Amazon Web Services (AWS) has become an integral part of many organizations’ IT infrastructure. CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use it to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. In the Common Information Model, CloudTrail log data is typically mapped to the Authentication and Change data models.
CloudTrail data provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls so you can detect unusual activity.
How can I use this data?
When your Splunk deployment is ingesting Amazon CloudTrail data, you can use the data to achieve the following objectives:
The following sections provide information on configuring Splunk software to ingest this data source. To configure the AWS side (enabling CloudTrail and delivering its logs), we recommend that you use the official AWS resources.
Getting AWS CloudTrail data in
Splunk Docs contains extensive guidance on getting data into your Splunk deployment. If your deployment is not already ingesting AWS CloudTrail logs, the following topics can assist you in preparing to work with this data type:
- Splunk Enterprise
- Splunk Cloud
The recommended index is awscloudtrail.
The source type is aws:cloudtrail.
The supported input type is CloudTrail, specifically the API call history from the AWS CloudTrail service.
In addition, you will need the Splunk Add-on for Amazon Web Services. The add-on is available from Splunkbase, and its official documentation is on Splunk Docs. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure AWS, and configure Splunk.
The recommended maximum daily indexing volume for a typical CloudTrail log source type on a clustered indexer is 150 - 200 GB per indexer. Use this as a rough guideline to plan for the number of indexers to deploy in your clustered environment. Adding more indexers to a cluster improves indexing and search retrieval performance. Since this also incurs some additional within-cluster data replication traffic, adjust the number of indexers in your cluster based on your actual system performance.
You can confirm that Splunk has begun ingesting the data from AWS by running Splunk searches against the awscloudtrail index and the aws:cloudtrail source type. The Splunk Add-on for Amazon Web Services also has a built-in health-overview dashboard that provides initial troubleshooting information.
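The two checks described on this page, that CloudTrail events land in the Authentication and Change data models and that ingestion is actually flowing, can be rehearsed offline before the data reaches Splunk. The following is an added example and is not code from Splunk or the Splunk Add-on for AWS: it parses a constructed CloudTrail "Records" payload, applies a simplified CIM-style mapping (an assumption, not the add-on's exact field mapping), counts failed console logins per user, and reports whether the newest event is older than an allowed lag, which is the same question a "has data stopped arriving?" search answers. The sample events, account id, IP addresses and bucket name are all constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample payload shaped like a CloudTrail log file ("Records" array).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-01T12:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"bucketName": "example-bucket"}},
]})


def parse_records(raw: str) -> list:
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(raw).get("Records", [])


def identity_name(record: dict) -> str:
    """Best-effort principal name: IAM user name, else the ARN, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def to_cim(record: dict) -> dict:
    """Simplified CIM-style mapping (assumption, not the add-on's own):
    ConsoleLogin -> Authentication; every other API call -> Change."""
    event = {"_time": record["eventTime"], "user": identity_name(record),
             "src": record.get("sourceIPAddress"), "region": record.get("awsRegion"),
             "eventName": record["eventName"]}
    if record["eventName"] == "ConsoleLogin":
        outcome = record.get("responseElements", {}).get("ConsoleLogin", "")
        event.update({"datamodel": "Authentication",
                      "action": "success" if outcome == "Success" else "failure",
                      "app": record.get("eventSource")})
    else:
        params = record.get("requestParameters") or {}
        event.update({"datamodel": "Change",
                      # CloudTrail sets errorCode on API calls that were denied or failed.
                      "action": "failure" if record.get("errorCode") else "success",
                      "object": next(iter(params.values()), None),
                      "object_category": record.get("eventSource", "").split(".")[0]})
    return event


def failed_logins_by_user(events: list) -> dict:
    """Count Authentication events with action=failure per user."""
    counts = {}
    for e in events:
        if e["datamodel"] == "Authentication" and e["action"] == "failure":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


def ingestion_status(records: list, now_iso: str, max_lag_minutes: int) -> dict:
    """Event count plus a stale flag: true when no event is newer than now - max_lag."""
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    times = [to_dt(r["eventTime"]) for r in records]
    newest = max(times) if times else None
    stale = newest is None or (to_dt(now_iso) - newest) > timedelta(minutes=max_lag_minutes)
    return {"count": len(records), "newest": newest.isoformat() if newest else None, "stale": stale}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CLOUDTRAIL)
    for ev in map(to_cim, recs):
        print(ev["datamodel"], ev["user"], ev["action"], ev["eventName"])
    print(failed_logins_by_user([to_cim(r) for r in recs]))
    print(ingestion_status(recs, "2024-05-01T12:20:00Z", 15))
```

Once the data is in Splunk, the same three checks become searches over index=awscloudtrail sourcetype=aws:cloudtrail: events tagged for the Authentication and Change data models, failed ConsoleLogin counts by user, and the age of the most recent event compared with the delivery lag you expect from CloudTrail.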