Skip to main content
Skip table of contents

Log Management - Requirements

AWS

Log index

Instruction

log-aws-apigateway

Ensure that permissions logs:DescribeLogGroups, logs:DescribeLogStreams and logs:GetLogEvents are granted to Cloudaware. Logs from CloudWatch groups will be discovered automatically.

Cloudaware supports the tag-based discovery for CloudWatch groups. Ensure that the permission logs:ListTagsForResource is granted and the tag log-source:apigateway is present.

log-aws-cloudfront-*

Enable logging as described in this external guide.

Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions).

log-aws-cloudtrail-*

Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket should be present to Cloudaware).

log-aws-config-*

Enable AWS Config as described in AWS Documentation.

Ensure that Cloudaware has been granted with the permission config:Des* (or config:DescribeDeliveryChannels as minimum).

log-aws-ec2-*

Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions).

log-aws-eks-*

Ensure Amazon EKS is enabled as described in AWS Documentation.

Ensure that Cloudaware has been granted with permissions logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents.

log-aws-elb-*

Ensure that that logging for ALB/ELB is on and logs are being stored in S3 Bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions).

log-aws-health-*

Ensure that permissions health:DescribeEvents, health:DescribeAffectedEntities and health:DescribeEventDetails are granted to Cloudaware.

log-aws-guardduty-*

Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions).

If logs are not discovered automatically, apply the tag log-source:guardduty on the bucket to fix it.

log-aws-rds-*

Cloudaware tracks RDS logs in both CloudWatch and events from DB instance. Ensure that Cloudaware has the following permissions*:

  • for logs from CloudWatch: logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents

  • for logs from DB instance: rds:DescribeDBInstances, rds:DescribeDBLogFiles, rds:DownloadCompleteDBLogFile, rds:DownloadDBLogFilePortion

*These permissions are predefined in Cloudaware Conflux Collector policy.

log-aws-lambda-*

Ensure that Cloudaware has been granted with permissions logs:DescribeLogGroups, logs:DescribeLogStreams, logs:ListTagsForResource and logs:GetLogEvents.
Cloudaware automatically discovers CloudWatch groups where Lambda logs are stored. If the search didn't bring results, tag the group(s) with log-source: lambda tag.

log-aws-r53resolver-*

Ensure that logging for DNS Queries is enabled as described in AWS Documentation.

log-aws-trustedadvisor-*

Ensure that permissions support:DescribeTrustedAdvisorChecks and support:DescribeTrustedAdvisorCheckResult are granted to Cloudaware.

log-aws-s3accesslog-*

Ensure that logging for S3 is enabled as described in AWS Documentation.

log-aws-vpcflowlogs-*

Ensure VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation.

log-aws-waf-*

Ensure that WAF logs are being stored in S3 Bucket or in CloudWatch Logs. Grant Cloudaware with access to this bucket (kinesis:DescribeStream and kinesis:ListStreams permissions should be in place, along with s3:ListBucket and s3:GetObject or logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents depending on the log destination).

* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role on the account level, where the log bucket is located. Below is the example of a custom policy granting decrypt permissions, in addition to the necessary list* and get* permissions:

CODE 
{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
   ],
   "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>",
   "Effect": "Allow",
   "Sid": "AllowAccessToKMSCloudtrailBucket"
  },
  {
   "Action": [
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
   ],
   "Effect": "Allow",
   "Sid": "AllowAccessToLogsBucket"
  },
  {
   "Action": [
    "s3:GetObject"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
   ],
   "Effect": "Allow"
  }
 ]
}

WHERE

<KEY_PLACEHOLDER> must be replaced by a relevant encryption key

<BUCKET_ID> must be replaced by a relevant bucket ID

<REGION> must be replaced by a relevant bucket region

Azure

Log index

Instruction

log-azure-activity-*

Ensure that the Reader role has been assigned to Cloudaware based on Azure Start Guide.

log-azure-flowlogs-*

Ensure that a custom role has been created for Cloudaware to have 'read' access to Storage Account keys (Microsoft.Storage/storageAccounts/listKeys/action permission).

Google Cloud

Log index

Instruction

log-gcp-audit-*

Ensure that Cloud logging is enabled as described in Google Cloud Documentation.

Host level logs

Log index

Instruction

metricbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, metriсbeat may generate a significant number of logs

winlogbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, winglobeat may generate a significant number of logs

filebeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, filebeat may generate a significant number of logs

packetbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, packetbeat may generate a significant number of logs

* DNS name and IP address will be provided after Conflux is enabled for you in Cloudaware

Other logs

Cloudflare

Log index

Instruction

log-cloudflare-

Ensure that the API token has the following read permissions configured at the account level in Cloudflare:

Access: Audit Logs
Account Settings

GitLab Audit

Log index

Instruction

log-gitlab-

stream: Contact Cloudaware to request a Destination URL for event stream creation in GitLab account. Learn more

AWS S3 bucket: Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions). Ensure that the taglog-source => gitlab is used on the bucket.

Okta

Log index

Instruction

log-okta-system-

Provide the Cloudaware support with Okta URL and a token.

OneLogin

Log index

Instruction

log-onelogin-

Contact Cloudaware to request a Listener URL and a token required to create a webhook in OneLogin. Use the provided parameters in the field 'Custom headers' in OneLogin UI (Developers → Webhooks). Specify the format as JSON Array when creating the webhook. Here is an example:

CODE 
Listener URL: https://COMPANYNAME-conflux.cloudaware.com:XXXX
Custom Headers:
    conflux: Xxx1xxxx0xxxxxXXxX
Format:  JSON Array

WHERE <COMPANYNAME> must be replaced by your organization name

Syslog

Log index

Instruction

log-syslog-*

Contact Cloudaware to request a syslog server URL. Set up the logs stream to the following destination:
Host: COMPANYNAME-syslog-conflux.cloudaware.com
Port: 514
Protocol: TCP

WHERE <COMPANYNAME> must be replaced by your organization name

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close