Manage AWS API logs with CloudTrail and Graylogs

General Process:
  • Cloudtrail will send all API logs to S3 bucket
  • And will notify to SNS topic
  • SNS will send log details to SQS queue
  • Graylog will poll message from SQS and get the logs from that S3 file
  • By default all logs will be sent to “All Messages” stream.
  • Stream can be used to filter out the logs
  • All Messages will be redirected to a Pipeline
  • Pipeline Rule will search for pattern and if pattern matches then will redirect those logs to newly created stream.
Check Graylog single node installer for AWS: https://github.com/neeleshg/aws-graylog-installer.git
 Steps:
– Create SNS Topic
– Create SQS and subscribe to that SNS topic
– Enable CloudTrail Logs and use the SNS topic
– Install aws plugin for graylog.
  • Download jar file from HERE
  • Copy it in plugin_dir which is normally: /usr/share/graylog-server/plugin
  • Restart graylog server
– Create IAM User and attach below Policies to that user:
   This user will be configured in graylog-aws plugin. Which will have access to SQS and S3 bucket.
   – Graylog-S3 Policy:
{
       "Version": "2012-10-17",
       "Statement": [
          {
                "Sid": "Stmt1411854479000",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
               "Resource": [
                    "arn:aws:s3:::<BUCKET_NAME>/*"
                ]
          }
     ]
}

   – Graylog-SQS Policy:
{
       "Version": "2012-10-17",
       "Statement": [
            {
               "Sid": "Stmt1411834838000",
                "Effect": "Allow",
                "Action": [
                       "sqs:DeleteMessage",
                       "sqs:ReceiveMessage"
                ],
                "Resource": [
                    "<ARN of SQS Queue>"
                ]
          }
       ]
}
Copy Access and Secret Keys of that user
– Configure Graylog plugin use above access and secret keys in it.
   Go to System –> Configurations –> AWS Plugin Configuration –> Configure
– Create Stream for ec2 specific logs
   Go to Streams –> Create Stream –> Enter Title and Description
    Note the stream Name and ID.
    To get stream ID, Just right click on Name of Stream and click “Copy Link Address”. Paste it somewhere. You will get id in it.
    For eg. If URL is http://<graylog_ip>/streams/xxxyyyyz3ggg6666iiuop/search then Stream ID is “xxxyyyyz3ggg6666iiuop”
– Create & Configure Pipeline
     – First need to create rule.
       Go to System –> Pipelines –> Click “Manage Rules” –> Click “Create Rule”
       Provide description of rule and define actual rule in “Rule Source”.
       For eg. in our condition, rule will be similar like:
rule "filter ec2"
when
     has_field("event_source") &amp;&amp; to_string($message.event_source)=="ec2.amazonaws.com"
then
     route_to_stream("Stream_Name","Stream ID")
end
  • Click “Manage Pipelines” –> “Add new pipeline”
  • Provide Title and Description of Pipeline and click “Save”
  • Click “Edit Connections” and Select Stream “All messages” as Input connection to this pipeline.
  • Click Edit of Stage 0
  • Select created Rule in “Stage Rules” dropbox and click Save.
Now you will see all messages from ec2.amazonaws.com in newly created stream

Neelesh Gurjar has written 122 articles

One thought on “Manage AWS API logs with CloudTrail and Graylogs

  1. Navdeep says:

    Hi Neelesh,

    Thanks for the write up. I don’t understand what is the need for SNS & SQS. Can’t graylog read the logs directly from S3 bucket?

Leave a Reply