Simple Log Service: Import Logs from AWS CloudTrail to Simple Log Service

Last Updated: Aug 29, 2023

This topic describes how to import logs from AWS CloudTrail to Simple Log Service.

Preparations

Important

This topic is proprietary information of Alibaba Cloud, and describes the capabilities that are provided by Alibaba Cloud to interact with third-party services. Therefore, the names of third-party companies and services may be referenced in this topic.

Before you can use the Log Analysis for AWS CloudTrail application to import logs from AWS CloudTrail to Simple Log Service, you must configure the following settings in Amazon Web Services (AWS). This way, Amazon Simple Storage Service (Amazon S3) can send notifications to Amazon Simple Queue Service (Amazon SQS) after AWS CloudTrail writes data to the specified Amazon S3 bucket in your trail.

  1. Create a trail in AWS CloudTrail. For more information, see Creating and updating a trail with the console.

  2. Create a queue in Amazon SQS. For more information, see Create a queue (console).

  3. Enable event notifications for the specified Amazon S3 bucket in the trail that you created in Step 1. For more information, see Amazon S3 Event Notifications.

    Select the queue that you created in Step 2 as the destination when you enable event notifications.
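The three preparation steps build a delivery chain: CloudTrail writes a gzipped log object to the bucket, S3 posts an event notification to the SQS queue, and the importer receives that message, fetches the object and decodes its records. The following Python is an added illustration of that consumer side (not Simple Log Service code); it runs offline on constructed sample messages and handles two edge cases a real queue delivers: the one-time s3:TestEvent message S3 sends when notifications are enabled, and URL-encoded object keys.

```python
import gzip
import json
from urllib.parse import unquote_plus

# Constructed sample: the body of one Amazon SQS message as S3 event notifications
# deliver it after CloudTrail writes a log file to the trail's bucket.
SAMPLE_S3_EVENT = json.dumps({"Records": [{
    "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-trail-bucket"},
           "object": {"key": "AWSLogs/111122223333/CloudTrail/us-east-1/2023/08/29/"
                             "111122223333_CloudTrail_us-east-1_20230829T0000Z_abc123.json.gz"}}}]})

# Constructed sample: the one-time test message S3 sends when notifications are enabled.
SAMPLE_TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                                "Bucket": "example-trail-bucket"})

def object_refs_from_sqs_body(body):
    """Return (bucket, key) pairs for the CloudTrail log objects named in one SQS message.

    Skips the s3:TestEvent message, non-create events and CloudTrail digest objects."""
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return []
    refs = []
    for rec in msg.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # keys are URL-encoded in notifications
        if "/CloudTrail/" in key and key.endswith(".json.gz"):
            refs.append((bucket, key))
    return refs

def cloudtrail_records(gz_bytes):
    """Decode one CloudTrail log object: gzip-compressed JSON with a top-level Records list."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]

def trail_tampering_events(records):
    """Pick out the CloudTrail management events that disable or weaken logging itself."""
    watched = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
    return [r for r in records if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in watched]

def make_sample_log_object():
    """Constructed stand-in for the object s3:GetObject would return for the key above."""
    records = {"Records": [
        {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1"},
        {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1"}]}
    return gzip.compress(json.dumps(records).encode())
```

In production the message body comes from sqs:ReceiveMessage and the object from s3:GetObject (plus kms:Decrypt when the trail uses SSE-KMS), which is why the permissions listed below are required.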

Note

If you use an AWS Identity and Access Management (IAM) user, you must grant the user the following permissions. For more information, see Create and attach a policy to an IAM user.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "s3:GetObject",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
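The policy above grants every listed action on "Resource": "*", so the access key pair entered into the configuration can read any bucket and any queue in the account. As an added example (not from Alibaba Cloud or AWS documentation), the following Python builds the same set of actions scoped to the one queue and the trail's log prefix; the account ID, region, queue name, bucket and KMS key ARN are caller-supplied assumptions, and the S3 prefix assumes a single-account trail rather than an organization trail.

```python
import json

def least_privilege_policy(account_id, region, queue_name, bucket, kms_key_arn=None):
    """Build an IAM policy with the actions the import needs, scoped to one queue and one bucket.

    kms:Decrypt is only added when a key ARN is given, i.e. when the trail uses SSE-KMS."""
    queue_arn = f"arn:aws:sqs:{region}:{account_id}:{queue_name}"
    statements = [
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:SendMessage",
                    "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
         "Resource": queue_arn},
        # sqs:ListQueues has no resource-level permissions, so it must stay on "*".
        {"Effect": "Allow", "Action": "sqs:ListQueues", "Resource": "*"},
        # CloudTrail writes under AWSLogs/<account-id>/ for a single-account trail (assumption).
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"},
    ]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}

def wildcard_actions(policy):
    """Review helper: list every action a policy allows on Resource "*"."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            continue
        actions = stmt["Action"]
        found.extend([actions] if isinstance(actions, str) else actions)
    return found

if __name__ == "__main__":
    # Constructed example values; replace with the queue and bucket created in the steps above.
    policy = least_privilege_policy("111122223333", "us-east-1", "cloudtrail-notify",
                                    "example-trail-bucket",
                                    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")
    print(json.dumps(policy, indent=2))
    print("actions still on *:", wildcard_actions(policy))
```

Running wildcard_actions on the policy shown above returns all seven actions; on the scoped policy it returns only sqs:ListQueues.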

Procedure

  1. Log on to the Log Service console.
  2. On the Audit & Security tab in the Log Application section, click Log Analysis for AWS CloudTrail.

  3. On the Access Management page, click Add.

  4. In the Create Configuration panel, create a Log Analysis for AWS CloudTrail configuration.

    1. Configure the parameters. The following list describes the parameters.

      Configuration Name: The name of the Log Analysis for AWS CloudTrail configuration.

      Project: The name of the project to which the assets of the Log Analysis for AWS CloudTrail application belong.
        Note: Only projects that reside in the following regions are supported: China (Hangzhou), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Chengdu), and China (Shenzhen).

      AWS Account ID: The ID of your AWS account.

      AWS AccessKey ID: The AWS access key ID.
        Important: Make sure that the AWS access key pair has the permissions to access the AWS resources that you want to manage.

      AWS Secret AccessKey: The AWS secret access key.

      AWS Region: The region where the Amazon SQS queue resides.

      SQS Queue URL: The URL that identifies the Amazon SQS queue. For more information, see Amazon SQS queue and message identifiers.

      SQS BatchSize: The maximum number of messages that are pulled from Amazon SQS in each request. Valid values: 1 to 10. Default value: 10.

      Import Interval: The interval at which the data pulling task is scheduled. Valid values: 1 to 43200. Default value: 3. Unit: minutes.

      Concurrent Tasks: The number of concurrent tasks that are used to pull data. Valid values: 1 to 20. Default value: 1.
        Note: If you want to import a large volume of data, we recommend that you set this parameter to a larger value.

    2. Click Preview.

      Note

      If the preview fails, check the parameter settings against the error messages. You can go to the next step only after the preview reports success.

    3. Click OK.

Related operations

The following list describes the operations that you can perform on the Access Management page.

View audit logs: Click View Audit Logs in the Actions column of a configuration. You are redirected to the Logstore in which the raw logs are stored, where you can view, query, and analyze them. For more information, see Query and analyze logs.

View reports: Click View Reports in the Actions column of a configuration. You are redirected to the dashboard page, on which you can view the audit-related dashboards.

Change the data retention period: Find the data retention period of a configuration and click the Modify Data Retention Period icon to change the retention period of the Logstore in which the raw logs are stored.

Modify a configuration: Click Modify in the Actions column of a configuration. You can modify parameters such as Configuration Name and Project.

Delete a configuration: If you no longer use a configuration, click Delete in the Actions column of the configuration.

Important
  • If you delete a configuration, the data import tasks that are generated for the configuration are deleted. The Logstore that is created for the configuration is retained.

  • Data that is imported to the Logstore is not deleted until the data retention period elapses.

  • After you delete a configuration, it cannot be restored. Proceed with caution.