
Log Management - Requirements

AWS

Log index

Instruction

alb, elb

Ensure that logging for ALB/ELB is on and the logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket (s3:GetObject and s3:ListObject permissions).

aws-config

Enable AWS Config as described in AWS Documentation.

Ensure that Cloudaware has been granted the permission config:Des* (or config:DescribeDeliveryChannels as a minimum).

aws-rds

Cloudaware tracks RDS logs both in CloudWatch and as events from the DB instance. Ensure that Cloudaware has the following permissions*:

  • for logs from CloudWatch: logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents

  • for logs from DB instance: rds:DescribeDBInstances, rds:DescribeDBLogFiles, rds:DownloadCompleteDBLogFile, rds:DownloadDBLogFilePortion

*These permissions are predefined in Cloudaware Conflux Collector policy.

cloudfront

Enable logging as described in this external guide.

Ensure that the logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket (s3:GetObject and s3:ListObject permissions).

cloudtrail

Ensure that CloudTrail is enabled and its data is accessible: the S3 bucket holding the CloudTrail logs must be accessible to Cloudaware.

eks-logs

Ensure that Amazon EKS logging is enabled as described in AWS Documentation.

Ensure that Cloudaware has been granted the permissions logs:DescribeLogGroups, logs:DescribeLogStreams and logs:GetLogEvents.

lambda

Ensure that Cloudaware has been granted the permissions logs:DescribeLogGroups, logs:DescribeLogStreams, logs:ListTagsForResource and logs:GetLogEvents.
Cloudaware automatically discovers the CloudWatch log groups where Lambda logs are stored. If that search returns no results, tag the group(s) with the tag log-source: lambda.

log-aws-apigateway

Ensure that the permissions logs:DescribeLogGroups, logs:DescribeLogStreams and logs:GetLogEvents are granted to Cloudaware. Log groups in CloudWatch are discovered automatically.

Cloudaware also supports tag-based discovery of CloudWatch log groups. For that, ensure that the permission logs:ListTagsForResource is granted and that the tag log-source: apigateway is present on the group(s).

route53

Ensure that logging for DNS Queries is enabled as described in AWS Documentation.

s3-access-logs*

Ensure that logging for S3 is enabled as described in AWS Documentation.

vpc-flow-logs

Ensure that VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation.

waf-logs

Ensure that WAF logs are being stored in an S3 bucket or in CloudWatch Logs. Grant Cloudaware access to the log destination: kinesis:DescribeStream and kinesis:ListStreams permissions should be in place in either case, together with s3:ListBucket and s3:GetObject for an S3 destination, or logs:DescribeLogGroups, logs:DescribeLogStreams and logs:GetLogEvents for a CloudWatch Logs destination.

* If the S3 bucket is encrypted, grant Cloudaware decrypt permissions as well. You can create a custom policy for the existing Cloudaware role in the account where the log bucket is located. Below is an example of a custom policy granting decrypt permissions in addition to the necessary list* and get* permissions:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
   ],
   "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>",
   "Effect": "Allow",
   "Sid": "AllowAccessToKMSCloudtrailBucket"
  },
  {
   "Action": [
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
   ],
   "Effect": "Allow",
   "Sid": "AllowAccessToLogsBucket"
  },
  {
   "Action": [
    "s3:GetObject"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
   ],
   "Effect": "Allow"
  }
 ]
}

where

<KEY_PLACEHOLDER> should be replaced by the ID of the corresponding encryption key

<BUCKET_ID> should be replaced by the corresponding bucket id

<REGION> should be replaced by the corresponding bucket region
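The permissions listed in the table above are easy to get subtly wrong: s3:GetObject granted on the bucket ARN instead of the objects under it, a wildcard such as logs:Describe* that does not cover logs:ListTagsForResource, or an explicit Deny elsewhere in the role that overrides an Allow. The following is an added example, not Cloudaware's code, of a static pre-flight check that evaluates an IAM policy document against those requirements before the role is handed over. It models only Effect, Action and Resource (no NotAction, NotResource or Condition keys), matches IAM wildcards with fnmatch, spells the S3 list permission s3:ListBucket as the policy example above does, and uses constructed bucket and key values; the requirement lists are transcribed from the table.

```python
"""Static pre-flight check of an IAM policy against the log-access requirements above.

Added example, not Cloudaware's code. Only Effect/Action/Resource are modelled
(no NotAction, NotResource or Condition); a real policy file can be loaded with
json.load() and passed to the same functions.
"""
import fnmatch

# CloudWatch Logs / RDS actions per log index, transcribed from the table above.
CLOUDWATCH_ACTIONS = {
    "aws-rds": ["logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents",
                "rds:DescribeDBInstances", "rds:DescribeDBLogFiles",
                "rds:DownloadCompleteDBLogFile", "rds:DownloadDBLogFilePortion"],
    "eks-logs": ["logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents"],
    "lambda": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
               "logs:ListTagsForResource", "logs:GetLogEvents"],
    "log-aws-apigateway": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                           "logs:GetLogEvents", "logs:ListTagsForResource"],
}


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcard match (* and ?); callers lower-case actions, ARNs stay case-sensitive."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if some Allow statement covers action+resource and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(_glob(p, action.lower()) for p in actions):
            continue
        if not any(_glob(p, resource) for p in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny always wins, whatever else allows
        allowed = True
    return allowed


def required_for_s3_logs(bucket, kms_key_arn=None):
    """(action, resource) pairs for an S3 log bucket (ALB/ELB, CloudFront, GitLab rows).
    ListBucket targets the bucket ARN, GetObject the objects under it (bucket/*)."""
    reqs = [("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
            ("s3:GetObject", f"arn:aws:s3:::{bucket}/*")]
    if kms_key_arn:  # footnote above: an encrypted bucket also needs decrypt rights on the key
        reqs += [("kms:Decrypt", kms_key_arn), ("kms:DescribeKey", kms_key_arn)]
    return reqs


def required_for_cloudwatch(log_index, resource="*"):
    """(action, resource) pairs for a CloudWatch-sourced log index from the table."""
    return [(a, resource) for a in CLOUDWATCH_ACTIONS[log_index]]


def missing(policy, requirements):
    """The subset of (action, resource) pairs that the policy does not grant."""
    return [(a, r) for a, r in requirements if not is_allowed(policy, a, r)]


# Constructed sample values, not from a real account.
BUCKET = "aws-controltower-logs-111122223333-us-east-1"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/KEY_PLACEHOLDER"

# Shaped like the policy example above, plus the CloudWatch/RDS read actions.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KEY_ARN},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Action": ["logs:Describe*", "logs:Get*", "logs:ListTagsForResource",
                                       "rds:Describe*", "rds:Download*"], "Resource": "*"},
    ],
}

# Common mistakes: GetObject on the bucket ARN (not bucket/*), no KMS grant,
# and a Deny that silently removes the tag permission the lambda row needs.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:ListTagsForResource", "Resource": "*"},
    ],
}


def report(policy):
    """Missing grants per log source for the sample bucket and key."""
    out = {"s3-encrypted-bucket": missing(policy, required_for_s3_logs(BUCKET, KEY_ARN))}
    for idx in CLOUDWATCH_ACTIONS:
        out[idx] = missing(policy, required_for_cloudwatch(idx))
    return out


if __name__ == "__main__":
    for name, pol in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name)
        for idx, gaps in report(pol).items():
            print(f"  {idx}: {'ok' if not gaps else gaps}")
```

This is a syntactic check only: bucket policies, the KMS key policy (which must itself allow the Cloudaware role to use the key) and any Condition blocks are outside its model, so treat a clean result as a first filter and confirm with the IAM policy simulator (aws iam simulate-principal-policy) against the actual role.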

Azure

Log Index

Instruction

azure-activity

Ensure that the Reader role has been assigned to Cloudaware as described in the Azure Start Guide.

azure-flowlogs

Ensure that a custom role has been created granting Cloudaware 'read' access to Storage Account keys (the Microsoft.Storage/storageAccounts/listKeys/action permission).

Google Cloud

Log index

Instruction

google-audit-

Ensure that Cloud Logging is enabled as described in Google Cloud Documentation.

Host level logs

Log index

Instruction

metricbeat

Ensure that Breeze is installed on the host and that an outbound connection to port 8443 on your Conflux node* is allowed. WARNING: once enabled, metricbeat may generate a significant number of logs.

winlogbeat

Ensure that Breeze is installed on the host and that an outbound connection to port 8443 on your Conflux node* is allowed. WARNING: once enabled, winlogbeat may generate a significant number of logs.

filebeat

Ensure that Breeze is installed on the host and that an outbound connection to port 8443 on your Conflux node* is allowed. WARNING: once enabled, filebeat may generate a significant number of logs.

packetbeat

Ensure that Breeze is installed on the host and that an outbound connection to port 8443 on your Conflux node* is allowed. WARNING: once enabled, packetbeat may generate a significant number of logs.

* The DNS name and IP address will be provided after Conflux is enabled for you in Cloudaware.

Other logs

GitLab Audit

Log index

Instruction

log-gitlab-

stream: Contact Cloudaware to request a Destination URL for creating an event stream in your GitLab account.

AWS S3 bucket: Ensure that the logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket (s3:GetObject and s3:ListObject permissions). Ensure that the tag log-source => gitlab is set on the bucket.

Okta

Log index

Instruction

log-okta-system-

Provide Cloudaware support with the Okta URL and a token.

OneLogin

Log index

Instruction

log-onelogin-

Contact Cloudaware to request a Listener URL and a token, which are required to create a webhook in OneLogin. Enter the provided parameters in the 'Custom headers' field of the OneLogin UI (Developers → Webhooks). Set the format to JSON Array when creating the webhook. Here is an example:

Listener URL: https://COMPANYNAME-conflux.cloudaware.com:XXXX
Custom Headers:
    conflux: Xxx1xxxx0xxxxxXXxX
Format:  JSON Array

Syslog

Log index

Instruction

log-syslog-*

Contact Cloudaware to request a syslog server URL. Set up the log stream to the following destination:
Host: COMPANYNAME-syslog-conflux.cloudaware.com
Port: 514
Protocol: TCP
