In a previous post we implemented a strategy to track API usage and user activity across AWS resources using CloudTrail; refer to that post for the trail setup.
In this guide we will see how to monitor CloudTrail log events by sending the CloudTrail logs to CloudWatch Logs.
What is CloudTrail?
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
What is CloudWatch?
Amazon CloudWatch is a monitoring and management service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources.
With CloudWatch, you can collect and access all your performance and operational data in the form of logs and metrics from a single platform.
The CloudWatch Logs components are described below.
LOG EVENTS:
A log event is a record of some activity recorded by the application or resource being monitored.
LOG GROUPS:
Log groups define groups of log streams that share the same retention, monitoring, and access control settings.
Each log stream has to belong to exactly one log group.
For example, if you have a separate log stream for the nginx access logs from each host, you could group those log streams into a single log group called NginxLG/nginx/nginx.log.
LOG STREAMS:
A log stream is a sequence of log events that share the same source.
It is generally intended to represent the sequence of events coming from the application instance or resource being monitored.
For example, a log stream may be associated with an Apache access log on a specific host.
Monitoring CloudTrail Logs with CloudWatch Logs
We can configure CloudTrail to deliver events such as ConsoleLogin to CloudWatch Logs, and then monitor those log events and get notified when they occur.
CloudTrail sends only the log events that match the trail settings to CloudWatch Logs.
For example, if the trail is configured to log only data events, then only those events will be sent to the CloudWatch log group.
The IAM role that CloudTrail uses to write to the log group can be created directly from the CloudTrail console while configuring the logging.
Configure Logging to CloudWatch
Log in to the CloudTrail console and choose Trails in the navigation pane.
Select the trail for which you wish to set up CloudWatch logging.
Under CloudWatch Logs, click Configure.
We will be asked to provide the name of the log group which we created earlier.
Provide the log group name and click Continue.
This takes us to the IAM console.
Click View Details. If we already have a suitable IAM role, we can use it; if not, proceed as follows.
For IAM Role, choose Create a new IAM Role.
For Role Name, enter a name for the role and then click Allow.
The role summary should show Successful.
You might, however, hit a policy error at this point. We can fix this.
To fix it, click Continue.
Choose the IAM role (the console automatically detects the correct role) and the policy name, then click Allow.
We have now configured CloudTrail logging to CloudWatch Logs.
To check the CloudTrail logs, go to the CloudWatch console and click the log group; you will find the list of log streams holding the log events sent by CloudTrail.
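The console steps above amount to three things: a log group, an IAM role that only the CloudTrail service can assume and that can only create streams and put events in that log group, and a trail update that points at both. The script below is an added example (not code from the original post): it builds those two policy documents, checks them for least privilege, and emits the equivalent AWS CLI commands, including the update-trail call that removes the delivery again. The account ID, region, log group, trail and role names are constructed placeholders.

```python
"""Build the IAM policies CloudTrail needs to write to a CloudWatch Logs log group,
check them for least privilege, and print the equivalent AWS CLI commands.
Added illustration; all identifiers below are constructed placeholders."""
import json

# Constructed placeholders (assumptions): replace with your own values.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
LOG_GROUP = "CloudTrail/DefaultLogGroup"
TRAIL_NAME = "management-events-trail"
ROLE_NAME = "CloudTrail_CloudWatchLogs_Role"
POLICY_NAME = "CloudTrailWriteToCloudWatchLogs"


def trust_policy() -> dict:
    """Trust policy: only the CloudTrail service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(account_id: str, region: str, log_group: str) -> dict:
    """Permissions policy: the two log actions CloudTrail needs, scoped to the
    streams CloudTrail creates (named <account>_CloudTrail_<region>...) in the
    chosen log group, rather than to every log group in the account."""
    stream_arn = (f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
                  f":log-stream:{account_id}_CloudTrail_{region}*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSCloudTrailWriteLogs",
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": [stream_arn],
        }],
    }


def policy_problems(policy: dict) -> list:
    """Flag Allow statements that use wildcard actions or a wildcard resource,
    the two most common ways a role like this ends up over-privileged."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                problems.append(f"wildcard action {action}")
        for resource in resources:
            if resource == "*":
                problems.append("wildcard resource")
    return problems


def enable_commands(account_id: str, region: str, log_group: str,
                    trail: str, role: str, policy: str) -> list:
    """AWS CLI commands equivalent to the console steps; the policy JSON is
    assumed to have been written to trust.json and permissions.json."""
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"
    role_arn = f"arn:aws:iam::{account_id}:role/{role}"
    return [
        f"aws logs create-log-group --log-group-name {log_group}",
        f"aws iam create-role --role-name {role} --assume-role-policy-document file://trust.json",
        f"aws iam put-role-policy --role-name {role} --policy-name {policy} "
        f"--policy-document file://permissions.json",
        f"aws cloudtrail update-trail --name {trail} "
        f"--cloud-watch-logs-log-group-arn {log_group_arn} --cloud-watch-logs-role-arn {role_arn}",
    ]


def disable_command(trail: str) -> str:
    """Stop delivery: update-trail with empty log-group and role ARNs."""
    return (f'aws cloudtrail update-trail --name {trail} '
            f'--cloud-watch-logs-log-group-arn "" --cloud-watch-logs-role-arn ""')


if __name__ == "__main__":
    perms = permissions_policy(ACCOUNT_ID, REGION, LOG_GROUP)
    assert not policy_problems(perms), policy_problems(perms)
    with open("trust.json", "w") as f:
        json.dump(trust_policy(), f, indent=2)
    with open("permissions.json", "w") as f:
        json.dump(perms, f, indent=2)
    for cmd in enable_commands(ACCOUNT_ID, REGION, LOG_GROUP, TRAIL_NAME, ROLE_NAME, POLICY_NAME):
        print(cmd)
    print(disable_command(TRAIL_NAME))
```

Running the script writes trust.json and permissions.json and prints the commands to run with the AWS CLI. The policy_problems check is the piece worth keeping around: if someone later "fixes" a delivery error by granting logs:* on *, it flags that immediately.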
Stop Sending CloudTrail Logs to CloudWatch
To remove the log delivery from CloudTrail to the CloudWatch log group:
Log in to the CloudTrail console and choose Trails in the navigation pane.
Click the trail for which CloudWatch logging was enabled.
Under CloudWatch Logs, you will find the delete icon.
Click Continue to delete the log delivery.
We have now deleted the CloudTrail log delivery to the CloudWatch log group.
Conclusion
We have implemented a logging strategy for CloudTrail that stores all of its log events in a CloudWatch log group.
With the logs in the CloudWatch log streams, we can set up monitoring for events such as AWS console logins, so that we are notified immediately when such activity occurs.
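Once the events are in CloudWatch Logs, each log event is one CloudTrail record in JSON, and a metric filter on the log group can count the ones you care about. As an added example (not from the original post), the script below runs the same console-login checks that the filter patterns express over a few constructed CloudTrail records: any ConsoleLogin, a failed login, and a login completed without MFA. The records, user names, IP addresses and timestamps are constructed sample data.

```python
"""Scan CloudTrail records (as delivered to a CloudWatch Logs stream) for console
sign-in activity, and show the metric filter patterns that do the same thing
server-side.  Added illustration; the sample records are constructed."""
import json

# CloudWatch Logs metric filter patterns for the same three conditions.
CONSOLE_LOGIN_PATTERN = '{ ($.eventName = "ConsoleLogin") }'
FAILED_LOGIN_PATTERN = ('{ ($.eventName = "ConsoleLogin") && '
                        '($.responseElements.ConsoleLogin = "Failure") }')
NO_MFA_LOGIN_PATTERN = ('{ ($.eventName = "ConsoleLogin") && '
                        '($.additionalEventData.MFAUsed != "Yes") }')


def _login(time, user, ip, outcome, mfa):
    """Build one constructed ConsoleLogin record in CloudTrail's JSON shape."""
    return json.dumps({
        "eventVersion": "1.08", "eventTime": time,
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa, "LoginTo": "https://console.aws.amazon.com/"},
    })


# Constructed sample log events: one success with MFA, one failure, one success
# without MFA, and one unrelated API call that a login filter must ignore.
SAMPLE_LOG_EVENTS = [
    _login("2024-01-15T09:12:44Z", "alice", "198.51.100.23", "Success", "Yes"),
    _login("2024-01-15T09:13:02Z", "bob", "203.0.113.77", "Failure", "No"),
    _login("2024-01-15T09:15:31Z", "carol", "192.0.2.10", "Success", "No"),
    json.dumps({"eventVersion": "1.08", "eventTime": "2024-01-15T09:16:00Z",
                "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.23", "responseElements": None}),
]


def classify(record: dict) -> str:
    """Mirror the filter patterns: failed login, login without MFA, plain login,
    or an event that is not a console login at all."""
    if record.get("eventName") != "ConsoleLogin":
        return "other"
    outcome = (record.get("responseElements") or {}).get("ConsoleLogin")
    if outcome == "Failure":
        return "failed_login"
    if (record.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
        return "login_without_mfa"
    return "login"


def scan(log_lines):
    """Count each category and return one alert line per event worth a notification."""
    counts = {"login": 0, "failed_login": 0, "login_without_mfa": 0, "other": 0}
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        kind = classify(rec)
        counts[kind] += 1
        if kind in ("failed_login", "login_without_mfa"):
            user = (rec.get("userIdentity") or {}).get("userName", "?")
            alerts.append(f"{rec.get('eventTime')} {kind} user={user} ip={rec.get('sourceIPAddress')}")
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = scan(SAMPLE_LOG_EVENTS)
    print(counts)
    for a in alerts:
        print("ALERT", a)
```

To get the same alerts from AWS itself, attach one of the patterns to the log group with aws logs put-metric-filter (metricValue=1 into a namespace of your choosing) and put a CloudWatch alarm on that metric with an SNS topic as the action; the scan function is useful for checking a pattern against saved records before you deploy it.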