AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.

Adding CloudTrail Tags and Alerts

Tags and alerts that help you track important CloudTrail events can easily be added to your CloudTrail log.
Tags for the following important events can be imported with our tag import script:

  • Starting, stopping, terminating, rebooting instances
  • Creating or deleting security groups
  • Creating and deleting users
  • Updating user profiles
  • Adding and removing groups
  • Updating role and password policies
  • Signing certificate upload or deletion

To add these to your CloudTrail log, use our tag import script with the input file cloudtrail-tags.txt, which contains tags for the events listed above. To import the tags, run the following commands:

pip install modules
python ACCOUNT_KEY import cloudtrail-tags.txt

They will be imported into your Logentries account and will be available from your Tags and Alerts page; from there, simply add them to your CloudTrail log.
If you would like to be notified when these events occur, you can also configure alerting for any of these tags.

Adding CloudTrail information to your Dashboards

To add CloudTrail information to your system Dashboard, perform the following steps. First, set up CloudTrail integration as described below, then navigate to the AWS/CloudTrail and CloudWatch (Opstream) log and add the following saved searches to the CloudTrail log:
CloudWatch
CPU Average: CPUUtilization AND average>0
CPU AVG Visualized: CPUUtilization AND average>0 | AVERAGE
Total NetworkIn: NetworkIn AND average>0 | SUM
NetworkIn Average: NetworkIn AND average>0 | AVERAGE
NetworkOut Average: NetworkOut AND average>0 | AVERAGE

CloudTrail
What User Type Rebooted: eventName=RebootInstances | GroupBy(type) | Count
Who Rebooted: eventName=RebootInstances | GroupBy(userName) | Count
Events by Root: type=Root | GroupBy(eventName) | Count
Events by IAM User: type=IAMUser | GroupBy(eventName) | Count
Events by IAM User No Description: type=IAMUser NOT /Describe | GroupBy(eventName) | Count
Total Events by IAM User: type=IAMUser | GroupBy(userName) | Count
Source IP Addresses: type=IAMUser | GroupBy(sourceIPAddress) | Count
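
The following is an added example (not the Logentries tag import script or its search engine) showing, over constructed CloudTrail records, how the tag events listed earlier map onto CloudTrail eventName values and how the CloudTrail saved searches above (type filter, NOT /Describe exclusion, GroupBy, Count) reduce to a group-and-count over those records. The eventName patterns behind each tag are my assumed mapping of the page's event list to the EC2 and IAM API names.

```python
"""Tagging and saved-search logic run over constructed CloudTrail records.
Added example, not the Logentries import script or its saved-search engine."""
from collections import Counter
import re

# Constructed sample records in CloudTrail's JSON record shape (not real data).
RECORDS = [
    {"eventName": "RebootInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5"},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5"},
    {"eventName": "DeleteSecurityGroup", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.9"},
    {"eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7"},
    {"eventName": "UpdateAccountPasswordPolicy", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7"},
    {"eventName": "UploadSigningCertificate", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5"},
]

# Tag rules: a regex over eventName and the tag label to apply. The labels follow
# the page's list; the API names are my assumed mapping to CloudTrail eventNames.
TAG_RULES = [
    (r"^(Run|Start|Stop|Terminate|Reboot)Instances$", "Instance state change"),
    (r"^(Create|Delete)SecurityGroup$", "Security group created/deleted"),
    (r"^(Create|Delete)User$", "User created/deleted"),
    (r"^(Create|Update|Delete)LoginProfile$", "User profile updated"),
    (r"^(Create|Delete)Group$", "Group added/removed"),
    (r"^Update(AssumeRolePolicy|AccountPasswordPolicy)$", "Role/password policy updated"),
    (r"^(Upload|Delete)SigningCertificate$", "Signing certificate uploaded/deleted"),
]

def tag_record(record):
    """Return the tag for a record's eventName, or None when no rule matches."""
    for pattern, tag in TAG_RULES:
        if re.search(pattern, record["eventName"]):
            return tag
    return None

def saved_search(records, identity_type, group_by, exclude=None):
    """Mirror 'type=<identity_type> [NOT /<exclude>] | GroupBy(<group_by>) | Count'.
    group_by may be a userIdentity field (userName) or a top-level record field."""
    counts = Counter()
    for r in records:
        ident = r["userIdentity"]
        if ident["type"] != identity_type:
            continue
        if exclude and exclude in r["eventName"]:
            continue
        counts[ident.get(group_by, r.get(group_by))] += 1
    return dict(counts)

if __name__ == "__main__":
    for r in RECORDS:
        print(r["eventName"], "->", tag_record(r))
    print(saved_search(RECORDS, "IAMUser", "eventName", exclude="Describe"))
```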

Once you have added these searches, go to Insights/Dashboards at the top of your Logentries UI page and click the Add Widget button at the top of the page. The following three screenshots walk you through creating a widget inside the dashboard.

After adding the saved searches to your Dashboard, you will have a dashboard similar to the screenshot below.

Steps to getting CloudTrail working with Logentries

1.  Enable CloudTrail
Log in to your AWS account and enable CloudTrail if you haven't already. When enabling CloudTrail, be sure to create an SNS topic.

2.  Create an SQS Queue
Click on SQS in your AWS Console and create a new queue.

3.  Add Permissions to the SQS Queue
When adding permissions to the SQS queue, you need to add your full account number/name. In the IAM area, select the user that you want to use and click Summary. When the user is created within the IAM section, make sure that the user has at least read-only access, so that it can read the bucket. The string you need is available under User ARN and is formatted as shown below:
Receive, Send, and Delete permissions must be applied (see below):

4.  Subscribe the queue to the SNS Topic created in step 1 above.
The queue must now be subscribed to the SNS topic created when you enabled CloudTrail. You can do this by selecting the queue created in Step 2, opening the Queue Actions drop-down menu, and selecting Subscribe Queue to SNS Topic. See below:

5.  Repeat this process for multiple CloudTrail setups for different regions.
When enabling CloudTrail in multiple regions, the process is similar. Publish CloudTrail to the same bucket created in step 1 above, then subscribe the SQS queue to the new SNS topic. Be sure to turn off "Global Services" in subsequent CloudTrail enablements.

6.  Obtain the Queue URL
Obtain the queue URL for the Logentries configuration and keep it somewhere safe. The queue URL is available by clicking on the SQS queue name and copying the URL from the Details panel at the bottom.
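
As an added example (not the page's own screenshots or Logentries code), the queue access policy that steps 3 and 4 set up through the console, built as a JSON document in Python with placeholder ARNs: SNS may deliver only on behalf of the CloudTrail topic (scoped by aws:SourceArn), and the IAM user gets the Receive, Send and Delete permissions named in step 3. It also includes a check that flags the over-permissive variant where any principal may send to the queue.

```python
"""Least-privilege SQS queue policy for the CloudTrail SNS -> SQS hookup, plus a
check for the over-permissive variant. Added example; all ARNs are placeholders."""
import json

# Constructed placeholders: substitute your own account, region, queue and topic.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:cloudtrail-queue"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:cloudtrail-topic"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/logentries-reader"

def queue_policy(queue_arn, topic_arn, user_arn):
    """SNS may SendMessage only on behalf of the named topic (aws:SourceArn);
    the reader user gets the Receive, Send and Delete permissions the page names."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowCloudTrailTopicToSend", "Effect": "Allow",
             "Principal": {"Service": "sns.amazonaws.com"},
             "Action": "sqs:SendMessage", "Resource": queue_arn,
             "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}}},
            {"Sid": "AllowLogentriesUser", "Effect": "Allow",
             "Principal": {"AWS": user_arn},
             "Action": ["sqs:ReceiveMessage", "sqs:SendMessage", "sqs:DeleteMessage"],
             "Resource": queue_arn},
        ],
    }

# The weak setting: anyone may send to the queue, with no source condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OpenSend", "Effect": "Allow", "Principal": "*",
                   "Action": "SQS:SendMessage", "Resource": QUEUE_ARN}],
}
def unscoped_senders(policy):
    """Return the Sids of Allow statements that let a wildcard principal send to
    the queue without an aws:SourceArn condition."""
    send_actions = {"sqs:sendmessage", "sqs:*"}
    flagged = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") != "Allow" or not {a.lower() for a in actions} & send_actions:
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        scoped = "aws:SourceArn" in json.dumps(st.get("Condition", {}))
        if wildcard and not scoped:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged
if __name__ == "__main__":
    print(json.dumps(queue_policy(QUEUE_ARN, TOPIC_ARN, USER_ARN), indent=2))
    print("unscoped senders in weak policy:", unscoped_senders(WEAK_POLICY))
```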

Configuring the Logentries platform to follow your CloudTrail

To follow your CloudTrail information, log in to your Logentries account and go into your Account Settings. From here, click on AWS and you will be presented with the following screen:

Access Key: The access key of the IAM user that you created for AWS integration with Logentries.
Secret Key: The secret key of the IAM user that you created for AWS integration.
Enable CloudWatch: Click here to enable CloudWatch. Detailed information is available on our CloudWatch documentation page.
Enable CloudTrail: Click here to enable CloudTrail.
CloudTrail SQS URL: The queue URL that was copied in step 6 above.

Please note that CloudTrail information will be brought into your Logentries account every 5 minutes. This integration will create a new host container called AWS and a new log called CloudTrail.
