This article covers how to create an Amazon S3 bucket, forward GitHub audit logs to that bucket, and configure a feed in Chronicle to ingest them.
The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.
To stream audit logs to Amazon's S3 endpoint, you must have a bucket and access keys. Make sure to block public access to the bucket to protect your audit log information.
Creating an Amazon S3 bucket
- In the AWS console, select Create new S3 bucket. You may also choose to use an existing S3 bucket.
- Provide a name for the AWS KMS alias or choose an existing AWS KMS Key.
- Leave the other settings as default and click Next.
- Choose Event type, and add Data events as required. Then, click Next.
- Review the settings in Review and create and click Create trail.
- In the AWS console, search for Amazon S3 Buckets.
- Click the newly created log bucket and select the folder AWS Logs. Then click Copy S3 URI and save it for use in the following steps.
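The article asks you to block public access to the audit-log bucket; the following is an added example (not part of the original article, and not GitHub's or AWS's code) that checks a bucket's configuration against that requirement. The two input dicts mirror the shapes boto3 returns from get_public_access_block and get_bucket_encryption; the sample responses and the KMS alias are constructed placeholders so the check runs offline.

```python
# Added example: verify that an audit-log bucket has S3 Block Public Access
# fully enabled and a default server-side encryption rule. The input dicts
# mirror boto3's s3.get_public_access_block() / s3.get_bucket_encryption()
# responses; pass None for either when the API reported no configuration.

PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def check_audit_bucket(public_access_block, encryption):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_ACCESS_FLAGS:
        if cfg.get(flag) is not True:  # missing or False both count as findings
            findings.append(f"public access setting {flag} is not enabled")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("no default server-side encryption rule configured")
    else:
        algo = rules[0].get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ("aws:kms", "AES256"):
            findings.append(f"unexpected default encryption algorithm: {algo!r}")
    return findings


# Constructed sample responses (not real API output).
HARDENED_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_FLAGS}}
HARDENED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "alias/EXAMPLE-audit-log-key"}}]}}
# A bucket where BlockPublicPolicy was left off and no encryption rule exists.
WEAK_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}
WEAK_ENC = None

if __name__ == "__main__":
    for name, pab, enc in (("hardened", HARDENED_PAB, HARDENED_ENC),
                           ("weak", WEAK_PAB, WEAK_ENC)):
        problems = check_audit_bucket(pab, enc)
        print(name, "OK" if not problems else "; ".join(problems))
```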
Forwarding GitHub logs to the S3 bucket
1. To set up audit log streaming from GitHub, you will need:
   - The name of your Amazon S3 bucket
   - Your AWS access key ID
   - Your AWS secret key
2. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprise.
3. In the list of enterprises, click the enterprise you want to view.
4. In the enterprise account sidebar, click Settings.
5. Under Settings, click Audit log.
6. Under Audit log, click Log streaming.
7. Select the Configure stream dropdown and click Amazon S3.
8. Under Authentication, click Access keys.
9. Configure the stream settings.
- Under Bucket, type the name of the bucket you want to stream to. For example, auditlog-streaming-test.
- Under Access Key ID, type your access key ID. For example, ABCAIOSFODNN7EXAMPLE1
- Under Secret Key, type your secret key. For example, aBcJalrXUtnWXYZ/A1MDENG/zPxRfiCYEXAMPLEKEY
10. To verify that GitHub can connect and write to the Amazon S3 endpoint, click Check endpoint.
11. After you have successfully verified the endpoint, click Save.
Configuring a feed in your Chronicle instance
To configure a feed in Chronicle:
1. From your Chronicle instance page, select Settings from the main menu at the top left of your screen.
2. Click on Feeds where you can find the data feeds you have configured and the default feeds that Google provided.
3. From the Feeds page, click ADD NEW at the top of the screen. The ADD FEED window appears.
4. In the Set Properties tab, select SOURCE TYPE from the dropdown menu.
5. Select the Log Type as GitHub from the drop-down menu.
6. Click Next.
7. In the Input Parameters tab, paste the region, S3 URI, Access Key ID and Secret Key that you copied from the S3 bucket's configuration.
8. Click Next.
9. In the Finalize tab, click Submit. GitHub audit logs are now ingested into Chronicle.