This page outlines the requirements for Cloudaware Log Management.
AWS
| Log index | Instruction |
|---|---|
| log-aws-apigateway | Ensure that permissions Cloudaware supports the tag-based discovery for CloudWatch groups. Ensure that the permission |
| log-aws-cloudfront-* | Enable logging as described in this external guide. Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket ( |
| log-aws-cloudtrail-* | Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket should be visible to Cloudaware). |
| log-aws-config-* | Enable AWS Config as described in the AWS Documentation. Ensure that Cloudaware has been granted the permission |
| log-aws-ec2-* | Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket ( |
| log-aws-eks-* | Ensure Amazon EKS is enabled as described in the AWS Documentation. Ensure that Cloudaware has been granted the permissions |
| log-aws-elb-* | Ensure that logging for ALB/ELB is on and logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket ( |
| log-aws-health-* | Ensure that permissions |
| log-aws-guardduty-* | Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket ( If logs are not discovered automatically, apply the tag |
| log-aws-rds-* | Cloudaware tracks RDS logs in both CloudWatch and events from the DB instance. Ensure that Cloudaware has the following permissions*: *These permissions are predefined in the Cloudaware Conflux Collector policy. |
| log-aws-lambda-* | Ensure that Cloudaware has been granted the permissions |
| log-aws-r53resolver-* | Ensure that logging for DNS queries is enabled as described in the AWS Documentation. |
| log-aws-trustedadvisor-* | Ensure that permissions |
| log-aws-s3accesslog-* | Ensure that logging for S3 is enabled as described in the AWS Documentation. |
| log-aws-vpcflowlogs-* | Ensure VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in the AWS Documentation. |
| log-aws-waf-* | Ensure that WAF logs are being stored in an S3 bucket or in CloudWatch Logs. Grant Cloudaware access to this bucket ( |
* If the S3 bucket is encrypted, grant Cloudaware decrypt permissions as well. You can create a custom policy for the existing Cloudaware role in the account where the log bucket is located. Below is an example of a custom policy granting decrypt permissions in addition to the necessary list* and get* permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>",
      "Effect": "Allow",
      "Sid": "AllowAccessToKMSCloudtrailBucket"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
        "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
      ],
      "Effect": "Allow",
      "Sid": "AllowAccessToLogsBucket"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
        "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

WHERE
<KEY_PLACEHOLDER> must be replaced by the relevant encryption key
<BUCKET_ID> must be replaced by the relevant bucket ID
<REGION> must be replaced by the relevant bucket region
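An added check, not Cloudaware's own tooling, that lints a filled-in copy of the policy above before it is attached to the role: it flags `<PLACEHOLDER>` tokens left unreplaced, Allow statements with a wildcard Resource, and any bucket granted s3:GetObject on its objects without the matching s3:ListBucket on the bucket ARN. The account id, key id, region and bucket names in the two sample policies are constructed.

```python
import re

PLACEHOLDER = re.compile(r"<[A-Z_]+>")   # tokens such as <REGION> that must be replaced
S3_PREFIX = "arn:aws:s3:::"

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_policy(doc):
    """Return findings as strings; an empty list means the policy passed."""
    findings, list_buckets, get_buckets = [], set(), set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "(no Sid)")
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"{sid}: wildcard Resource")
            if PLACEHOLDER.search(res):
                findings.append(f"{sid}: unreplaced placeholder in {res}")
            if res.startswith(S3_PREFIX):
                name = res[len(S3_PREFIX):]
                if "s3:ListBucket" in actions and "/" not in name:
                    list_buckets.add(name)          # bucket ARN, not bucket/*
                if "s3:GetObject" in actions and name.endswith("/*"):
                    get_buckets.add(name[:-2])      # object ARN, strip "/*"
    for bucket in sorted(get_buckets - list_buckets):
        findings.append(f"s3:GetObject on {bucket}/* but no s3:ListBucket on the bucket")
    return findings

# Constructed sample (account id, key id and region are made up): the page's
# policy with every placeholder replaced, trimmed to one bucket.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccessToKMSCloudtrailBucket", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"Sid": "AllowAccessToLogsBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::aws-controltower-logs-123456789012-us-east-1"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::aws-controltower-logs-123456789012-us-east-1/*"}]}
# Constructed counter-example: <REGION> left in the KMS ARN and no s3:ListBucket.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Kms", "Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:<REGION>:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"Sid": "Get", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::aws-controltower-logs-123456789012-us-east-1/*"}]}
```

Running `lint_policy(GOOD_POLICY)` returns an empty list, while `lint_policy(BAD_POLICY)` reports the leftover placeholder and the missing s3:ListBucket grant.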
Azure
| Log index | Instruction |
|---|---|
| log-azure-activity-* | Ensure that the Reader role has been assigned to Cloudaware as described in the Azure Start Guide. |
| log-azure-flowlogs-* | Ensure that a custom role has been created for Cloudaware with 'read' access to Storage Account keys ( |
Google Cloud
| Log index | Instruction |
|---|---|
| log-gcp-audit-* | Ensure that Cloud Logging is enabled as described in the Google Cloud Documentation. |
Host level logs
| Log index | Instruction |
|---|---|
| metricbeat | Ensure Breeze is installed on the host. Ensure the outbound connection to port 8443 on your Conflux node* is open. WARNING: once enabled, metricbeat may generate a significant number of logs. |
| winlogbeat | Ensure Breeze is installed on the host. Ensure the outbound connection to port 8443 on your Conflux node* is open. WARNING: once enabled, winlogbeat may generate a significant number of logs. |
| filebeat | Ensure Breeze is installed on the host. Ensure the outbound connection to port 8443 on your Conflux node* is open. WARNING: once enabled, filebeat may generate a significant number of logs. |
| packetbeat | Ensure Breeze is installed on the host. Ensure the outbound connection to port 8443 on your Conflux node* is open. WARNING: once enabled, packetbeat may generate a significant number of logs. |
* The DNS name and IP address of the Conflux node will be provided after Conflux is enabled for you in Cloudaware.
Other logs
AlienVault OTX
| Log index | Instruction |
|---|---|
| log-otxvault-* | Ensure that the API token is saved when the AlienVault OTX integration is configured in Cloudaware. |
Cloudflare
| Log index | Instruction |
|---|---|
| log-cloudflare- | Ensure that the API token has the following Access: Audit Logs |
GitLab Audit
| Log index | Instruction |
|---|---|
| log-gitlab- | Stream: Contact Cloudaware to request a Destination URL for event stream creation in the GitLab account. AWS S3 bucket: Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket ( |
Jamf
| Log index | Instruction |
|---|---|
| log-jamf- | AWS S3 bucket: Ensure that logs are being stored in an S3 bucket. Grant Cloudaware access to this bucket ( |
Okta
| Log index | Instruction |
|---|---|
| log-okta-system- | Provide Cloudaware support with the Okta URL and a token. |
OneLogin
| Log index | Instruction |
|---|---|
| log-onelogin- | Contact Cloudaware to request a Listener URL and a token required to create a webhook in OneLogin. Use the provided parameters in the field 'Custom headers' in the OneLogin UI (Developers → Webhooks). Specify the format as JSON Array when creating the webhook. Here is an example: WHERE |
Syslog
| Log index | Instruction |
|---|---|
| log-syslog-* | Contact Cloudaware to request a syslog server URL. Set up the log stream to the following destination: WHERE |