This article explains how to configure AWS CloudTrail to deliver Route 53 activity logs to an S3 bucket, and how to ingest them into Chronicle.
Amazon Route 53 provides DNS query logging and the ability to monitor your resources using health checks. In addition, Route 53 integrates with other AWS services to provide additional logging and monitoring.
Route 53 is integrated with AWS CloudTrail, a service that provides a record of actions taken in Route 53 by a user, a role, or an AWS service. CloudTrail captures all API calls for Route 53 as events, including calls from the Route 53 console and calls made by code to the Route 53 APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Route 53. Note that these are API (management) events, such as changes to hosted zones and record sets; the DNS queries that resolvers send to your zones are not recorded by CloudTrail and must be captured with Route 53 query logging, which is configured separately.
Ingesting AWS logs into Chronicle
Configure AWS CloudTrail (or other services)
Complete the following steps to create an AWS CloudTrail trail and direct its logs to an S3 bucket (a new bucket created in step 4, or an existing one):
1. In the AWS console, search for CloudTrail.
2. Click Create trail.
3. Provide a Trail name.
4. Select Create new S3 bucket. You may also choose to use an existing S3 bucket.
5. Provide a name for the AWS KMS alias, or choose an existing AWS KMS key. If the log files are encrypted with a KMS key, the IAM user that reads them (created in the next procedure) also needs kms:Decrypt on that key; otherwise the feed can list the files but not read them.
6. Leave the other settings at their defaults, and click Next. Route 53 is a global service, so its API calls are delivered as global service events; these are included by default for a trail created in the console, and the trail will contain no Route 53 events without them.
7. Under Event type, keep Management events selected (Route 53 API calls are management events) and add Data events only if required; data events cover object-level S3 and Lambda activity, are high volume, and are billed separately. Click Next.
8. Review the settings under Review and create, then click Create trail.
9. In the AWS console, search for Amazon S3 Buckets.
10. Click the newly created log bucket and open the AWSLogs folder. Click Copy S3 URI and save the value for use in the following steps.
Configure AWS IAM User
In this step, we will configure an AWS IAM user whose access keys Chronicle will use to read the log files from the S3 bucket.
1. In the AWS console, search for IAM.
2. Click Users, then click Add users.
3. Provide a name for the user, e.g. chronicle-feed-user, select Access key - Programmatic access as the AWS credential type, and click Next: Permissions.
4. Select Attach existing policies directly and select AmazonS3ReadOnlyAccess or AmazonS3FullAccess, as required. AmazonS3FullAccess is only needed if Chronicle should delete objects from the bucket after reading them (see Source Deletion Option below) to reduce S3 storage costs. Both managed policies apply to every bucket in the account, and AmazonS3FullAccess also permits writing and deleting in all of them, so a leaked key for this user would expose far more than the CloudTrail logs. Click Next: Tags.
5. Recommended instead of step 4: restrict the user to the log bucket only by creating a custom policy. Click Create policy and follow the AWS documentation. The policy needs s3:ListBucket on the bucket, s3:GetObject on the AWSLogs/ prefix, s3:DeleteObject only if source deletion will be enabled, and kms:Decrypt on the trail's KMS key if the logs are KMS-encrypted.
6. Add any tags if required, and click Next: Review.
7. Review the configuration and click Create user.
8. Copy the Access key ID and Secret access key of the created user for use in the next step. The secret is shown only once; store it in a secrets manager rather than in documents or chat, and rotate it if it is ever exposed.
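The custom policy recommended in step 5, written out as a document and compared with the two managed policies. This is an added example, not Chronicle's or NetEnrich's code: the bucket name and account ID are placeholders, the managed-policy stand-ins are approximations of the AWS documents rather than copies, and is_allowed is a deliberately minimal evaluator (no conditions or principals) used only to show what each document grants.

```python
"""
Least-privilege policy for the Chronicle feed user, plus a small evaluator to show what it
grants compared with the two AWS-managed policies. Added example, not Chronicle or NetEnrich
code. Bucket name and account ID are placeholders; the managed-policy stand-ins are
approximations of the AWS documents, not copies.
"""
from __future__ import annotations

import json
import re


def feed_reader_policy(bucket: str, account_id: str, allow_delete: bool = False) -> dict:
    """Policy scoped to one CloudTrail log bucket.

    ListBucket is a bucket-level action, so it is granted on the bucket ARN; object actions are
    granted only under AWSLogs/<account>/ where CloudTrail writes. DeleteObject is added only
    when the feed's Source Deletion Option will remove files after ingestion.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_actions = ["s3:GetObject"] + (["s3:DeleteObject"] if allow_delete else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListCloudTrailBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": bucket_arn,
            },
            {
                "Sid": "ReadCloudTrailObjects",
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": f"{bucket_arn}/AWSLogs/{account_id}/*",
            },
        ],
    }


# Stand-ins for the managed policies the page mentions. Both are unscoped (Resource "*"),
# which is the reason to prefer the custom policy above.
AMAZON_S3_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:Describe*"], "Resource": "*"}]}
AMAZON_S3_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluator: an explicit Deny wins, otherwise any matching Allow, otherwise deny.

    Conditions, principals, NotAction and NotResource are ignored; this only compares what two
    policy documents grant and is no substitute for the IAM policy simulator.
    Action names are case-insensitive in IAM; ARNs are matched as written.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def grant_matrix(policies: dict[str, dict], probes: list[tuple[str, str]]) -> dict[str, dict[str, bool]]:
    """For each named policy, which (action, resource) probes it permits."""
    return {name: {f"{a} {r}": is_allowed(p, a, r) for a, r in probes} for name, p in policies.items()}


if __name__ == "__main__":
    bucket, account = "aws-cloudtrail-logs-example", "123456789012"  # placeholders
    custom = feed_reader_policy(bucket, account)
    print(json.dumps(custom, indent=2))
    log_obj = f"arn:aws:s3:::{bucket}/AWSLogs/{account}/CloudTrail/us-east-1/2024/05/06/x.json.gz"
    probes = [
        ("s3:GetObject", log_obj),
        ("s3:DeleteObject", log_obj),
        ("s3:GetObject", "arn:aws:s3:::payroll-backups/2024.sql"),  # some other bucket in the account
        ("s3:DeleteBucket", "arn:aws:s3:::payroll-backups"),
    ]
    matrix = grant_matrix({"custom": custom, "AmazonS3ReadOnlyAccess": AMAZON_S3_READ_ONLY,
                           "AmazonS3FullAccess": AMAZON_S3_FULL_ACCESS}, probes)
    for name, row in matrix.items():
        print(name, row)
```

Running the script prints the policy document to paste into the Create policy editor and a grant matrix showing that the custom policy reads only the CloudTrail prefix of its own bucket, while both managed policies reach every bucket in the account. Pass allow_delete=True only when the feed's Source Deletion Option is enabled.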
Configure Feed in Chronicle to Ingest AWS Logs
1. Go to Chronicle settings, and click Feeds.
2. Click Add New.
3. Select Amazon S3 for Source Type.
4. Select AWS Route 53 DNS (or other AWS service) for Log Type.
5. Click Next.
6. Select the region and provide the S3 URI of the Amazon S3 bucket you copied earlier. You can also append {{datetime("yyyy/MM/dd")}} to the S3 URI, as in the following example, so that on each run Chronicle scans only the folder for a particular day:
s3://aws-cloudtrail-logs-XXX-1234567/AWSLogs/1234567890/CloudTrail/us-east-1/{{datetime("yyyy/MM/dd")}}/
Route 53 is a global service, so its CloudTrail events are written under the us-east-1 region folder regardless of where your other resources run. CloudTrail names the day folders by UTC date and delivers files a few minutes after the API call, so a day-scoped URI can miss files for the previous day that arrive shortly after midnight UTC; check the feed's behaviour around the day boundary before relying on it.
7. Under URI IS A, select Directories including subdirectories. Under Source Deletion Option, choose a setting that matches the permissions of the IAM user created earlier: deleting files after transfer requires s3:DeleteObject on the bucket, which a read-only policy does not grant.
8. Provide the Access Key ID and Secret Access Key of the IAM user created earlier.
Note: if NetEnrich adds the feed to your Chronicle instance on your behalf, it will need the following values:
- S3 URI
- ACCESS KEY ID
- SECRET ACCESS KEY
9. Click Next and Finish.
10. Once the configuration is complete, validate in Chronicle that logs are arriving by searching with a regular expression such as ".*" or with a specific hostname; the results show which log source types are being ingested. See the screenshot below for reference.
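Two parts of the feed configuration above are easy to get wrong: what the day-scoped {{datetime("yyyy/MM/dd")}} URI actually resolves to (step 6), and what the files under it contain once you validate ingestion (step 10). The script below is an added example, not Chronicle's or NetEnrich's code: it expands the placeholder the way the page describes, picks the CloudTrail files under the resulting prefix as a "Directories including subdirectories" feed would, and lists the Route 53 events inside them. The bucket name, account ID, file names and CloudTrail records are constructed stand-ins; the key layout (AWSLogs/<account>/CloudTrail/<region>/yyyy/MM/dd/) and the record fields follow CloudTrail's documented format, and it is an assumption that Chronicle evaluates the placeholder in UTC.

```python
"""
Expand the day-scoped URI template from the feed configuration, select the CloudTrail files
under it, and pull out the Route 53 events they contain. Added example, not Chronicle or
NetEnrich code: the bucket contents below are constructed (account ID, bucket name, key
names and records are illustrative); the key layout and record fields are CloudTrail's.
"""
from __future__ import annotations

import gzip
import json
import re
from datetime import datetime, timezone

# Java-style date tokens accepted by the datetime() placeholder, mapped to strftime.
_JAVA_TO_STRFTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H"}
_PLACEHOLDER = re.compile(r'\{\{datetime\("([^"]+)"\)\}\}')


def utc_day(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def resolve_datetime_template(uri: str, when: datetime) -> str:
    """Expand every {{datetime("...")}} in the URI for the given instant, in UTC
    (CloudTrail names its day folders by UTC date; assumed to match Chronicle's evaluation)."""
    def _expand(match: re.Match) -> str:
        fmt = match.group(1)
        for java, py in _JAVA_TO_STRFTIME.items():
            fmt = fmt.replace(java, py)
        return when.astimezone(timezone.utc).strftime(fmt)
    return _PLACEHOLDER.sub(_expand, uri)


def split_s3_uri(uri: str) -> tuple[str, str]:
    """'s3://bucket/some/prefix/' -> ('bucket', 'some/prefix/')."""
    if not uri.startswith("s3://"):
        raise ValueError(f"not an S3 URI: {uri}")
    bucket, _, prefix = uri[len("s3://"):].partition("/")
    return bucket, prefix


def keys_under(prefix: str, keys) -> list[str]:
    """What a feed set to 'Directories including subdirectories' fetches: every key under the prefix."""
    return sorted(k for k in keys if k.startswith(prefix))


def route53_events(cloudtrail_file: bytes) -> list[dict]:
    """Parse one gzipped CloudTrail log file and keep only Route 53 API events."""
    records = json.loads(gzip.decompress(cloudtrail_file))["Records"]
    events = []
    for rec in records:
        if rec.get("eventSource") != "route53.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        events.append({
            "time": rec["eventTime"],
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "hosted_zone": params.get("hostedZoneId"),
            "error": rec.get("errorCode"),  # set when the call failed, e.g. AccessDenied
        })
    return events


def events_for_day(uri_template: str, bucket_objects: dict[str, bytes], when: datetime) -> list[dict]:
    """Everything the feed would ingest on 'when': resolve the template, list the folder, parse."""
    _bucket, prefix = split_s3_uri(resolve_datetime_template(uri_template, when))
    found: list[dict] = []
    for key in keys_under(prefix, bucket_objects):
        found.extend(route53_events(bucket_objects[key]))
    return found


def _gz(records: list[dict]) -> bytes:
    return gzip.compress(json.dumps({"Records": records}).encode())


# Constructed bucket contents: two UTC days of files. Route 53 is a global service, so its
# events land in the us-east-1 folder.
ACCOUNT = "123456789012"
BASE = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1"
SAMPLE_BUCKET: dict[str, bytes] = {
    f"{BASE}/2024/05/05/{ACCOUNT}_CloudTrail_us-east-1_20240505T2355Z_aaaaaaaaaaaa.json.gz": _gz([
        {"eventTime": "2024-05-05T23:54:10Z", "eventSource": "route53.amazonaws.com",
         "eventName": "ListHostedZones", "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}},
    ]),
    f"{BASE}/2024/05/06/{ACCOUNT}_CloudTrail_us-east-1_20240506T0905Z_bbbbbbbbbbbb.json.gz": _gz([
        {"eventTime": "2024-05-06T09:01:33Z", "eventSource": "route53.amazonaws.com",
         "eventName": "ChangeResourceRecordSets",
         "userIdentity": {"arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/deploy/ci"},
         "requestParameters": {"hostedZoneId": "Z0ABCDEFGHIJKL",
                               "changeBatch": {"changes": [{"action": "UPSERT"}]}}},
        {"eventTime": "2024-05-06T09:02:00Z", "eventSource": "s3.amazonaws.com",  # not Route 53
         "eventName": "GetObject", "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/chronicle-feed-user"}},
        {"eventTime": "2024-05-06T09:03:45Z", "eventSource": "route53.amazonaws.com",
         "eventName": "DeleteHostedZone", "errorCode": "AccessDenied",
         "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
         "requestParameters": {"id": "Z0ABCDEFGHIJKL"}},
    ]),
}
FEED_URI = f's3://aws-cloudtrail-logs-example/{BASE}/{{{{datetime("yyyy/MM/dd")}}}}/'

if __name__ == "__main__":
    day = utc_day(2024, 5, 6, 12)
    print(resolve_datetime_template(FEED_URI, day))
    for ev in events_for_day(FEED_URI, SAMPLE_BUCKET, day):
        print(ev)
```

Run on 6 May the script resolves the URI to the .../2024/05/06/ folder and reports the two Route 53 events from that day (the record-set change and the denied DeleteHostedZone), skipping the S3 event in the same file. The 5 May file, whose name carries a 23:55Z timestamp, is only visible when the template resolves to 5 May: if CloudTrail delivered it a few minutes after midnight UTC, a feed that had already moved on to the 6 May folder would not fetch it, which is the day-boundary gap noted in step 6. Against a real bucket, the same route53_events function can be run over files downloaded with the feed user's credentials to confirm that the trail actually contains Route 53 activity before troubleshooting the Chronicle side.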