Log Management - Requirements
AWS
Log index | Instruction |
---|---|
alb, elb | Ensure that that logging for ALB/ELB is on and logs are being stored in S3 Bucket. Grant Cloudaware with access to this bucket ( |
aws-config | Enable AWS Config as described in AWS Documentation Ensure that Cloudaware has been granted with the permission |
cloudfront | Enable logging as described in this external guide Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket ( |
cloudtrail | Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket should be present to Cloudaware) |
eks-logs | Ensure Amazon EKS is enabled as described in AWS Documentation Ensure that Cloudaware has been granted with permissions |
aws-rds | Cloudaware tracks RDS logs in both CloudWatch and events from DB instance. Ensure that Cloudaware has the following permissions*:
*These permissions are predefined in Cloudaware Conflux Collector policy. |
lambda | Ensure that Cloudaware has been granted with permissions |
route53 | Ensure that logging for DNS Queries is enabled as described in AWS Documentation |
s3-access-logs* | Ensure that logging for S3 is enabled as described in AWS Documentation |
vpc-flow-logs | Ensure VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation |
waf-logs | Ensure that WAF logs are being stored in S3 Bucket or in CloudWatch Logs. Grant Cloudaware with access to this bucket ( |
* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role on the account level, where the log bucket is located. Below is the example of a custom policy granting decrypt permissions, in addition to the necessary list*
and get*
permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>",
"Effect": "Allow",
"Sid": "AllowAccessToKMSCloudtrailBucket"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
"arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
],
"Effect": "Allow",
"Sid": "AllowAccessToLogsBucket"
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
"arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
],
"Effect": "Allow"
}
]
}
WHERE
<KEY_PLACEHOLDER>
should bу replaced by a corresponding encryption key
<BUCKET_ID>
should bу replaced by a corresponding bucket id
<REGION>
should bу replaced by a corresponding bucket region
Azure
Log Index | Instruction |
---|---|
azure-activity | Ensure that the Reader role has been assigned to Cloudaware based on Cloudaware Azure Start Guide |
azure-flowlogs | Ensure that a custom role has been created for Cloudaware to have 'read' access to Storage Account keys ( |
Google Cloud
Log index | Instruction |
---|---|
google-audit- | Ensure that Cloud logging is enabled as described in Google Cloud Documentation |
Host Level
Log index | Instruction |
---|---|
metricbeat | Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, metribeat may generate a significant number of logs |
winlogbeat | Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, winglobeat may generate a significant number of logs |
filebeat | Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, filebeat may generate a significant number of logs |
packetbeat | Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, packetbeat may generate a significant number of logs |
* DNS name and IP address will be provided after Conflux is enabled for you in Cloudaware
Okta
Log index | Instruction |
---|---|
log-okta-system- | Provide Cloudaware support with your Okta URL and token (you can generate a token using Okta documentation here) |
OneLogin
Log index | Instruction |
---|---|
log-onelogin- | Contact Cloudaware to request the Listener URL and a token required to create a webhook in OneLogin. Use the provided parameters in the field 'Custom headers' in OneLogin UI (Developers → Webhooks). Specify the format as JSON Array when creating the webhook. Here is an example: Listener URL: https://COMPANYNAME-conflux.cloudaware.com:XXXX
Custom Headers:
conflux: Xxx1xxxx0xxxxxXXxX
Format: JSON Array |
Â