Note: This plugin will be deprecated soon. Customers using NetWitness Platform version 11.5 or later can use either the Amazon CloudWatch plugin or the S3 Universal Connector to capture CloudTrail logs.
To configure AWS CloudTrail, you must complete these tasks:
Configure the AWS CloudTrail event source
Configure the Log Collector for CloudTrail Collection
Configure the AWS CloudTrail Event Source
AWS CloudTrail is a web service that records AWS API calls. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. RSA NetWitness Platform can collect all of this information.
The result of the test is displayed in the dialog box. If the test is unsuccessful, edit the device or service information and retry.
Note: The Log Collector takes approximately 60 seconds to return the test results. If it exceeds the time limit, the test times out and RSA NetWitness Platform displays an error message.
If the test is successful, click OK.
The new event source is displayed in the Sources panel.
CloudTrail User Parameters
The following table describes the parameters that you need to enter when you configure the CloudTrail event source. Items marked with an asterisk (*) are required; all other parameters are optional.
Name of the event source.
Select the check box to enable the event source configuration to start collection. The check box is selected by default.
Account Identification code of the S3 Bucket.
S3 Bucket Name*
Name of the AWS (CloudTrail) S3 bucket.
Amazon S3 bucket names are globally unique, regardless of the AWS (CloudTrail) region in which you create the bucket. You specify the name at the time you create the bucket.
Bucket names should comply with DNS naming conventions. The rules for DNS-compliant bucket names are:
Bucket names must be at least three and no more than 63 characters long.
Bucket names must be a series of one or more labels. Adjacent labels are separated by a single period “.”. Bucket names can contain lowercase letters, numbers, and hyphens. Each label must start and end with a lowercase letter or a number.
Bucket names must not be formatted as an IP address (for example, 192.168.5.4).
The following examples are valid bucket names:
The following examples are invalid bucket names:
.myawsbucket - Do not start a Bucket Name with a period ".".
myawsbucket. - Do not end a Bucket Name with a period ".".
my..examplebucket - Only use one period between labels.
Key used to access the S3 bucket. Access keys are used to make secure REST or Query protocol requests to any AWS service API. Refer to Manage User Credentials on the Amazon Web Services support site for more information on access keys.
Secret Key*
Secret key used to access the S3 bucket.
Region of the S3 bucket: us-east-1 is the default value.
This parameter is required: it is needed to collect CloudTrail logs from AWS Government or Private clouds.
Starts AWS (CloudTrail) collection from the specified number of days in the past, measured from the current timestamp. The default value is 0, which starts from today. The range is 0–89 days.
Log File Prefix
Prefix of the files to be processed.
Note: If you set a prefix when you set up your CloudTrail service, make sure to enter the same prefix in this parameter.
Arbitrary IP address to be sent to the CloudTrail plugin instance. This IP is used only to label all the logs collected via this instance, using the device.ip meta key.
Warning: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.
Enables/disables debug logging for the event source.
Valid values are:
Off = (default) disabled
On = enabled
Verbose = enabled in verbose mode; adds thread information and source context information to the messages.
This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.
If you change this value, the change takes effect immediately (no restart required).
Enter the Organization ID if it is available. If multiple organizations' accounts are collecting logs into the same CloudTrail bucket, then this value is required.
Arguments added to the script.
Interval (amount of time in seconds) between each poll. The default value is 60.
For example, if you specify 60, the collector schedules a polling of the event source every 60 seconds. If the previous polling cycle is still underway, it will wait for it to finish that cycle. If you have a large number of event sources that you are polling, it may take longer than 60 seconds for the polling to start because the threads are busy.
Select the check box to communicate using SSL. The security of data transmission is managed by encrypting information and providing authentication with SSL certificates.
The check box is selected by default.
Validates the configuration parameters specified in this dialog are correct. For example, this test validates that:
RSA NetWitness Platform can connect with the S3 Bucket in AWS using the credentials specified in this dialog.
RSA NetWitness Platform can download a log file from the bucket (test connection would fail if there were no log files for the entire bucket, but this would be extremely unlikely).
Troubleshooting the AWS CloudTrail Event Source
You may already have various AWS policies configured for your organization. This can lead to permission problems arising from a policy document that does not provide the proper permissions to the S3 bucket and the corresponding subfolders.
A symptom of this problem is that users receive "403 authentication failed" or similar errors while attempting to connect to CloudTrail. In this case, users should first make sure that their credentials are correct. If that does not fix the problem, check the policies for both the IAM user involved and for the S3 bucket, since you can also give permissions to a user or group from the S3 bucket policy document.
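Once the credentials have been ruled out, the remaining question is whether the IAM user's policy (or the bucket policy) actually grants the two things the collector does during Test Connection: list the bucket and download a log object under the log file prefix. The checker below is an added example, not NetWitness or AWS code, and implements only a simplified subset of IAM evaluation (explicit Deny wins, then any matching Allow; conditions, NotAction, NotResource and principals are ignored). The bucket name, prefix and the two sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM wildcard match ('*' any run, '?' one char). Actions are case-insensitive,
    so both sides are lower-cased; ARN keys are compared the same way here for simplicity."""
    return fnmatchcase(value.lower(), pattern.lower())


def policy_allows(policy: Dict, action: str, resource: str) -> bool:
    """Simplified evaluation: an explicit Deny on a matching statement wins,
    otherwise the request is allowed if any Allow statement matches."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", []))) and any(
            _matches(r, resource) for r in _as_list(stmt.get("Resource", []))
        )
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_cloudtrail_permissions(policy: Dict, bucket: str, prefix: str = "") -> List[Tuple[str, str]]:
    """Return the (action, resource) pairs the collector needs but the policy does not grant.
    The object check uses a representative key under the prefix, since a policy that only
    covers a deeper subfolder would fail for real log files at the prefix root."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    sample_object = f"{bucket_arn}/{prefix}sample-log.json.gz"  # placeholder key, not a real layout
    needed = [("s3:ListBucket", bucket_arn), ("s3:GetObject", sample_object)]
    return [(a, r) for a, r in needed if not policy_allows(policy, a, r)]


# Constructed policy that grants exactly what collection from the AWSLogs/ prefix needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-cloudtrail-bucket"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cloudtrail-bucket/AWSLogs/*"},
    ],
}

# Constructed policy showing a common mistake: object permissions only, so the
# ListBucket call against the bucket ARN itself is refused.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-cloudtrail-bucket/*"},
    ],
}

if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("objects-only", OBJECTS_ONLY_POLICY)]:
        print(name, "->", missing_cloudtrail_permissions(pol, "example-cloudtrail-bucket", "AWSLogs/") or "ok")
```

Feed the function the policy document attached to the IAM user and, separately, the bucket policy; if either returns an empty list the permission side is not the cause of the 403, and attention can move back to the credentials, region, or organization ID settings in the dialog.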