Brief: We have multiple AWS accounts and we would prefer to ingest CloudTrail logs from all our accounts via Filebeat's AWS module (Filebeat running on the same single server, with a single agent).
ELK-Stack: 7.8.0
Filebeat: 7.8.0
OS: AmazonLinux-2
From the above config snippet I don't see a way to configure multiple accounts. I would like to request help on how to configure Filebeat to ingest CloudTrail logs from multiple AWS accounts.
Hello! Thanks for posting your question here. For running Filebeat with multiple AWS accounts, you can just duplicate this config section with different sets of credentials. For example:
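A configuration along the lines described in the reply above, as an added example that is not part of the original thread: the `aws` module block is repeated once per account. The queue URLs, account IDs, credential file path and profile names are constructed placeholders, and the use of named credential profiles instead of inline keys is an assumption of this example.

```yaml
# modules.d/aws.yml (constructed example; all values below are placeholders)
# Only the cloudtrail fileset is shown.

# Account A
- module: aws
  cloudtrail:
    enabled: true
    # SQS queue in account A that receives the S3 notifications
    # for the bucket CloudTrail writes to
    var.queue_url: https://sqs.us-east-1.amazonaws.com/111111111111/cloudtrail-account-a
    # Shared credentials file with one profile per account
    var.shared_credential_file: /etc/filebeat/aws_credentials
    var.credential_profile_name: account-a

# Account B: same block, different queue and credential profile
- module: aws
  cloudtrail:
    enabled: true
    var.queue_url: https://sqs.us-east-1.amazonaws.com/222222222222/cloudtrail-account-b
    var.shared_credential_file: /etc/filebeat/aws_credentials
    var.credential_profile_name: account-b
```

Keeping the keys in a credentials file readable only by the Filebeat user keeps them out of the module configuration itself.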
@Kaiyan_Sheng Thanks for the reply, it was really helpful.
I just have an adjoining question:
Here in the below Filebeat config, I'm using the cloudtrail fileset, and since I'm specifically using the 'cloudtrail' module, do I still need to supply the SQS path?
Here, I'm passing the AWS keys, but along with these should I pass/add the SQS queue URL?
Can't the 'Cloudtrail module' pull the Cloudtrail Logs directly without using SQS?