Skip to main content

AWS CloudTrail Source

AWS CloudTrail records API calls made to AWS. This includes calls made using the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services. Add an AWS CloudTrail Source to upload these messages to Sumo Logic. The AWS CloudTrail Source automatically parses the logs prior to upload.

info

You need to know where your CloudTrail log files are stored so you can provide the path to the AWS CloudTrail Source. Refer to AWS Documentation for finding your CloudTrail log files.

To configure an AWS CloudTrail Source:

  1. Configure CloudTrail in your AWS account. This will create an S3 bucket for you if you so choose.
  2. Grant Sumo Logic access to an Amazon S3 bucket created or used above.
  3. Confirm that logs are being delivered to the Amazon S3 bucket.
  4. In Sumo Logic select Manage Data > Collection > Collection
  5. Select the hosted Collector for which you want to add the Source, and click Add Source. To create a new hosted collector, see Configure a Hosted Collector.
  6. Click AWS CloudTrail.
  7. Configure the settings as described in AWS Sources.
  8. Optional: Install the Sumo Logic App for AWS CloudTrail.

CloudTrail log objects

CloudTrail log objects are generated by AWS as a single JSON Records array containing a series of event objects. The AWS CloudTrail Source automatically applies boundary and timestamp processing rules to pull the individual event objects from the CloudTrail Records array as separate log messages within Sumo Logic.

The following is an example of an AWS CloudTrail file object:

{"Records":[{"eventVersion":"1.03","userIdentity":{"type":"Root","principalId":"XXXXXXXXXX","arn":
"arn:aws:iam::XXXXXXXXXX:root","accountId":"XXXXXXXXXX","accessKeyId": "XXXXXXXXXXXXXXXX","sessionContext":
{"attributes":{"mfaAuthenticated":"false", "creationDate":"2016-04-01T16:09:43Z"}}}, "eventTime":
"2016-04-01T16:19:26Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketLocation","awsRegion":
"us-west-2","sourceIPAddress":" 192.168.1.1","userAgent":"[S3Console/0.4]","requestParameters":
{"bucketName":"example"},"responseElements":null,"requestID":"DE61373E09329981","eventID":
"d4877d6c-4bf2-4a46-82d5-c8d710905138","eventType":"AwsApiCall","recipientAccountId":"XXXXXXXXXX"},
{"eventVersion": "1.03","userIdentity":"type":"Root","principalId":"XXXXXXXXXX","arn":
"arn:aws:iam::XXXXXXXXXX:root","accountId": "XXXXXXXXXX","accessKeyId":"XXXXXXXXXXXXXXXX","sessionContext":
{"attributes":{"mfaAuthenticated":"false", "creationDate":"2016-04-01T16:09:43Z"}}},"eventTime":
"2016-04-01T16:19:26Z","eventSource":"s3.amazonaws.com", "eventName":"GetBucketLocation","awsRegion":
"us-west-2","sourceIPAddress":" 192.168.1.1","userAgent": "[S3Console/0.4]","requestParameters":
{"bucketName":"example"},"responseElements":null,"requestID": "F1A6B08803D73C5A","eventID":
"2b4d6eea-ecb8-4853-a1d2-f0b6b931d5bf","eventType":"AwsApiCall","recipientAccountId":
"XXXXXXXXXX"}, {"eventVersion":"1.04","userIdentity":"type":"Root","principalId":"XXXXXXXXXX","arn":
"arn:aws:iam::XXXXXXXXXX:root","accountId":"XXXXXXXXXX","accessKeyId":"XXXXXXXXXXXXXXXX","sessionContext":
{"attributes":{"mfaAuthenticated":"false","creationDate":"2016-04-01T16:09:43Z"}}},"eventTime":
"2016-04-01T16:22:11Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","awsRegion":
"us-west-2","sourceIPAddress":"10.1.1.1","userAgent":"console.amazonaws.com","requestParameters":
{"trailNameList":[]},"responseElements":null,"requestID":"e36e19ff-f825-11e5-9015-0336c0231e57", "eventID":
"9b5a6b39-0415-4c88-b7f1-698161bf028b","eventType":"AwsApiCall","recipientAccountId":
"XXXXXXXXXX"},{"eventVersion": "1.04","userIdentity":"type":"Root","principalId":"XXXXXXXXXX",
"arn":"arn:aws:iam::XXXXXXXXXX:root","accountId": "XXXXXXXXXX","accessKeyId":"XXXXXXXXXXXXXXXX",
"sessionContext":{"attributes":{"mfaAuthenticated":"false", "creationDate":"2016-04-01T16:09:43Z"}}},
"eventTime":"2016-04-01T16:22:34Z","eventSource":"cloudtrail.amazonaws.com", "eventName":"DescribeTrails",
"awsRegion":"us-west-2","sourceIPAddress":"10.1.1.1","userAgent":"console.amazonaws.com", "requestParameters":
{"trailNameList":[]},"responseElements":null,"requestID": "f0c79c48-f825-11e5-933d-65f8283355b7", "eventID":
"2f9837ef-f727-45d7-a217-2974d27cb998","eventType": "AwsApiCall","recipientAccountId":"XXXXXXXXXX"}}

CloudTrail events as seen in Sumo Logic:

coudtrail_events

AWS Sources

See AWS Sources for more information.

Sumo Logic YouTubeSumo Logic Twitter
Legal
Privacy Statement
Terms of Use

Copyright © 2022 by Sumo Logic, Inc.