Hi,
I am trying to ingest CloudTrail logs into Logstash to detect a certain event. I have installed the logstash-codec-cloudtrail plugin and was able to ingest CloudTrail logs if I point to a specific folder.
Currently I am ingesting it from
s3://cloudtrail/AWSLogs/123456789/CloudTrail/ap-southeast-1/2021/08/04/
Logstash Version: logstash 7.13.4
input {
  s3 {
    bucket => "com.abc.cloudtrail-nonprod"
    delete => false
    interval => 60 # seconds
    prefix => "AWSLogs/123456789/CloudTrail/ap-southeast-1/2021/08/04/"
    type => "cloudtrail"
    codec => "cloudtrail"
    region => "ap-southeast-1"
  }
}
However, I wish to ingest CloudTrail logs from the S3 bucket for a whole region and not for a specific date.
I was trying to do this, but I do not know if this is the right way to do it or whether such a feature has not been developed yet (based on my Google search).
input {
  s3 {
    bucket => "com.abc.cloudtrail-nonprod"
    delete => false
    interval => 60 # seconds
    prefix => "AWSLogs/123456789/CloudTrail/ap-southeast-1/*/*/*/"
    type => "cloudtrail"
    codec => "cloudtrail"
    region => "ap-southeast-1"
  }
}
My end goal is to be able to read CloudTrail events from now (not the past) and create an audit log to watch who assumed an admin role in AWS.
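As an added example (not from the original post and not part of the logstash-codec-cloudtrail plugin), here is the detection logic behind the stated end goal: it walks a CloudTrail `Records` array, keeps only successful `AssumeRole` calls from `sts.amazonaws.com` whose target is a configured admin role, and drops records older than a start-time watermark so historical objects under the prefix are ignored. The account id, role ARNs and sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail file: same shape as a real Records array, made-up values.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2021-08-04T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789:role/AdminRole",
                           "roleSessionName": "alice-admin"}},
    {"eventTime": "2021-08-04T09:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789:user/bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789:role/ReadOnlyRole",
                           "roleSessionName": "bob"}},
    {"eventTime": "2021-08-03T23:59:00Z", "eventSource": "sts.amazonaws.com",  # past: ignored
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789:user/carol"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789:role/AdminRole",
                           "roleSessionName": "carol"}},
]})

ADMIN_ROLE_ARNS = {"arn:aws:iam::123456789:role/AdminRole"}  # assumed: roles you treat as admin


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2021-08-04T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def admin_role_assumptions(raw_json, admin_role_arns, not_before):
    """Return audit entries for successful AssumeRole calls on an admin role at/after not_before."""
    hits = []
    for rec in json.loads(raw_json).get("Records", []):
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        if "errorCode" in rec:  # CloudTrail sets errorCode on denied/failed calls: not an assumption
            continue
        if parse_event_time(rec["eventTime"]) < not_before:  # skip historical records
            continue
        params = rec.get("requestParameters") or {}
        if params.get("roleArn") not in admin_role_arns:
            continue
        hits.append({"time": rec["eventTime"],
                     "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
                     "role": params["roleArn"],
                     "session": params.get("roleSessionName", ""),
                     "source_ip": rec.get("sourceIPAddress", "")})
    return hits


def run_demo():
    # Watermark = "now" for the constructed data; only records at/after it are reported.
    return admin_role_assumptions(SAMPLE_CLOUDTRAIL, ADMIN_ROLE_ARNS,
                                  parse_event_time("2021-08-04T00:00:00Z"))
```

In the Logstash pipeline the same conditions map onto the fields the cloudtrail codec emits (eventSource, eventName, requestParameters.roleArn, errorCode); the watermark is what keeps the older date folders under the region prefix out of the audit log.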