How to Send Cloudtrail Logs to Cloudwatch

In this previous blog, We have implemented a strategy to Track API usage and User activity across AWS resources using Cloudtrail , Check here

In this guide , We will see how to monitor Cloudtrail log events by sending the Cloudtrail Logs to Cloudwatch.

What is Cloudtrail?

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.

CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

What is Cloudwatch?

Amazon CloudWatch is a monitoring and management service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources.

With CloudWatch, you can collect and access all your performance and operational data in form of logs and metrics from a single platform.

Cloudwatch components are described below.

LOG EVENTS :

A log event is a record of some activity recorded by the application or resource being monitored.

LOG GROUPS :

Log groups define groups of log streams that share the same retention, monitoring, and access control settings.

Each log stream has to belong to one log group.

For example, If you have a separate log stream for the nginx access logs from each host, you could group those log streams into a single log group called NginxLG/nginx/nginx.log.

LOG STREAMS :

A log stream is a sequence of log events that share the same source.

It is generally intended to represent the sequence of events coming from the application instance or resource being monitored.

For example, a log stream may be associated with an Apache access log on a specific host.

Monitoring Cloudtrail Logs with Cloudwatch Logs

We can configure Cloudtrail to monitor activities such as ConsoleLogin and then we can log such events in Cloudwatch Logs and get notified.

Cloudtrail sends only the log events that match trail settings to Cloudwatch Logs.

For example , If you have configure cloudtrail to log only data events , Then only those logs will be sent to cloudwatch log group.

PreRequisites

• Existing Cloudtrail or Create new one

• IAM Role with permission to put log events to Cloudwatch log group.

• Create a Log group or Use existing Log group

Creating Cloudwatch Log group

For the cloudtrail to log all the events to cloudwatch , First we need to create an cloudwatch log group.

To create Cloudwatch log group , Login to Cloudwatch Console.

In the Navigation pane , Under Logs , Choose Log groups

Click create log group , Provide a name for the log group and then click Create

The Log group will be used to store all the log events captured by cloudtrail logs.

Creating IAM Role

For the Cloudtrail to send Cloudtrail log events to cloudwatch , The Trail needs a permission to put log events to the Cloudwatch log group.

So we need to create an IAM Role , and the role will be used for the trails to be able to send logs.

Basically , The Role will have permission to CreateLogStream and PutLogEvents.

The sample IAM policy is attached here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
           "Sid": "AWSCloudTrailCreateLogStream20141101",
           "Effect": "Allow",
           "Action": [
           "logs:CreateLogStream"
           ],
           "Resource": [
               "arn:aws:logs:Region:000000000000:log-group:LogGroupname:log-stream:LogStreamName" 
           ]
        },
        { 
           "Sid": "AWSCloudTrailPutLogEvents20141101", 
           "Effect": "Allow", 
           "Action": [ 
              "logs:PutLogEvents"
           ],
           "Resource": [
               "arn:aws:logs:Region:000000000000:log-group:LogGroupname:log-stream:LogStreamName"
           ]
        }
    ]
}

We can create an IAM Role directly while configuring logging in the Cloudtrail console.

Configure Logging to Cloudwatch

Login to Cloudtrail Console , Choose trails in the navigation pane.

Select the trail for which you wish to setup cloudwatch logging.

Under Cloudwatch Logs , Click Configure

We will be asked to provide the name of the Log group which we created earlier.

Provide the log group name and click Continue

It will take us to the IAM Console.

Click View Details , If we have an IAM Role already created , We can use this , But If not.

For IAM Role , Choose Create a new IAM Role

For Role Name , Enter the name for the Role and then click Allow

The Role summary should be Successful.

But You might face an policy issue as shown below.We can fix this.

To fix this , Click Continue

Choose the IAM Role (It will automatically detect the correct IAM Role) and Policy Name , Choose the policy and then click Allow

We have successfully implemented cloudtrail logging to cloudwatch logs.

To check the cloudtrail logs , Go to Cloudwatch console , Click the Log group and we can find the lists of log streams holding the log events sent by the cloudtrail.

Stop Sending Cloudtrail Logs to Cloudwatch

To remove the log delivery from Cloudtrail to cloudwatch log group.

Login to Cloudtrail Console , Choose Trails in the navigation pane.

Click the trail for which cloudwatch logging was enabled.

In Cloudwatch Logs , You will find the delete icon.

Click Continue to delete the log delivery.

We have successfully deleted the Cloudtrail log delivery to cloudwatch log group.

Conclusion

We have successfully implemented a Logging strategy for the Cloudtrail to store all the log events the Cloudwatch log group.

With the help of the logs in the CLoudwatch log streams , We can setup monitoring for any events such as AWS console Login , So we will be notified immediately when such activity occurs

Hope you find it helpful.

Please do check out my other articles.