Better Monitoring Using AWS CloudTrail

 

AWSCloudTrailApp-Pack Blog Header
If you’re running on AWS, you probably use AWS CloudTrail. AWS CloudTrail logs are important because they provide an audit trail of modifications to and interactions with your AWS-hosted deployments. They provide useful insights for both operational and security-related monitoring. Here’s how the Loggly Application Pack for AWS CloudTrail makes this monitoring easier and more effective.

AWSCloudTrailAppPack 2

Sending your AWS CloudTrail data to Loggly is quick to set up because it leverages our integration with Amazon S3. You give Loggly your S3 bucket name and permission to read from that bucket, and Loggly pulls your log data out in real time. Loggly automatically parses AWS CloudTrail data so that you can see a visual view and event counts in the Loggly Dynamic Field Explorer™.

The Loggly Application Pack for AWS CloudTrail automatically installs a dashboard and several Saved Searches into your Loggly account, giving you answers to the key questions addressed in your AWS CloudTrail logs. The CloudTrail Application Pack dashboard includes the following six widgets:

  1. Top AWS CloudTrail Event Sources in the Last Day

    This chart shows you which of your AWS services have been modified or interacted with by your AWS administrators. Use it to find any unexpected activity.

  2. Top AWS CloudTrail Error Sources in the Last Day

    The error sources chart breaks down the number of errors by service. If a particular service is generating a lot of errors, you’ll want to investigate.

  3. AWS CloudTrail Top Users in the Last Day

    This chart illustrates who is interacting with your services, by username. Unexpected activity levels or unknown usernames can reveal a security breach.

  4. AWS CloudTrail Top Error Messages in the Last Day

    Similar to the error sources chart, it’s helpful to have a visual view of error messages because it guides your troubleshooting efforts.

  5. AWS CloudTrail EC2 Instance Changes Last Day

    This chart creates a timeline view of the number of instances started and stopped over the last day. It can be helpful in establishing a timeline for a problem that occurred.

  6. AWS CloudTrail Failed Logins Last Week

    Visibility into failed logins is an important way to track attempted security breaches. In addition to monitoring this on a dashboard, you can quickly set up alerts that let you know when a failed login has occurred.

Saved Searches Speed Up Your Analysis

Loggly’s Application Packs also create saved searches for many of the analyses we described above, so that you can view the relevant log events without any additional effort. One additional saved search is on new key pairs that were created or imported.

Saved searches are all accessible from the star icon right next to the search button.

AWSCloudTrailAppPack 1

All AWS users should take advantage of the insights that AWS CloudTrail provides. With Loggly, this level of monitoring is simple to set up. If you haven’t tried Loggly yet, now is the time!

Additional Reading

Resource Types Supported by CloudTrail API Activity History (AWS CloudTrail Documentation)


Share Your Thoughts

Top