Parse AWS CloudTrail and CloudWatch Logs in Logstash

A_P · November 19, 2019, 4:26am

By default, CloudTrail logs are aggregated per region and then redirected to an S3 bucket (compressed JSON files). Cloudtrail delivers log files to s3 bucket, approximately every 5 minutes. We can use the Logstash S3 input plugin or, alternatively, download the file and use the Logstash file input plugin. The compressed logs need to be de-compressed and then read -Custom code. (Please correct in case i am wrong)

I was going through the post for Community Beat, and found cloudwatchlogsbeat and cloudtrailbeat. DO they de-compress the CT and CW logs automatically from S3 or we need to write custom code for the same.

Any suggestions if Logstash S3 input plugin is better than these community beats?

kvch · November 19, 2019, 1:21pm

I am not familiar with the existing community Beats. However, Filebeat has a new s3 input: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-s3.html It is not able to parse, but you could use it to collect the logs and send it to a "central" LS or ES to parse those.

Kaiyan_Sheng · November 21, 2019, 10:13pm

We just opened a ticket to track the work for adding cloudtrail fileset in Filebeat: https://github.com/elastic/beats/issues/14657

system · December 19, 2019, 10:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat and AWS Module unable to get CloudTrail logs Beats beats-module , filebeat	2	1416	June 25, 2020
[Filebeat] AWS CloudTrail Processor parses incorrect AWS region from logs Beats filebeat	4	366	September 15, 2022
[Filebeat] Bug with aws-cloudwatch logs using log_group_arn Beats filebeat	1	264	February 9, 2024
Does Filebeat support output to S3? Beats filebeat	2	6701	November 11, 2019
Filebeat for AWS Cloudwatch does not support timestamps with milliseconds Beats filebeat	1	248	April 6, 2023

Parse AWS CloudTrail and CloudWatch Logs in Logstash

Related Topics