    Amazon Web Services (AWS)

    To monitor your AWS environment, EventLog Analyzer requires a valid IAM user with the necessary permissions. The solution uses this designated IAM user to collect logs from your AWS environment.

    Note: EventLog Analyzer supports all AWS regions, except the AWS China (Beijing) region.

    Creating a new IAM user in the AWS console

    An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS.

    To create a new IAM user, follow these steps.

    1. Log in to the AWS console.
    2. Go to AWS Services → Security, Identity and Compliance → IAM → Add User.
    3. Give an appropriate User name and enable Programmatic access.
    4. Click on Attach existing policies directly.
    5. Click on Create Policy → Create your Own Policy.
    6. Fill in the Policy Name field.
    7. Depending on whether you want EventLog Analyzer to configure CloudTrail automatically or you want to configure it manually, copy the matching inline policy given below into the Policy Document box.
      • Auto-configuration: If you want EventLog Analyzer to create and configure CloudTrail, use the "Inline Policy for auto configuration".
      • Manual configuration: If you wish to configure CloudTrail yourself, use the "Inline Policy for manual configuration".
    8. Click Create Policy.
    9. Create the user and save the Access key and Secret key pair.

    Inline Policy for auto configuration

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1486278063000",
          "Effect": "Allow",
          "Action": [
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:GetTrail",
            "cloudtrail:CreateTrail",
            "cloudtrail:DeleteTrail",
            "cloudtrail:StartLogging",
            "cloudtrail:StopLogging",
            "cloudtrail:UpdateTrail"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1486278045000",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketTagging",
            "s3:PutBucketLogging",
            "s3:PutLifecycleConfiguration",
            "s3:GetBucketLogging",
            "s3:PutBucketAcl",
            "s3:PutBucketPolicy",
            "s3:CreateBucket",
            "s3:ListBucket",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation",
            "s3:DeleteBucket",
            "s3:GetBucketPolicy",
            "s3:ListAllMyBuckets",
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:GetObjectVersion"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1486278214000",
          "Effect": "Allow",
          "Action": [
            "sns:GetEndpointAttributes",
            "sns:GetSubscriptionAttributes",
            "sns:GetTopicAttributes",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTopics",
            "sns:Publish",
            "sns:Unsubscribe",
            "sns:SetTopicAttributes",
            "sns:DeleteTopic",
            "sns:CreateTopic",
            "sns:Subscribe",
            "sns:ConfirmSubscription",
            "sns:SetSubscriptionAttributes",
            "sns:AddPermission"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1486278276000",
          "Effect": "Allow",
          "Action": [
            "sqs:DeleteMessage",
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl",
            "sqs:ListQueues",
            "sqs:ReceiveMessage",
            "sqs:SendMessage",
            "sqs:CreateQueue",
            "sqs:DeleteQueue",
            "sqs:SetQueueAttributes",
            "sqs:AddPermission",
            "sqs:PurgeQueue"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1490256161000",
          "Effect": "Allow",
          "Action": [
            "iam:GenerateCredentialReport",
            "iam:GetAccountAuthorizationDetails",
            "iam:GetCredentialReport"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1490256161001",
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

    Inline Policy for manual configuration

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1486278063000",
          "Effect": "Allow",
          "Action": [
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:GetTrail"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1486278045000",
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1486278214000",
          "Effect": "Allow",
          "Action": [
            "sns:GetEndpointAttributes",
            "sns:GetPlatformApplicationAttributes",
            "sns:GetSMSAttributes",
            "sns:GetSubscriptionAttributes",
            "sns:GetTopicAttributes",
            "sns:ListEndpointsByPlatformApplication",
            "sns:ListPhoneNumbersOptedOut",
            "sns:ListPlatformApplications",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTopics",
            "sns:Publish"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1486278276000",
          "Effect": "Allow",
          "Action": [
            "sqs:DeleteMessage",
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl",
            "sqs:ListQueues",
            "sqs:ReceiveMessage",
            "sqs:SendMessage",
            "sqs:PurgeQueue"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1490256161000",
          "Effect": "Allow",
          "Action": [
            "iam:GenerateCredentialReport",
            "iam:GetAccountAuthorizationDetails",
            "iam:GetCredentialReport"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "Stmt1490256161001",
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
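    Before attaching either policy, it is worth seeing exactly how broad it is: both grant "Resource": "*" everywhere, and the manual policy additionally grants "s3:*" and "elasticloadbalancing:*". The script below is an added example written for this page (it is not EventLog Analyzer code) that parses a policy document of the shape shown above and lists every wildcard grant. The two embedded documents are shortened, constructed copies of the CloudTrail and S3 statements from the auto and manual policies; run it against the full policies by pasting them in place of the samples.

```python
"""Audit an IAM policy document for wildcard grants before attaching it.

Added example for this page; it is not EventLog Analyzer code. It reads a
policy document in the format shown above and lists every Allow statement
that grants a whole service ("s3:*", "elasticloadbalancing:*") or all
actions ("*"), or that applies to "Resource": "*". The embedded documents
are shortened copies of the two inline policies above, constructed here
for illustration, so the same check can be run on either one.
"""
import json

# Constructed: the CloudTrail and S3 statements of the auto-configuration policy.
AUTO_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1486278063000", "Effect": "Allow",
         "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                    "cloudtrail:GetTrail", "cloudtrail:CreateTrail",
                    "cloudtrail:DeleteTrail", "cloudtrail:StartLogging",
                    "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
         "Resource": ["*"]},
        {"Sid": "Stmt1486278045000", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:GetObject",
                    "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket"],
         "Resource": ["*"]},
    ],
})

# Constructed: the same two statements from the manual-configuration policy.
MANUAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1486278063000", "Effect": "Allow",
         "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                    "cloudtrail:GetTrail"],
         "Resource": ["*"]},
        {"Sid": "Stmt1486278045000", "Effect": "Allow",
         "Action": ["s3:*"],
         "Resource": ["*"]},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_policy(document):
    """Return (Sid, finding) pairs for every wildcard grant in Allow statements."""
    policy = json.loads(document)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "grants every action on every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"grants every {action[:-2]} action"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "applies to every resource"))
    return findings


def allowed_actions(document):
    """Set of actions the Allow statements grant, wildcards left as written."""
    policy = json.loads(document)
    actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


if __name__ == "__main__":
    for name, doc in (("auto", AUTO_POLICY), ("manual", MANUAL_POLICY)):
        print(f"== {name} configuration ==")
        for sid, finding in audit_policy(doc):
            print(f"  {sid}: {finding}")
    # S3 actions the auto policy spells out that the manual policy folds into s3:*
    print(sorted(allowed_actions(AUTO_POLICY) - allowed_actions(MANUAL_POLICY)))
```

    The auto-configuration policy is reported only for its "Resource": "*" statements, while the manual one is additionally reported for "s3:*"; if you narrow the S3 statement to the bucket CloudTrail writes to, re-run the audit to confirm the wildcard finding disappears.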

    The generated access key and secret key pair should be used inside EventLog Analyzer to configure the AWS account.

    Enter AWS credentials in EventLog Analyzer

    • Go to the EventLog Analyzer console.
    • Click on EventLog Analyzer Account Settings.
    • Click on Add Account.
    • Select the Cloud Type as AWS.
    • Enter a Display name in the given box.
    • Enter the Access Key ID and Secret Access Key of the IAM user in the given fields.
    • Add CloudTrail.
      • Auto-configuration: Select the Region. EventLog Analyzer automatically creates and configures CloudTrail. Click Save.
        Note: EventLog Analyzer will create the following resources:
        • S3 bucket: (accountnumber)-cloudtraillogs-(region)
        • SNS topic: cloudtrailtopic
        • SQS queue: cloudtrailqueue
        • CloudTrail: cloudtrail
      • Manual configuration: Click Connect an existing CloudTrail and follow the steps given under Logging setup: Amazon CloudTrail Logs.

    To set up the other supported log sources for your AWS environment, refer to the S3 server access logs and ELB access logs sections below.

    Manage Cloud Sources:

    Logging setup: Amazon CloudTrail Logs

    CloudTrail is an API log monitoring web service offered by AWS. It records the API calls made in an AWS account and delivers the resulting log files to an Amazon S3 bucket for storage. The service provides details of API activity such as the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. In addition, it captures a few non-API events (AWS service events and AWS console sign-in events).

    CloudTrail can also be configured to publish a notification for every log file that is delivered, allowing users to take action upon log file delivery.

    (I) Enable CloudTrail

    • Log in to the AWS console.
    • Go to AWS Services → Management Tools → CloudTrail.
    • Click Add new trail.
    • Click Advanced and fill in the missing information.

    (II) Configure an SNS topic

    Create an SNS topic. Select the following options:

    • Apply trail to all regions → Yes
    • Create a new S3 bucket → Yes
    • S3 bucket → Provide a new name
    • Log file prefix → Provide the prefix
    • Encrypt log files → No
    • Enable log file validation → Yes
    • Send SNS notification for every log file delivery → Yes
    • Create a new SNS topic → Yes
    • New SNS topic → Name the topic
    • Click Create.


    (III) Create an SQS queue and subscribe to the SNS topic created in Step II

    • Go to AWS Services → Messaging → Simple Queue Service (SQS).
    • Click Create New Queue and fill in the necessary information.
    • This SQS queue must now be subscribed to the SNS topic created when you enabled CloudTrail. Follow these steps:
      • Select the SQS queue you created.
      • From the Queue Action drop-down menu, select Subscribe Queue to SNS Topic.
    Note: Amazon SNS raw message delivery must be disabled for this subscription.
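    The raw-delivery setting decides what a consumer finds in the SQS message body. With raw delivery disabled, the body is an SNS envelope whose "Message" field carries the CloudTrail log-delivery notification as a JSON string; with raw delivery enabled, the body is that notification by itself. The decoder below is an added example written for this page (not EventLog Analyzer code) that handles both shapes and reports which one it saw, so a subscription that was configured the wrong way is detected rather than silently dropping log files. All message bodies are constructed; the bucket and topic names follow the auto-configuration naming given above.

```python
"""Decode CloudTrail log-delivery notifications read from an SQS queue.

Added example for this page; it is not EventLog Analyzer code. With SNS raw
message delivery disabled, as the note above requires, each SQS message body
is an SNS envelope whose "Message" field holds the CloudTrail notification as
a JSON string. With raw delivery enabled the body is that notification
itself, so a consumer written for the envelope would fail on it. The decoder
below handles both and reports which one it saw. All message bodies here are
constructed for the example.
"""
import json

BUCKET = "123456789012-cloudtraillogs-us-east-1"
LOG_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2024/02/06/"
           "123456789012_CloudTrail_us-east-1_20240206T1015Z_example.json.gz")

# Constructed: body seen with raw message delivery disabled (SNS envelope).
ENVELOPED_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudtrailtopic",
    "Message": json.dumps({"s3Bucket": BUCKET, "s3ObjectKey": [LOG_KEY]}),
})

# Constructed: the same notification with raw message delivery enabled.
RAW_BODY = json.dumps({"s3Bucket": BUCKET, "s3ObjectKey": [LOG_KEY]})

# Constructed: the plain-text check message CloudTrail publishes to a topic
# when a trail is first configured; it carries no log files and is skipped.
VALIDATION_BODY = json.dumps({"Type": "Notification",
                              "Message": "CloudTrail validation message."})


def decode_delivery(body):
    """Return (mode, bucket, keys) for one SQS message body.

    mode is "sns-envelope", "raw", or "not-a-delivery" (bucket None, no keys).
    """
    outer = json.loads(body)
    if outer.get("Type") == "Notification" and "Message" in outer:
        mode = "sns-envelope"
        try:
            inner = json.loads(outer["Message"])
        except (TypeError, json.JSONDecodeError):
            return "not-a-delivery", None, []
    else:
        mode, inner = "raw", outer
    if not isinstance(inner, dict) or "s3Bucket" not in inner:
        return "not-a-delivery", None, []
    keys = inner.get("s3ObjectKey") or []
    return mode, inner["s3Bucket"], list(keys)


def log_objects(bodies, expected_mode="sns-envelope"):
    """Collect (bucket, key) pairs; bodies in the other delivery mode are rejected.

    Returns (objects, rejected_modes) so a mismatch between the subscription's
    raw-delivery setting and the consumer's expectation is visible.
    """
    objects, rejected = [], []
    for body in bodies:
        mode, bucket, keys = decode_delivery(body)
        if mode == "not-a-delivery":
            continue
        if mode != expected_mode:
            rejected.append(mode)
            continue
        objects.extend((bucket, key) for key in keys)
    return objects, rejected


if __name__ == "__main__":
    found, bad = log_objects([ENVELOPED_BODY, RAW_BODY, VALIDATION_BODY])
    for bucket, key in found:
        print(f"fetch s3://{bucket}/{key}")
    if bad:
        print(f"rejected {len(bad)} message(s) delivered in mode {set(bad)}")
```

    In a real consumer you would call decode_delivery on each body returned by ReceiveMessage and delete the message only after the referenced object has been fetched; a run of "raw" rejections is the signature of a subscription where raw message delivery was left enabled.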

    (IV) Add the created SQS queue as a data source in EventLog Analyzer

    • Log in to the EventLog Analyzer console.
    • Go to Settings and click on Manage Data Source.
    • Select CloudTrail from the Data source drop-down menu.
    • Choose the AWS region, the trail, and the SQS queue.
    • Click Save.

    Logging Setup: Amazon S3 server access logs

    What is S3 server access logging?

    Requests made to an S3 bucket can be tracked with server access logging. Each access log record describes a single request: the requester, the bucket name, the request time, the request action, the response status, and the error code, if any. This information is useful for identifying the nature of the traffic a bucket receives.
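    The fields listed above are space-delimited in each record, with the request time in square brackets, the request line, referrer and user agent in double quotes, and "-" for any empty field. The parser below is an added example written for this page (it is not EventLog Analyzer code): it names the documented fields, keeps any newer trailing fields in an "extra" list, and then runs one check a defender wants from these logs, namely which requests succeeded with no authenticated requester. The three log lines, the bucket owner ID, request IDs and addresses are all constructed placeholders.

```python
"""Parse S3 server access log records and flag anonymous successful requests.

Added example for this page; it is not EventLog Analyzer code. It tokenises
the space-delimited record format (bracketed time, quoted request line,
referrer and user agent, '-' for empty fields), names the documented fields,
and flags requests that succeeded without an authenticated requester. The
log lines are constructed for the example.
"""
import re
from collections import Counter

S3_FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referrer", "user_agent", "version_id",
]

# A token is a [bracketed time], a "quoted string", or a run of non-spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample: an authenticated collector read, an anonymous request
# that was denied, and an anonymous bucket listing that succeeded.
SAMPLE_LOG = '''\
3be1a4e7f2c0 logs-bucket [06/Feb/2024:10:15:02 +0000] 192.0.2.10 arn:aws:iam::123456789012:user/ela-collector 7A1B2C3D4E5F6A7B REST.GET.OBJECT AWSLogs/123456789012/CloudTrail/x.json.gz "GET /logs-bucket/AWSLogs/123456789012/CloudTrail/x.json.gz HTTP/1.1" 200 - 4096 4096 12 11 "-" "aws-sdk-java/1.11" -
3be1a4e7f2c0 logs-bucket [06/Feb/2024:10:16:40 +0000] 198.51.100.7 - 8B2C3D4E5F6A7B8C REST.GET.OBJECT secret/keys.txt "GET /logs-bucket/secret/keys.txt HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.4.0" -
3be1a4e7f2c0 logs-bucket [06/Feb/2024:10:17:05 +0000] 198.51.100.7 - 9C3D4E5F6A7B8C9D REST.GET.BUCKET - "GET /logs-bucket?list-type=2 HTTP/1.1" 200 - 1280 - 9 8 "-" "curl/8.4.0" -
'''


def parse_s3_access_line(line):
    """Map one record to a dict; fields AWS appended later land in 'extra'."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(S3_FIELDS):
        raise ValueError(f"expected {len(S3_FIELDS)}+ fields, got {len(tokens)}")
    record = dict(zip(S3_FIELDS, tokens))
    record["time"] = record["time"][1:-1]               # strip [ ]
    for name in ("request_uri", "referrer", "user_agent"):
        record[name] = record[name][1:-1]               # strip quotes
    record["extra"] = tokens[len(S3_FIELDS):]
    return record


def parse_s3_access_log(text):
    """Parse every non-empty line of a log file's text."""
    return [parse_s3_access_line(l) for l in text.splitlines() if l.strip()]


def anonymous_successes(records):
    """Records where the requester is '-' (unauthenticated) and the status is 2xx."""
    return [r for r in records
            if r["requester"] == "-" and r["http_status"].startswith("2")]


def outcomes_by_requester(records):
    """Counter of (requester, http_status, error_code) for a quick triage view."""
    return Counter((r["requester"], r["http_status"], r["error_code"])
                   for r in records)


if __name__ == "__main__":
    recs = parse_s3_access_log(SAMPLE_LOG)
    for r in anonymous_successes(recs):
        print(f"anonymous {r['operation']} from {r['remote_ip']} at {r['time']}: "
              f"{r['request_uri']}")
    for key, n in outcomes_by_requester(recs).items():
        print(key, n)
```

    An anonymous successful listing, as in the third sample line, is the kind of record worth an alert rule once these logs are flowing into EventLog Analyzer, since it usually means a bucket policy or ACL allows public access.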

    Follow these steps to add Amazon S3 server access logs as a data source in EventLog Analyzer.

    • Log in to the EventLog Analyzer console.
    • Go to Settings > Configuration > Manage Cloud Sources and click on Add Data Source.
    • Select S3 Server Access Logs from the Data source drop-down menu.
    • Select the S3 Bucket for which you want to enable access logging.
    • Click Configure.

    Logging setup: Amazon ELB access logs

    Elastic Load Balancer access logs capture information about requests made to load balancers and can be used to analyze traffic patterns and troubleshoot issues. These logs contain details such as the time the request was received, the client's IP address, latencies, request paths, and server responses.
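    A classic load balancer writes one space-delimited entry per request, with the request line and user agent quoted; when no backend handled the request (for example the load balancer itself answered 503), the backend field is "-" and the three timing fields are -1. The parser below is an added example written for this page (not EventLog Analyzer code): it names the fields, splits the client and backend endpoints into address and port, extracts the request path, and then flags entries with no backend, a 5xx backend status, or a total latency above a threshold. The log lines are constructed for the example.

```python
"""Parse classic ELB access log entries and flag failed or slow requests.

Added example for this page; it is not EventLog Analyzer code. The entries
and the load balancer name are constructed; the field order is the classic
load balancer access log layout.
"""
import re
from urllib.parse import urlsplit

ELB_FIELDS = [
    "timestamp", "elb", "client", "backend", "request_processing_time",
    "backend_processing_time", "response_processing_time", "elb_status_code",
    "backend_status_code", "received_bytes", "sent_bytes", "request",
    "user_agent", "ssl_cipher", "ssl_protocol",
]
TIMING_FIELDS = ELB_FIELDS[4:7]
TOKEN = re.compile(r'"[^"]*"|\S+')     # quoted string or run of non-spaces

# Constructed sample: a normal request, a 503 answered by the ELB with no
# backend, and a slow TLS request to a backend.
ELB_SAMPLE = '''\
2024-02-06T10:15:02.123456Z prod-web 203.0.113.5:51234 10.0.1.20:80 0.000045 0.012311 0.000032 200 200 0 5120 "GET http://www.example.com:80/index.html HTTP/1.1" "Mozilla/5.0" - -
2024-02-06T10:15:09.000001Z prod-web 203.0.113.5:51240 - -1 -1 -1 503 0 0 0 "GET http://www.example.com:80/health HTTP/1.1" "Mozilla/5.0" - -
2024-02-06T10:15:15.654321Z prod-web 198.51.100.9:44001 10.0.1.21:443 0.000051 2.481200 0.000040 200 200 320 2048 "POST https://www.example.com:443/login HTTP/1.1" "curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
'''


def _split_endpoint(value):
    """'ip:port' -> (ip, port); '-' means no endpoint took part."""
    if value == "-":
        return None, None
    host, _, port = value.rpartition(":")
    return host, int(port)


def parse_elb_line(line):
    """Map one entry to a dict with typed timings, status codes and the path."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(ELB_FIELDS):
        raise ValueError(f"expected {len(ELB_FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(ELB_FIELDS, tokens))
    rec["client_ip"], rec["client_port"] = _split_endpoint(rec["client"])
    rec["backend_ip"], rec["backend_port"] = _split_endpoint(rec["backend"])
    for name in TIMING_FIELDS:
        seconds = float(rec[name])
        rec[name] = None if seconds < 0 else seconds     # -1 means not measured
    for name in ("elb_status_code", "backend_status_code",
                 "received_bytes", "sent_bytes"):
        rec[name] = int(rec[name])
    rec["request"] = rec["request"][1:-1]                 # strip quotes
    rec["user_agent"] = rec["user_agent"][1:-1]
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = urlsplit(parts[1]).path if len(parts) >= 2 else ""
    return rec


def total_latency(rec):
    """Sum of the three timings, or None when any was not measured."""
    times = [rec[n] for n in TIMING_FIELDS]
    return None if None in times else sum(times)


def flag_requests(lines, slow_seconds=1.0):
    """Return one summary dict per entry that failed or exceeded slow_seconds."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_elb_line(line)
        latency = total_latency(rec)
        if rec["backend_ip"] is None:
            reason = "no backend responded"
        elif rec["backend_status_code"] >= 500:
            reason = "backend 5xx"
        elif latency is not None and latency > slow_seconds:
            reason = "slow backend"
        else:
            continue
        flagged.append({"timestamp": rec["timestamp"], "client_ip": rec["client_ip"],
                        "path": rec["path"], "elb_status": rec["elb_status_code"],
                        "reason": reason})
    return flagged


if __name__ == "__main__":
    for f in flag_requests(ELB_SAMPLE.splitlines()):
        print(f"{f['timestamp']} {f['client_ip']} {f['path']} -> {f['elb_status']} ({f['reason']})")
```

    The "no backend responded" case is the one to watch during an outage or a flood of requests: the ELB status is 503 while the backend status is 0, so a rule that only looks at backend codes would miss it.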

    Follow these steps to add Amazon ELB access logs as a data source in EventLog Analyzer.

    • Log in to the EventLog Analyzer console.
    • Go to Settings > Configuration > Manage Cloud Sources and click on Add Data Source.
    • Select ELB Access Logs from the Data source drop-down menu.
    • Select the Region and Load Balancer for which you want to enable access logging.
    • Click Configure.
    Note: Currently, EventLog Analyzer supports only classic load balancers. Network and application load balancers are not supported.

    Enable/disable cloud source

    Enabling a cloud source:

    To enable a cloud source in EventLog Analyzer,

    • Click the icon located under the Actions column for the data source you want to enable.
    • The data source will be enabled.

    Disabling a cloud source:

    To disable a cloud source in EventLog Analyzer,

    • Click the icon located under the Actions column for the data source you want to disable.
    • The data source will be disabled.

    Delete a cloud source

    To delete a cloud source in EventLog Analyzer,

    • Click the delete icon located under the Actions column for that particular data source.
    • The data source will be deleted.
