The Log Analysis for AWS CloudTrail application collects logs from Amazon Web Services (AWS) CloudTrail to Simple Log Service for storage, querying, analysis, and visualization.
Alibaba Cloud has proprietary rights to the information in this topic. This topic describes the capabilities of Alibaba Cloud to interact with third-party services. The names of third-party companies and services may be referenced.
Feature description
- Import CloudTrail data with simple configurations. For more information, see Import logs from AWS CloudTrail to Simple Log Service.
- Offers out-of-the-box dashboards for analyzing and auditing account events. These dashboards are categorized into Global Auditing and Service Auditing. The Global Auditing dashboard displays key metrics such as Event Count, Unauthorized Event Count, Source Service Count, and Source Region Count, along with an Insight Events list, an Event Type Distribution pie chart, and an Event Source Region Distribution pie chart. The left-side navigation pane includes entries for Data Reports (Global Auditing, Service Auditing), query and analysis, and Access Management.
- Supports custom query and analysis of collected data. Use the query and analysis feature to examine raw CloudTrail logs. Log fields include awsRegion, eventName, eventSource, eventTime, eventType, sourceIPAddress, userAgent, and more.
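The following added example (not Alibaba Cloud or AWS code) shows how the Global Auditing key metrics and a failed sign-in breakdown can be derived from raw CloudTrail records using the fields listed above. The records are constructed samples. The definition of an "unauthorized" event (an errorCode containing AccessDenied or UnauthorizedOperation) is an assumption, and errorCode and responseElements are CloudTrail record fields that the list above does not name.

```python
import json
from collections import Counter

# Constructed sample (not real logs): one CloudTrail record per line; the last line is truncated.
SAMPLE = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","eventType":"AwsApiCall","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.15","errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","eventType":"AwsApiCall","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.9","userAgent":"Boto3/1.34","errorCode":"Client.UnauthorizedOperation"}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.9","userAgent":"Mozilla/5.0","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.9","userAgent":"Mozilla/5.0","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T10:04:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","eventType":"AwsApiCall","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userAgent":"console.amazonaws.com"}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":
""".strip().splitlines()

# Assumption: an event counts as unauthorized when its errorCode contains one of these markers.
UNAUTHORIZED_MARKERS = ("AccessDenied", "UnauthorizedOperation")

def is_unauthorized(rec):
    return any(m in rec.get("errorCode", "") for m in UNAUTHORIZED_MARKERS)

def is_failed_console_login(rec):
    # Console sign-in results are reported in responseElements.ConsoleLogin.
    resp = rec.get("responseElements") or {}
    return rec.get("eventName") == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure"

def summarize(lines):
    records, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if isinstance(rec, dict):
            records.append(rec)
        else:
            skipped += 1  # lines that do not parse to a JSON object are counted, not dropped silently
    failed = Counter(r.get("sourceIPAddress") for r in records if is_failed_console_login(r))
    return {
        "event_count": len(records),
        "unauthorized_event_count": sum(is_unauthorized(r) for r in records),
        "source_service_count": len({r.get("eventSource") for r in records}),
        "source_region_count": len({r.get("awsRegion") for r in records}),
        "event_types": dict(Counter(r.get("eventType") for r in records)),
        "failed_logins_by_ip": dict(failed),
        "skipped_lines": skipped,
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```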
Workflow
Before you use the Log Analysis for AWS CloudTrail application, create a trail in the AWS CloudTrail console and a queue in the Amazon Simple Queue Service (SQS) console.
Assets
The application creates the following assets in the specified project:
- Logstore
  When you import AWS CloudTrail logs, Simple Log Service automatically creates a Logstore named aws_cloudtrail_**** and enables an index for it.
- Dashboards
  - Global Auditing
    - Overview: Shows an overview of all events recorded by AWS CloudTrail, including event count, source service count, source region count, Insights events, event distribution by type and region, and event trends.
    - Logon Auditing: Shows sign-in events recorded by AWS CloudTrail, including global sign-in distribution, trends of successful and failed sign-in events, distribution of failed authentication events, and global distribution of failed authentication events.
  - Service Auditing
    - S3 Data Event: Shows Amazon Simple Storage Service (S3) data events recorded by AWS CloudTrail, including bucket list, object operation counts (read, write, and delete), and operation trends.
      Note: The dashboard displays data only if the trail that you create in AWS CloudTrail records data events. For more information, see Data events.
    - IAM Auditing: Shows Identity and Access Management (IAM) events recorded by AWS CloudTrail, including error event count and distribution, and user change event distribution and details.
    - Network and Security Auditing: Shows network and security events recorded by AWS CloudTrail, including VPC change event distribution and details, and network firewall change event distribution and details.
Billing
- Collecting logs from AWS CloudTrail to Simple Log Service incurs charges for read traffic on Amazon SQS and Amazon S3. For more information, see AWS pricing.
- After data is stored in Simple Log Service, you are charged for storage, read traffic, requests, data transformation, and data shipping. These fees are included in your Simple Log Service bills. For more information, see Billable items for pay-by-feature.