudTrail events into LogRhythm for analysis. This document explains how to configure the collection of CloudTrail events using the Web Console's cloud-to-cloud functionality. This feature is available only to LRCloud customers.

Prerequisites

Before configuring collection of AWS CloudTrail events, do the following:

  • Make sure that the customer is an LRCloud customer with a hosted environment.
  • Ensure that you have a valid AWS Access Key and Secret Access Key.

Initialize the Logs Source

  1. Log in to the Web Console as a Restricted Administrator User.
  2. On the top navigation bar, click the Administration icon
    and select Cloud Log Collection.
  3. At the top of the Cloud Log Collection page, click New Log Source.
    The New cloud log collection dialog box appears.
  4. Select the AWS CloudTrail Events SYSMON AGENT tile.
    The Add AWS CloudTrail Events Log Source window appears.
  5. Enter the following details:

    Setting                    Description
    Name                       Enter the name for this log source.
    Description (Optional)     Enter a description for this log source.
    Region                     Enter the endpoint region code for the specific AWS CloudTrail S3 bucket (for example, us-east-1). For more information, see CloudTrail Regions and Endpoints.
    Access Key ID              Enter the AWS Access Key ID (for example, AKIAIOSFODNN7EXAMPLE).
    Secret Access Key          Enter the AWS Secret Access Key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

  6. Click Save.

Once saved, the log source is auto-configured and will be available on the Log Sources tab in the Client Console. Collection should start automatically in a few minutes.

The Platform Manager hosts all the log sources. It is recommended to create a new host entity and move the log source to the new host.

For security, the values entered are encrypted using LRCrypt.

Default Configuration Values for AWS CloudTrail Events Log Source

Setting                    Default Value
APIPollingIntervalInMs     5000
APIRetryCount              3
MaxResultCount             50
StartupDelayInSeconds      30 seconds
NumberOfBackDaysData       1 day
NumberOfBackMinutesData    40 minutes
BackOffTime                15 minutes
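The defaults above describe a polling collector: a lookback window on startup, a page size for the CloudTrail LookupEvents API (which caps MaxResults at 50, matching MaxResultCount), a retry count, and a back-off between retries. The following is an added example, not the System Monitor Agent's code, showing how those settings fit together in a minimal poller. It assumes the meaning of each setting from its name (in particular that BackOffTime is the wait between retries and that NumberOfBackDaysData plus NumberOfBackMinutesData form the startup lookback window), and it replaces the AWS client with a constructed in-memory stub (FakeCloudTrail, with constructed SAMPLE_EVENTS) so it runs offline; against AWS the same keyword arguments go to boto3.client("cloudtrail").lookup_events.

```python
# Added example, not LogRhythm's System Monitor Agent code. Shows how the default
# settings in the table above interact in a CloudTrail LookupEvents poller.
# Assumptions: setting semantics are inferred from their names; the AWS client is
# a constructed stub so the example runs offline.
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class PollerConfig:
    """Defaults from the table above, units normalised to what the code needs."""
    api_polling_interval_ms: int = 5000   # APIPollingIntervalInMs: cadence of the poll loop
    api_retry_count: int = 3              # APIRetryCount
    max_result_count: int = 50            # MaxResultCount; LookupEvents caps MaxResults at 50
    startup_delay_s: int = 30             # StartupDelayInSeconds: wait before the first poll
    back_days: int = 1                    # NumberOfBackDaysData
    back_minutes: int = 40                # NumberOfBackMinutesData
    backoff_time_s: int = 15 * 60         # BackOffTime (assumed: wait between retries)


class FakeCloudTrail:
    """Constructed stand-in for the CloudTrail client: pages like LookupEvents
    (Events + NextToken) and fails its first `fail_first` calls to exercise retries."""

    def __init__(self, events, fail_first=0):
        self.events = sorted(events, key=lambda e: e["EventTime"])
        self.fail_first = fail_first
        self.calls = 0

    def lookup_events(self, StartTime, EndTime, MaxResults, NextToken=None):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ConnectionError("ThrottlingException (constructed)")
        window = [e for e in self.events if StartTime <= e["EventTime"] <= EndTime]
        offset = int(NextToken) if NextToken else 0
        resp = {"Events": window[offset:offset + MaxResults]}
        if offset + MaxResults < len(window):
            resp["NextToken"] = str(offset + MaxResults)
        return resp


def initial_window(now, cfg):
    """First poll after startup looks back back_days + back_minutes (assumed meaning)."""
    return now - timedelta(days=cfg.back_days, minutes=cfg.back_minutes), now


def call_with_retry(fn, cfg, sleep=time.sleep):
    """Retry up to api_retry_count times, sleeping backoff_time_s between attempts."""
    failures = 0
    while True:
        try:
            return fn()
        except ConnectionError:
            failures += 1
            if failures > cfg.api_retry_count:
                raise
            sleep(cfg.backoff_time_s)


def collect(client, start, end, cfg, sleep=time.sleep):
    """Page through every event in [start, end], never asking for more than max_result_count."""
    events, token = [], None
    while True:
        kwargs = {"StartTime": start, "EndTime": end, "MaxResults": cfg.max_result_count}
        if token:
            kwargs["NextToken"] = token
        resp = call_with_retry(lambda: client.lookup_events(**kwargs), cfg, sleep)
        events.extend(resp["Events"])
        token = resp.get("NextToken")
        if not token:
            return events


def next_window(events, previous_end, now):
    """Checkpoint: the next poll resumes from the newest event seen, or the previous end."""
    start = max((e["EventTime"] for e in events), default=previous_end)
    return start, now


# Constructed sample data: 120 recent events (three LookupEvents pages) and 10 stale ones
# that fall outside the startup lookback window.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"EventId": f"recent-{i}", "EventName": "ConsoleLogin", "EventTime": NOW - timedelta(minutes=i)}
    for i in range(120)
] + [
    {"EventId": f"stale-{i}", "EventName": "ConsoleLogin", "EventTime": NOW - timedelta(days=3)}
    for i in range(10)
]


def demo(fail_first=2):
    """Run one startup poll against the stub; returns counters a test can check."""
    cfg = PollerConfig()
    client = FakeCloudTrail(SAMPLE_EVENTS, fail_first=fail_first)
    sleeps = []  # records back-off waits instead of sleeping
    start, end = initial_window(NOW, cfg)
    events = collect(client, start, end, cfg, sleep=sleeps.append)
    next_start, _ = next_window(events, end, NOW)
    return {"events": len(events), "api_calls": client.calls,
            "sleeps": sleeps, "next_start": next_start}


if __name__ == "__main__":
    print(demo())
```

With the defaults, a startup poll over 120 recent events costs three API calls (50, 50, 20), and two throttled calls before the first page are absorbed by two 15-minute back-offs; a fourth consecutive failure exceeds APIRetryCount and surfaces as an error, which is the condition a collector should alert on rather than loop silently.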