Log Management - Requirements

AWS

Log index

Instruction

log-aws-apigateway

Ensure that permissions logs:DescribeLogGroups, logs:DescribeLogStreams and logs:GetLogEvents are granted to Cloudaware. Logs from CloudWatch groups will be discovered automatically.

Cloudaware supports the tag-based discovery for CloudWatch groups. Ensure that the permission logs:ListTagsForResource is granted and the tag log-source:apigateway is present.

log-aws-cloudfront-*

Enable logging as described in this external guide.

Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket (s3:GetObject and s3:ListObject permissions).

log-aws-cloudtrail-*

Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket must be accessible to Cloudaware).

log-aws-config-*

Enable AWS Config as described in AWS Documentation.

Ensure that Cloudaware has been granted the permission config:Des* (or config:DescribeDeliveryChannels as a minimum).

log-aws-ec2-*

Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket (s3:GetObject and s3:ListObject permissions).

log-aws-eks-*

Ensure Amazon EKS is enabled as described in AWS Documentation.

Ensure that Cloudaware has been granted the permissions logs:DescribeLogGroups, logs:DescribeLogStreams and logs:GetLogEvents.

log-aws-elb-*

Ensure that logging for ALB/ELB is on and logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket (s3:GetObject and s3:ListObject permissions).

log-aws-health-*

Ensure that permissions health:DescribeEvents, health:DescribeAffectedEntities and health:DescribeEventDetails are granted to Cloudaware.

log-aws-guardduty-*

Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket (s3:GetObject and s3:ListObject permissions).

If logs are not discovered automatically, apply the tag log-source:guardduty to the bucket.

log-aws-rds-*

Cloudaware tracks RDS logs both in CloudWatch and as events from the DB instance. Ensure that Cloudaware has the following permissions*:

  • for logs from CloudWatch: logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents

  • for logs from DB instance: rds:DescribeDBInstances, rds:DescribeDBLogFiles, rds:DownloadCompleteDBLogFile, rds:DownloadDBLogFilePortion

*These permissions are predefined in the Cloudaware Conflux Collector policy.

log-aws-lambda-*

Ensure that Cloudaware has been granted the permissions logs:DescribeLogGroups, logs:DescribeLogStreams, logs:ListTagsForResource and logs:GetLogEvents.
Cloudaware automatically discovers the CloudWatch groups where Lambda logs are stored. If the search returns no results, tag the group(s) with the tag log-source:lambda.

log-aws-r53resolver-*

Ensure that logging for DNS Queries is enabled as described in AWS Documentation.

log-aws-trustedadvisor-*

Ensure that permissions support:DescribeTrustedAdvisorChecks and support:DescribeTrustedAdvisorCheckResult are granted to Cloudaware.

log-aws-s3accesslog-*

Ensure that logging for S3 is enabled as described in AWS Documentation.

log-aws-vpcflowlogs-*

Ensure VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation.

log-aws-waf-*

Ensure that WAF logs are being stored in an S3 bucket or in CloudWatch Logs. Grant Cloudaware access to the log destination: kinesis:DescribeStream and kinesis:ListStreams permissions should be in place, along with either s3:ListBucket and s3:GetObject (S3 destination) or logs:DescribeLogGroups, logs:DescribeLogStreams and logs:GetLogEvents (CloudWatch Logs destination).

* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role at the account level where the log bucket is located. Below is an example of a custom policy granting decrypt permissions in addition to the necessary list* and get* permissions:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
   ],
   "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>",
   "Effect": "Allow",
   "Sid": "AllowAccessToKMSCloudtrailBucket"
  },
  {
   "Action": [
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
   ],
   "Effect": "Allow",
   "Sid": "AllowAccessToLogsBucket"
  },
  {
   "Action": [
    "s3:GetObject"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
   ],
   "Effect": "Allow"
  }
 ]
}

WHERE

<KEY_PLACEHOLDER> must be replaced by a relevant encryption key

<BUCKET_ID> must be replaced by a relevant bucket ID

<REGION> must be replaced by a relevant bucket region
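
One way to check a collector role's policy document against the per-log-index permission lists above, as an added example that is not Cloudaware's own code: it expands IAM action wildcards such as config:Des* and reports which required actions a policy does not grant. REQUIRED_ACTIONS, SAMPLE_POLICY and its placeholder ARNs are constructed here, and the check reads only the Allow actions, not resources, conditions or Deny statements.

```python
import fnmatch
import json

# Required IAM actions per log index, from the requirements above (minimum action where a wildcard is accepted).
REQUIRED_ACTIONS = {
    "log-aws-apigateway": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                           "logs:GetLogEvents", "logs:ListTagsForResource"],
    "log-aws-config-*": ["config:DescribeDeliveryChannels"],
    "log-aws-rds-*": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                      "logs:GetLogEvents", "rds:DescribeDBInstances",
                      "rds:DescribeDBLogFiles", "rds:DownloadCompleteDBLogFile",
                      "rds:DownloadDBLogFilePortion"],
    "log-aws-waf-* (S3)": ["kinesis:DescribeStream", "kinesis:ListStreams",
                           "s3:ListBucket", "s3:GetObject"],
}

# Constructed sample policy for the collector role (placeholder ARNs, not real ones).
# Deliberately incomplete: no logs:GetLogEvents, no rds:Download*, no kinesis:*.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["logs:Describe*", "logs:ListTagsForResource",
                    "config:Des*", "rds:Describe*"]},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<KEY_PLACEHOLDER>"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::<LOG_BUCKET>", "arn:aws:s3:::<LOG_BUCKET>/*"]},
    ],
})

def allowed_patterns(policy):
    """Action patterns of every Allow statement (policy as dict or JSON string).
    Resources, conditions and Deny statements are ignored: a clean result is necessary, not sufficient."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    patterns = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            acts = stmt["Action"]
            patterns.extend([acts] if isinstance(acts, str) else acts)
    return patterns

def is_allowed(action, patterns):
    """IAM action names are case-insensitive and may carry '*' / '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policy):
    """Map each log index to the required actions the policy does not grant."""
    patterns = allowed_patterns(policy)
    return {idx: [a for a in acts if not is_allowed(a, patterns)]
            for idx, acts in REQUIRED_ACTIONS.items()}
```

For a definitive answer on a real role, confirm the result with the IAM policy simulator, which also evaluates resources, conditions and Deny statements.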

Azure

Log index

Instruction

log-azure-activity-*

Ensure that the Reader role has been assigned to Cloudaware based on Azure Start Guide.

log-azure-flowlogs-*

Ensure that a custom role has been created for Cloudaware to have 'read' access to Storage Account keys (Microsoft.Storage/storageAccounts/listKeys/action permission).

Google Cloud

Log index

Instruction

log-gcp-audit-*

Ensure that Cloud logging is enabled as described in Google Cloud Documentation.

Host level logs

Log index

Instruction

metricbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, metricbeat may generate a significant number of logs.

winlogbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, winlogbeat may generate a significant number of logs.

filebeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, filebeat may generate a significant number of logs.

packetbeat

Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, packetbeat may generate a significant number of logs.

* The DNS name and IP address will be provided after Conflux is enabled for you in Cloudaware.

Other logs

GitLab Audit

Log index

Instruction

log-gitlab-

stream: Contact Cloudaware to request a Destination URL for event stream creation in your GitLab account.

AWS S3 bucket: Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket (s3:GetObject and s3:ListObject permissions). Ensure that the tag log-source:gitlab is applied to the bucket.

Okta

Log index

Instruction

log-okta-system-

Provide Cloudaware support with the Okta URL and a token.

OneLogin

Log index

Instruction

log-onelogin-

Contact Cloudaware to request the Listener URL and token required to create a webhook in OneLogin. Enter the provided parameters in the 'Custom headers' field in the OneLogin UI (Developers → Webhooks). Specify the format as JSON Array when creating the webhook. Here is an example:

Listener URL: https://COMPANYNAME-conflux.cloudaware.com:XXXX
Custom Headers:
    conflux: Xxx1xxxx0xxxxxXXxX
Format:  JSON Array

WHERE <COMPANYNAME> must be replaced by your organization name

Syslog

Log index

Instruction

log-syslog-*

Contact Cloudaware to request a syslog server URL. Set up the log stream to the following destination:
Host: COMPANYNAME-syslog-conflux.cloudaware.com
Port: 514
Protocol: TCP

WHERE <COMPANYNAME> must be replaced by your organization name