{"id":3012,"date":"2019-08-31T11:18:01","date_gmt":"2019-08-31T11:18:01","guid":{"rendered":"https:\/\/www.testpreptraining.com\/tutorial\/?page_id=3012"},"modified":"2020-05-01T11:09:39","modified_gmt":"2020-05-01T11:09:39","slug":"cloudtrail-logs-2","status":"publish","type":"page","link":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/","title":{"rendered":"CloudTrail Logs"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li>Monitor existing system, application and custom logs in real time.<\/li><li>Send existing logs to CloudWatch, create patterns to look for in the logs, and alert when those patterns are found.<\/li><li>Free agents for Ubuntu, Amazon Linux and Windows.<\/li><li>Purpose\n<ul>\n<li>Monitor logs from EC2 instances in real time (for example, track the number of errors in application logs and send a notification if they exceed a threshold).<\/li>\n<li>Monitor AWS CloudTrail logged events (API activity such as manual EC2 instance termination).<\/li>\n<li>Archive log data (change the log retention setting to delete old data automatically).<\/li>\n<\/ul>\n<\/li><li>Log events &#8211; a record stored in CloudWatch Logs, consisting of a timestamp and the message to store.<\/li><li>Log Streams \u2013 a sequence of log events that share the same resource (for example, Apache access logs; they are automatically deleted after every 2 months).<\/li><li>Log Groups \u2013 groups of log streams that share the same settings for\n<ul>\n<li>retention<\/li>\n<li>monitoring<\/li>\n<li>access control<\/li>\n<\/ul>\n<\/li><li>Metric Filters &#8211; define how a service extracts metric observations from events and turns them into data points for a CloudWatch metric.<\/li><li>Retention Settings \u2013 settings for how long to keep events. 
Expired logs are deleted automatically.<\/li><li>The retention period offered for a log group ranges from 1 day to 10 years.<\/li><li>CloudWatch Log Filters: filter log data pushed to CloudWatch. They do not apply to existing log data, only to data ingested after the filter is created, and they return only the first 50 results. A metric filter consists of 1. Filter Pattern 2. Metric Name 3. Metric Namespace 4. Metric Value.<\/li><li>Modify rsyslog (\/etc\/rsyslog.d\/50-default.conf), remove auth on line number 9, then run sudo service rsyslog restart.<\/li><li>Real-time log processing requires subscription filters; the supported destinations are AWS Kinesis Streams, AWS Lambda and AWS Kinesis Firehose.<\/li><li>The aws kinesis command is used to create and describe the stream; it can also list the stream ARN. Then update the permissions.json file with the ARNs of the stream and role.<\/li><\/ul>\n\n\n\n<p>Advanced tasks with CloudTrail log files<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Create multiple trails per region.<\/li><li>Use CloudWatch Logs to monitor CloudTrail log files.<\/li><li>Share log files between accounts.<\/li><li>Log processing applications can be developed in Java by using the CloudTrail Processing Library.<\/li><li>Validate log files to verify that they have not changed after delivery by CloudTrail.<\/li><\/ul>\n\n\n\n<p>To receive CloudTrail log files from multiple regions<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Sign in to the AWS Management Console and open the CloudTrail console at https:\/\/console.aws.amazon.com\/cloudtrail\/.<\/li><li>Choose \u201cTrails\u201d, and then select a trail name.<\/li><li>Next, click the pencil icon next to \u201cApply trail to all regions\u201d, and then select \u201cYes\u201d.<\/li><li>Choose Save. The original trail will be replicated across all AWS regions. 
CloudTrail will then deliver the log files from all regions to the S3 bucket.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"323\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-135.png\" alt=\"\" class=\"wp-image-3703\"\/><\/figure>\n\n\n\n<p><strong>Validating CloudTrail Log File Integrity<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Use CloudTrail log file integrity validation.<\/li><li>The feature uses SHA-256 for hashing and SHA-256 with RSA for digital signing.<\/li><li>This makes it computationally infeasible to do the following to CloudTrail log files without detection:\n<ul>\n<li>modify<\/li>\n<li>delete<\/li>\n<li>forge<\/li>\n<\/ul>\n<\/li><li>Use the CLI to validate files.<\/li><li>With log file integrity validation enabled, CloudTrail creates a hash for every log file it delivers.<\/li><li>Every hour, CloudTrail also creates a file (called a digest file) that references the log files for the last hour and contains the hash of each.<\/li><li>Each digest file is signed using the private key of a public and private key pair.<\/li><li>After delivery, use the public key to validate the digest file.<\/li><li>CloudTrail uses a different key pair in every AWS region.<\/li><li>The digest files are delivered to the same S3 bucket associated with the trail as the CloudTrail log files.<\/li><li>The digest files are put into a folder separate from the log files.<\/li><li>Every digest file also contains the digital signature of the previous digest file, if one exists.<\/li><li>The signature for the current digest file is stored in the metadata properties of the digest file's S3 object.<\/li><\/ul>\n\n\n\n<p>Sharing CloudTrail Log Files Between AWS Accounts<\/p>\n\n\n\n<p>The steps are<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>For each account you want to share log files with, create an IAM role.<\/li><li>For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.<\/li><li>An IAM user in that account can 
then assume the required role to retrieve the log files programmatically.<\/li><\/ul>\n\n\n\n<p><strong>CloudTrail Processing Library<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A Java library for processing AWS CloudTrail logs.<\/li><li>You provide the details of the CloudTrail SQS queue and the code that processes the events.<\/li><li>The CloudTrail Processing Library will\n<ul>\n<li>poll the SQS queue<\/li>\n<li>read and parse the queue messages<\/li>\n<li>download the CloudTrail log files<\/li>\n<li>parse the events in the log files<\/li>\n<li>pass the events to your code as Java objects.<\/li>\n<\/ul>\n<\/li><li>It is scalable and fault-tolerant.<\/li><li>Handles parallel processing of log files.<\/li><li>Handles network failures such as timeouts or inaccessible resources.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Monitor existing system, application and custom logs in real time. Send existing logs to CloudWatch; Create patterns to look for in logs; Alert based on finding of these patterns. Free agents for Ubuntu, Amazon Linux, Windows. Purpose Monitor logs from EC2 instances in realtime. 
(track number of errors in application logs and send notification if&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":2474,"menu_order":17,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[7,407],"class_list":["post-3012","page","type-page","status-publish","hentry","category-amazon-aws","tag-aws","tag-cloudtrail-logs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>CloudTrail Logs - TestPrep<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CloudTrail Logs - TestPrep\" \/>\n<meta property=\"og:description\" content=\"Monitor existing system, application and custom logs in real time. Send existing logs to CloudWatch; Create patterns to look for in logs; Alert based on finding of these patterns. Free agents for Ubuntu, Amazon Linux, Windows. Purpose Monitor logs from EC2 instances in realtime. (track number of errors in application logs and send notification if...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Testprep Training Tutorials\" \/>\n<meta property=\"article:modified_time\" content=\"2020-05-01T11:09:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-135.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/\",\"name\":\"CloudTrail Logs - TestPrep\",\"isPartOf\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#website\"},\"datePublished\":\"2019-08-31T11:18:01+00:00\",\"dateModified\":\"2020-05-01T11:09:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AWS Certified Security Specialty\",\"item\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CloudTrail Logs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#website\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\",\"name\":\"Testprep Training 
Tutorials\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.testpreptraining.ai\/tutorial\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#organization\",\"name\":\"Testprep Training\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png\",\"contentUrl\":\"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png\",\"width\":583,\"height\":153,\"caption\":\"Testprep Training\"},\"image\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CloudTrail Logs - TestPrep","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/","og_locale":"en_US","og_type":"article","og_title":"CloudTrail Logs - TestPrep","og_description":"Monitor existing system, application and custom logs in real time. Send existing logs to CloudWatch; Create patterns to look for in logs; Alert based on finding of these patterns. Free agents for Ubuntu, Amazon Linux, Windows. Purpose Monitor logs from EC2 instances in realtime. 
(track number of errors in application logs and send notification if...","og_url":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/","og_site_name":"Testprep Training Tutorials","article_modified_time":"2020-05-01T11:09:39+00:00","og_image":[{"url":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-135.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/","url":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/","name":"CloudTrail Logs - TestPrep","isPartOf":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#website"},"datePublished":"2019-08-31T11:18:01+00:00","dateModified":"2020-05-01T11:09:39+00:00","breadcrumb":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail-logs-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.testpreptraining.ai\/tutorial\/"},{"@type":"ListItem","position":2,"name":"AWS Certified Security Specialty","item":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/"},{"@type":"ListItem","position":3,"name":"CloudTrail Logs"}]},{"@type":"WebSite","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#website","url":"https:\/\/www.testpreptraining.ai\/tutorial\/","name":"Testprep Training 
Tutorials","description":"","publisher":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.testpreptraining.ai\/tutorial\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#organization","name":"Testprep Training","url":"https:\/\/www.testpreptraining.ai\/tutorial\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/","url":"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png","contentUrl":"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png","width":583,"height":153,"caption":"Testprep Training"},"image":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/comments?post=3012"}],"version-history":[{"count":5,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3012\/revisions"}],"predecessor-version":[{"id":5134,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3012\/revisions\/5134"}],"up":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/2474"}],"wp:attachment":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/w
p-json\/wp\/v2\/media?parent=3012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/categories?post=3012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/tags?post=3012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}