Amazon Simple Storage Service (Amazon S3) provides developers and IT teams with secure, durable, and highly scalable cloud storage. The System Monitor Agent can import Amazon S3 events into LogRhythm for analysis. This document explains how to configure the collection of Amazon S3 events using the Web Console's cloud-to-cloud functionality. This feature is available only to LRCloud customers.
Before configuring collection from AWS, do the following:
- Make sure that the customer is an LRCloud customer and has their environment hosted.
- Ensure that you have a valid AWS Access Key and Secret Access Key.
Initialize the Log Source
- Log in to the Web Console as a Restricted Administrator User.
- On the top navigation bar, click the Administration icon and select Cloud Log Collection.
- At the top of the Cloud Log Collection page, click New Log Source.
The New cloud log collection dialog box appears.
- Select the AWS S3 Server Access SYSMON AGENT tile.
The Add AWS S3 Server Access Event Log Source window appears.
Enter the following details:
Name
Enter the name for this log source.
Description
(Optional) Enter a description for this log source.
Region
Enter the endpoint region code for the specific AWS CloudTrail S3 bucket (for example, us-east-1). For more information, see CloudTrail Regions and Endpoints.
Access Key ID
Enter the AWS Access Key ID (for example, AKIAIOSFODNN7EXAMPLE).
Secret Access Key
Enter the AWS Secret Access Key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
Bucket Name
Enter the name of the bucket where logs are stored.
Folder
Logs cannot be collected from the root folder of the AWS S3 bucket. Before collection, there should be a "logs" folder in the target bucket. All the files must be copied into that new folder (for example, 'logs/').
- Click Save.
A new active log source is created and accepted in the Client Console with the provided information. Collection should start automatically in a few minutes.
The Platform Manager hosts all the log sources. It is recommended to create a new host entity and move the log source to the new host.
For security, the values entered are encrypted using LRCrypt.
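The Access Key ID and Secret Access Key entered above are long-lived credentials, so it is worth scoping them to the single bucket and folder being collected. The following is an added example, not LogRhythm code or a documented LogRhythm requirement: it builds an IAM policy for the collection key, rejecting the bucket root as the Folder field does. It assumes the collector only needs to list and read objects; the function names and the sample bucket name are constructed for illustration.

```python
import json
import re

# S3 bucket naming: 3-63 characters of lowercase letters, digits, dots, hyphens.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def normalize_folder(folder):
    """Return the Folder value as a key prefix ending in '/'; reject the bucket root."""
    prefix = folder.strip().lstrip("/")
    if not prefix:
        raise ValueError("logs cannot be collected from the bucket root; use e.g. 'logs/'")
    return prefix if prefix.endswith("/") else prefix + "/"


def build_collector_policy(bucket, folder):
    """Build an IAM policy restricting the collection key to one bucket and folder."""
    if not _BUCKET_RE.match(bucket):
        raise ValueError("invalid bucket name: %r" % bucket)
    prefix = normalize_folder(folder)
    bucket_arn = "arn:aws:s3:::" + bucket
    # Assumption (not stated on the page): the collector only lists and reads objects.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing is allowed only beneath the log folder.
                "Sid": "ListLogFolderOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": [prefix, prefix + "*"]}},
            },
            {   # Reads are allowed only for objects beneath the log folder.
                "Sid": "ReadLogObjectsOnly",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": bucket_arn + "/" + prefix + "*",
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample values; substitute the Bucket Name and Folder you enter in the form.
    print(json.dumps(build_collector_policy("example-access-logs", "logs/"), indent=2))
```

Attach the resulting policy to a dedicated IAM user whose key is used only for this log source, so the key can be rotated or revoked without affecting anything else.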
Default Config Values for AWS S3 Server Access Events Log Source