Skip to main content

Amazon Web Services: CloudTrail

  • Updated

Amazon Web Services (AWS) has become an integral part of many organizations’ IT infrastructure. CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use it to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. In the Common Information Model, CloudTrail log data is typically mapped to the Authentication and Change data models.

Data visibility 

CloudTrail data provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls so you can detect unusual activity. 

How can I use this data?

When your Splunk deployment is ingesting Amazon CloudTrail data, you can use the data to achieve the following objectives:

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official AWS resources.

Getting AWS CloudTrail data in

Splunk Docs contains extensive guidance on getting data into your Splunk deployment. If your deployment is not already ingesting AWS VPC Flow logs, the following topics can assist you in preparing to work with this data type:

The recommended index is awscloudtrail

The source type is aws:cloudtrail

The supported input type is CloudTrail, specifically the API call history from the AWS CloudTrail service. 

In addition, you will need the Splunk Add-on for Amazon Web Services. The add-on can be downloaded here and the official documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure AWS, and configure Splunk.

Sizing estimate

The recommended maximum daily indexing volume for a typical CloudTrail log source type on a clustered indexer is 150 - 200 GB per indexer. Use this as a rough guideline to plan for the number of indexers to deploy in your clustered environment. Adding more indexers to a cluster improves indexing and search retrieval performance. Since this also incurs some additional within-cluster data replication traffic, adjust the number of indexers in your cluster based on your actual system performance.

Validation

You can make sure that Splunk has begun ingesting the data from AWS by running Splunk searches. The Splunk add-on for AWS also has a built-in health-overview dashboard that will provide initial troubleshooting information.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.