Configuring CloudTrail

Generating Parameters for CloudTrail

To configure CloudTrail in Director Console, you must first obtain an access key ID and a secret access key from AWS.

Note

While we provide AWS-specific instructions in this guide, it’s important to be aware that the AWS interface may change over time. To ensure you have the most up-to-date information and to navigate any potential changes in the AWS interface, we recommend referring to the official AWS documentation or AWS Support resources.

  1. Go to the AWS login page and enter your credentials.

  2. Click your username and click My Security Credentials in the drop-down.

Figure: AWS Account’s Dropdown Menu

  3. Click Continue to Security Credentials.

Figure: Security Credentials Confirmation

  4. Expand Access Keys (Access Key ID and Secret Access Key) and click Create New Access Key.

  5. Select Show Access Key to find the access key ID and secret access key, or select Download Key File to download a CSV file containing them.

Write down the access key ID and secret access key or download the file containing them, as they can’t be retrieved later. If you close the window without saving them, create new ones.

Figure: Access and Secret Keys

Configuring CloudTrail from Director Console API

You can configure CloudTrail in a Fabric-enabled Logpoint using the LogSources - Create API.

Endpoint URL:

https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/LogSources

Method:

POST

Parameters:

| Field | Label in UI | Type | Description |
|---|---|---|---|
| dc_metadata | - | json | Information related to the CloudTrail template created in the Director Console. Optional Field. |
| description | Description | String | Additional information about CloudTrail. Optional Field. |
| documentation_link | Documentation Link | String | URL or hyperlink that points to external documentation or reference materials associated with CloudTrail. Optional Field. |
| logo | Logo | String | Base64-encoded logo image. Optional Field. |
| name | Name | String | Name of the CloudTrail log source. Mandatory Field. |
| type | - | String | Type or category of CloudTrail. Mandatory Field. |
| vendor_name | Vendor Name | String | Name of the vendor where the log data originates. Optional Field. |
| config | - | json | Configuration of CloudTrail. Source, connector, routing, normalization and enrichment must be configured for CloudTrail to fetch logs. Mandatory Field. |

Source

In Source, you add details about the AWS CloudTrail from which CloudTrail fetches logs.

Parameters:

| Field | Label in UI | Type | Description |
|---|---|---|---|
| name | Name | String | Name for the CloudTrail log source. Mandatory Field. |
| interval | Fetch Interval (min) | Integer | The frequency at which logs are retrieved. Mandatory Field. |
| charset | Charset | String | Existing Logpoint charset. Obtain it using the Charsets - List API. Mandatory Field. |
| timezone | Time Zone | String | Timezone of the AWS CloudTrail. Mandatory Field. |

Connector

In Connector, you configure how CloudTrail and AWS CloudTrail communicate with each other.

Parameters:

| Field | Label in UI | Type | Description |
|---|---|---|---|
| endpoint_url | Endpoint URL | String | Endpoint URL for AWS. If you use Amazon S3’s services, the URL is https://s3.amazonaws.com by default. If you are using a third-party service that stores logs in the Amazon S3 bucket, enter the URL of the service that you are using. |
| access_key | Access Key ID | String | AWS CloudTrail Access Key ID. Mandatory Field. |
| secret_key | Secret Key ID | String | AWS CloudTrail Secret Key ID. Mandatory Field. |
| bucket_name | Bucket Name | String | Name of the bucket from which logs are fetched. Mandatory Field. |
| region_name | Region | String | Name of the AWS Region. Mandatory Field. |
| filter_date | Logs From | String | The date from which CloudTrail starts fetching logs. Mandatory Field. |
| enable_proxy | Proxy Configuration | json | Proxy configuration of the CloudTrail server: status (parameter to enable or disable the proxy server), IP (IP of the proxy server), port (port of the proxy server), protocol (“HTTP” or “HTTPS” protocol used by the proxy server). Optional Field. |

Routing

In routing, you can create repos and routing criteria for CloudTrail. Repos are locations where incoming logs are stored and routing criteria are created to determine the conditions under which these logs are sent to repos.

Parameters:

| Field | Label in UI | Type | Description |
|---|---|---|---|
| repo_name | Repo name | String | Name of the repo where incoming logs are stored. Mandatory Field. |
| path | Path | String | Location to store incoming logs. Mandatory Field. |
| retention | Retention (Days) | String | Number of days logs are kept in a repository before they are automatically deleted. Mandatory Field. |
| remote_logpoint | Remote logpoint | String | Remote Logpoint where you can replicate the repo as a backup or for high availability. Optional Field. |
| key and value | Key and Value | String | The key-value pair used to apply routing criteria to logs. Optional Field. |
| operation | Operation | String | Operation for logs that have the key-value pair. Optional Field. |
| repository | Repository | String | Repo to store logs. Optional Field. |

Normalization

In normalization, you can select normalizers for the incoming logs. Normalizers transform incoming logs into a standardized format for consistent and efficient analysis.

Parameters:

| Field | Label in UI | Type | Description |
|---|---|---|---|
| normalizers | Normalizer | String | Enter the name of the normalizer for the incoming logs. Mandatory Field. |
| type | Type | String | Type of the normalizer. Mandatory Field. |

Enrichment

In enrichment, you can select an enrichment policy for the incoming logs. Enrichment policies are used to add additional information to a log, such as user information, device type or geolocation, before analyzing it.

Parameters:

| Field | Label in UI | Type | Description |
|---|---|---|---|
| EnrichmentPolicy | Enrichment Policy | String | Enter the name of the enrichment policy for the incoming logs. Optional Field. |

Request Example:

{
  "data": {
    "name": "CloudTrail",
    "type": "S3Fetcher",
    "vendor_name": "AWS",
    "logo": "",
    "description": "Fetches logs from AWS CloudTrail stored in Amazon S3 buckets or third-party services utilizing Amazon S3 storage.",
    "config": {
      "Source": {
        "name": "CloudTrail",
        "interval": 60,
        "charset": "utf_8",
        "timezone": "UTC"
      },
      "Connector": {
        "endpoint_url": "https://s3.amazonaws.com",
        "access_key": "ABICTDEEXFYGKHQITJ5K",
        "secret_key": "ahbaccdTeA9g5giYcr12+1mwD2VgWgwgbgwGDGhg",
        "bucket_name": "bucket",
        "region_name": "af-south-1",
        "filter_date": "2024-08-06T08:44:13.220Z",
        "parser": "CloudTrailLogParser",
        "enable_proxy": false,
        "protocol": "http"
      },
      "RoutingPolicy": { "routing_criterion": [], "catch_all": "_logpoint" },
      "NormalizationPolicy": {
        "normalizers": [
          { "name": "CloudTrailCompiledNormalizer", "type": "compiled" }
        ]
      }
    },
    "documentation_link": "https://docs.logpoint.com/docs/cloud-trail/en/latest/",
    "template_vid": "LOGSOURCE_99",
    "dc_metadata": {
      "template": "f62308c7-d9e6-4f44-bdc5-ed4371b6fe56",
      "templateVersion": "1"
    }
  }
}

Success Response:

{
  "status": "Success",
  "message": "monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
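As an added example (not Logpoint's own code), the Python helper below assembles the POST body for the LogSources - Create API from the Source and Connector parameters above, refuses to build one with mandatory fields missing or a malformed filter_date, builds the enable_proxy object, and produces a redacted copy that is safe to keep in change records; the URL helper also serves the edit and delete endpoints in the following sections. The host, pool UUID and Logpoint identifier are placeholders, and the AWS credentials in the test are constructed values.

```python
import copy
from datetime import datetime

# Placeholder host: the real Director Console host, pool UUID and Logpoint
# identifier come from your deployment, not from this page.
API_HOST = "api-server-host-name"
# Keys the Source and Connector tables above mark as Mandatory Field.
MANDATORY_SOURCE = ("name", "interval", "charset", "timezone")
MANDATORY_CONNECTOR = ("endpoint_url", "access_key", "secret_key",
                       "bucket_name", "region_name", "filter_date")


def log_sources_url(pool_uuid, logpoint_id, source_id=None):
    """LogSources endpoint for create (POST) or, with an id, edit/delete (PUT/DELETE)."""
    base = f"https://{API_HOST}/configapi/{pool_uuid}/{logpoint_id}/LogSources"
    return f"{base}/{source_id}" if source_id else base


def proxy_config(ip, port, protocol, enabled=True):
    """enable_proxy object with the status/IP/port/protocol keys from the Connector table."""
    protocol = protocol.upper()
    if protocol not in ("HTTP", "HTTPS"):
        raise ValueError("proxy protocol must be HTTP or HTTPS")
    return {"status": enabled, "IP": ip, "port": int(port), "protocol": protocol}


def build_cloudtrail_body(source, connector, proxy=None, catch_all="_logpoint",
                          normalizer="CloudTrailCompiledNormalizer"):
    """Assemble the POST body, refusing to build one with mandatory fields missing."""
    missing = [k for k in MANDATORY_SOURCE if k not in source]
    missing += [k for k in MANDATORY_CONNECTOR if k not in connector]
    if missing:
        raise ValueError("missing mandatory fields: " + ", ".join(missing))
    # filter_date must be an ISO 8601 UTC timestamp, as in the request example.
    datetime.strptime(connector["filter_date"], "%Y-%m-%dT%H:%M:%S.%fZ")
    connector = dict(connector, parser="CloudTrailLogParser",
                     enable_proxy=proxy if proxy else False)
    return {"data": {
        "name": source["name"], "type": "S3Fetcher", "vendor_name": "AWS",
        "config": {
            "Source": dict(source),
            "Connector": connector,
            "RoutingPolicy": {"routing_criterion": [], "catch_all": catch_all},
            "NormalizationPolicy": {"normalizers": [{"name": normalizer, "type": "compiled"}]},
        }}}


def redacted(body):
    """Deep copy safe to log or keep in change records: the AWS secret key is masked."""
    safe = copy.deepcopy(body)
    safe["data"]["config"]["Connector"]["secret_key"] = "***"
    return safe
```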

Editing a CloudTrail Configuration

You can edit a CloudTrail configuration in a Fabric-enabled Logpoint using the PluginConfiguration - Edit API.

Endpoint URL:

https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/LogSources/{id}

Method:

PUT

Parameters:

| Field | Label in UI | Type | Description |
|---|---|---|---|
| id | - | String | CloudTrail UUID. Obtain it using the Devices - List API. Mandatory Field. |

Request Example:

{
  "data": {
    "name": "UpdatedCloudTrail",
    "type": "S3Fetcher",
    "vendor_name": "AWS",
    "logo": "",
    "description": "Fetches logs from AWS CloudTrail stored in Amazon S3 buckets or third-party services utilizing Amazon S3 storage.",
    "config": {
      "Source": {
        "name": "UpdatedCloudTrail",
        "interval": 60,
        "charset": "utf_8",
        "timezone": "UTC"
      },
      "Connector": {
        "endpoint_url": "https://s3.amazonaws.com",
        "access_key": "ABICTDEEXFYGKHQITJ5K",
        "secret_key": "ahbaccdTeA9g5giYcr12+1mwD2VgWgwgbgwGDGhg",
        "bucket_name": "bucketname",
        "region_name": "ap-south-2",
        "filter_date": "2024-08-06T08:44:13.220Z",
        "parser": "CloudTrailLogParser",
        "enable_proxy": false,
        "protocol": "http"
      },
      "RoutingPolicy": { "routing_criterion": [], "catch_all": "_logpoint" },
      "NormalizationPolicy": {
        "normalizers": [
          { "name": "CloudTrailCompiledNormalizer", "type": "compiled" }
        ]
      }
    },
    "documentation_link": "https://docs.logpoint.com/docs/cloud-trail/en/latest/",
    "id": "LogSources/1247a17f-4d16-4c3f-9002-448752ca8029"
  }
}

Success Response:

{
  "status": "Success",
  "message": "monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}

Deleting a CloudTrail Configuration

You can delete a CloudTrail configuration in a Fabric-enabled Logpoint using the PluginConfiguration - Trash API.

Endpoint URL:

https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/LogSources/{id}

Method:

DELETE

Parameters:

| Field | Label in UI | Type | Description | Required |
|---|---|---|---|---|
| id | - | String | CloudTrail UUID. Obtain it using the Devices - List API. | Mandatory |

Success Response:

{
  "status": "Success",
  "message": "monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
