Amazon Web Services (AWS) has become an integral part of many organizations’ IT infrastructure. CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use it to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. In the Common Information Model, CloudTrail log data is typically mapped to the Authentication and Change data models.
CloudTrail data provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls so you can detect unusual activity.
Use the following configuration details when ingesting Amazon CloudTrail data into your Splunk deployment:
- Recommended index: awscloudtrail
- Source type: aws:cloudtrail
- Input type: CloudTrail, specifically the API call history from the AWS CloudTrail service
- Add-on or app: Splunk Add-on for Amazon Web Services
- Sizing estimate: The recommended maximum daily indexing volume for a typical CloudTrail log source type on a clustered indexer is 150 - 200 GB per indexer. Use this as a rough guideline to plan for the number of indexers to deploy in your clustered environment. Adding more indexers to a cluster improves indexing and search retrieval performance. Since this also incurs some additional within-cluster data replication traffic, adjust the number of indexers in your cluster based on your actual system performance.
You can confirm that Splunk has begun ingesting the data from AWS by searching the index and source type listed above, for example `index=awscloudtrail sourcetype=aws:cloudtrail | stats count by eventSource`, and checking that the newest events are recent. The Splunk Add-on for AWS also includes a built-in health overview dashboard that provides initial troubleshooting information.
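The script below is an added example, not code from Splunk or the Splunk Add-on for AWS. It reads CloudTrail records in the JSON shape the add-on indexes as `aws:cloudtrail` (the delivered `{"Records": [...]}` file or one record per line), performs offline the same checks a verification search would (count by `eventSource`, and whether the newest event is recent enough to show ingestion is live), and applies a deliberately simplified CIM-style mapping of the kind described above: `ConsoleLogin` events to the Authentication model and non-read-only API calls to the Change model. That mapping, the 15-minute staleness threshold, and the sample records are assumptions of this example, not the add-on's own field extractions or real data.

```python
"""Offline checks on CloudTrail records (sourcetype aws:cloudtrail shape).

Added example, not code from Splunk or the Splunk Add-on for AWS. The CIM
mapping is a simplified assumption: ConsoleLogin -> Authentication model,
non-read-only API calls -> Change model, read-only calls -> no model.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records in the CloudTrail log-file shape; not real data.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
     "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:05:00Z",
     "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:07:00Z",
     "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:09:00Z",
     "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"}},
]})

# Assumed verb-to-action table for the Change model (not the add-on's lookup).
CHANGE_VERBS = {"Create": "created", "Delete": "deleted", "Put": "modified",
                "Update": "modified", "Attach": "modified", "Detach": "modified",
                "Modify": "modified"}


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(text):
    """Accept a delivered log file ({"Records": [...]}) or one JSON record
    per line, which is how individual indexed events look."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict) and "Records" in doc:
        return list(doc["Records"])
    return [doc]


def to_cim(rec):
    """Simplified CIM-style view of one record (assumption of this example)."""
    ident = rec.get("userIdentity", {})
    base = {"user": ident.get("userName") or ident.get("arn", "unknown"),
            "src": rec.get("sourceIPAddress"),
            "vendor_region": rec.get("awsRegion"),
            "status": "failure" if rec.get("errorCode") or rec.get("errorMessage") else "success"}
    if rec.get("eventName") == "ConsoleLogin":
        outcome = rec.get("responseElements", {}).get("ConsoleLogin", "Failure")
        return {**base, "model": "Authentication", "app": "AWS Management Console",
                "action": "success" if outcome == "Success" else "failure"}
    if rec.get("readOnly"):
        return None  # read-only API calls are not changes
    name = rec.get("eventName", "")
    action = next((v for k, v in CHANGE_VERBS.items() if name.startswith(k)), "modified")
    return {**base, "model": "Change", "action": action, "command": name,
            "object": rec.get("eventSource", "").split(".")[0]}


def ingestion_summary(records, now_iso, max_lag=timedelta(minutes=15)):
    """What a verification search checks: events per eventSource and whether
    the newest event is recent enough (assumed 15-minute lag) to be live."""
    by_source = Counter(r.get("eventSource", "unknown") for r in records)
    latest = max((r["eventTime"] for r in records if "eventTime" in r),
                 key=parse_time, default=None)
    lag = parse_time(now_iso) - parse_time(latest) if latest else None
    return {"events": len(records), "by_source": dict(by_source),
            "latest_event_time": latest, "stale": lag is None or lag > max_lag}


def failed_console_logins(records):
    """Equivalent of a failed-ConsoleLogin search counted by source address."""
    views = (to_cim(r) for r in records)
    return Counter(v["src"] for v in views
                   if v and v["model"] == "Authentication" and v["action"] == "failure")


if __name__ == "__main__":
    recs = load_records(SAMPLE_RECORDS)
    print(ingestion_summary(recs, "2024-05-01T10:12:00Z"))
    for r in recs:
        print(to_cim(r))
    print(failed_console_logins(recs))
```

Run it against a file pulled from the CloudTrail S3 bucket (or events exported from the `awscloudtrail` index) to compare what the add-on has indexed with what AWS delivered; a stale `latest_event_time` points at the input, credentials, or SQS/S3 notification path rather than at search-time configuration.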