For customers that run their infrastructure on AWS and want to ingest logs from various AWS services into NetWitness for security and compliance, we have developed the Amazon CloudWatch plugin and the S3 Universal Connector. For customers on NetWitness Platform 11.5 or later, these universal plugins remove the burden of managing a separate connector for each AWS service.
Depending on where in AWS the logs are stored, customers can use either the Amazon CloudWatch plugin or the S3 Universal Connector to ingest them into NetWitness. Both plugins use the same parsers, so the meta generated is identical regardless of which collection path is used.
The log types currently supported by the amazoncloudwatch plugin, and the parser required for each, are shown below. In addition to these log types, customers can collect any other log type and route it to a custom parser, or contact RSA customer service to request official support.
| Log Type | Parser |
| --- | --- |
| CloudTrail | aws_cloudtrail |
| VPC Flow Logs | aws |
| Route 53 | aws, aws_route53resolver |
| AWS Active Directory Logs | aws_windows |
| Windows Logs | aws_windows |
Similarly, the log types supported by the s3universal connector and their required parsers are shown below. NetWitness will continue to add support for more AWS services based on customer requests.
| Log Type | Parser |
| --- | --- |
| CloudTrail | aws_cloudtrail |
| VPC Flow Logs | aws |
| AWS WAF Logs | aws_waf |
| Cisco Umbrella (iplogs, dnslogs and proxylogs) | cisco_umbrella |
| AWS Active Directory Logs | aws_windows |
| Windows Logs | aws_windows |
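Both tables above map a log type to a parser, and the text notes that any other log type can be routed to a custom parser. The snippet below is an added example, not NetWitness or RSA code: it shows how a collector pulling raw records from CloudWatch or S3 might identify the log type from the record itself and route it to the parser named in the tables. The detection rules (CloudTrail's `eventVersion`/`eventSource` keys, the Route 53 Resolver query-log keys, and the 14-field default VPC Flow Log format) are assumptions based on the public AWS formats; the sample records are constructed, and any type the rules do not recognise is sent to the `custom` route.

```python
import json
from collections import defaultdict

# Parser names come from the tables on this page. The field checks below are
# assumptions based on the documented AWS record formats, not NetWitness logic.
VPC_FLOW_DEFAULT_FIELD_COUNT = 14   # version account-id interface-id srcaddr dstaddr
                                    # srcport dstport protocol packets bytes start end
                                    # action log-status
VPC_FLOW_LOG_STATUS = {"OK", "NODATA", "SKIPDATA"}
CLOUDTRAIL_KEYS = {"eventVersion", "eventSource", "eventName"}
ROUTE53_RESOLVER_KEYS = {"query_name", "query_type", "rcode"}


def classify_record(raw: str) -> str:
    """Return the parser a single raw AWS log record should be routed to.

    Returns 'custom' for anything the rules do not recognise, so that unknown
    log types are never silently dropped.
    """
    line = raw.strip()
    if not line:
        return "custom"

    # JSON records: CloudTrail and Route 53 Resolver query logs.
    if line.startswith("{"):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            return "custom"
        # CloudTrail delivers {"Records": [...]} per file; a single event
        # carries eventVersion/eventSource/eventName at the top level.
        if "Records" in obj or CLOUDTRAIL_KEYS <= obj.keys():
            return "aws_cloudtrail"
        if ROUTE53_RESOLVER_KEYS <= obj.keys():
            return "aws_route53resolver"
        return "custom"

    # VPC Flow Logs in the default format: 14 space-separated fields,
    # an integer version first and a log-status token last.
    fields = line.split()
    if (len(fields) == VPC_FLOW_DEFAULT_FIELD_COUNT
            and fields[0].isdigit()
            and fields[-1] in VPC_FLOW_LOG_STATUS):
        return "aws"

    return "custom"


def route_records(lines):
    """Group raw records by the parser they should be sent to."""
    routed = defaultdict(list)
    for raw in lines:
        routed[classify_record(raw)].append(raw)
    return dict(routed)


# Constructed sample records (not real data).
SAMPLE_CLOUDTRAIL = (
    '{"eventVersion":"1.08","eventSource":"sts.amazonaws.com",'
    '"eventName":"AssumeRole","awsRegion":"us-east-1"}'
)
SAMPLE_RESOLVER = (
    '{"version":"1.100000","account_id":"123456789012","region":"us-east-1",'
    '"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-01-01T00:00:00Z",'
    '"query_name":"example.com.","query_type":"A","query_class":"IN",'
    '"rcode":"NOERROR","answers":[],"srcaddr":"10.0.0.5","srcport":"53",'
    '"transport":"UDP","srcids":{"instance":"i-0123456789abcdef0"}}'
)
SAMPLE_VPC_FLOW = (
    "2 123456789012 eni-0123456789abcdef0 10.0.1.10 10.0.2.20 49152 443 6 10 840 "
    "1609459200 1609459260 ACCEPT OK"
)
SAMPLE_UNKNOWN = "Jan  1 00:00:00 host some-appliance: unrecognised event"

SAMPLES = [SAMPLE_CLOUDTRAIL, SAMPLE_RESOLVER, SAMPLE_VPC_FLOW, SAMPLE_UNKNOWN]

if __name__ == "__main__":
    for parser, recs in route_records(SAMPLES).items():
        print(f"{parser}: {len(recs)} record(s)")
```

The `custom` fallback mirrors the page's advice: a log type the plugins do not officially recognise is still collected and handed to a custom parser rather than discarded. Windows, WAF and Cisco Umbrella records are not detected here and would land in that bucket.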
The existing Amazon AWS CloudTrail and VPC Flow Logs plugins will be deprecated, and customers are advised to migrate to either the Amazon CloudWatch plugin or the S3 Universal Connector.