Parse AWS CloudTrail and CloudWatch Logs in Logstash

A_P · November 19, 2019, 4:26am

By default, CloudTrail logs are aggregated per region and then redirected to an S3 bucket (compressed JSON files). Cloudtrail delivers log files to s3 bucket, approximately every 5 minutes. We can use the Logstash S3 input plugin or, alternatively, download the file and use the Logstash file input plugin. The compressed logs need to be de-compressed and then read -Custom code. (Please correct in case i am wrong)

I was going through the post for Community Beat, and found cloudwatchlogsbeat and cloudtrailbeat. DO they de-compress the CT and CW logs automatically from S3 or we need to write custom code for the same.

Any suggestions if Logstash S3 input plugin is better than these community beats?

kvch · November 19, 2019, 1:21pm

I am not familiar with the existing community Beats. However, Filebeat has a new s3 input: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-s3.html It is not able to parse, but you could use it to collect the logs and send it to a "central" LS or ES to parse those.

Kaiyan_Sheng · November 21, 2019, 10:13pm

We just opened a ticket to track the work for adding cloudtrail fileset in Filebeat: https://github.com/elastic/beats/issues/14657

system · December 19, 2019, 10:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Parsing issue with module aws Beats beats-module , filebeat	10	555	June 4, 2021
Filebeat and AWS Module unable to get CloudTrail logs Beats beats-module , filebeat	2	1416	June 25, 2020
AWS Cloudwatch Logs Exported directly by Logstash/Filebeat? Logstash	1	320	June 21, 2019
Can Filebeat read from an S3 bucket Beats filebeat	2	2051	August 7, 2018
How to use Beat with Amazon S3 logs as input? Logstash	1	359	March 18, 2019

Parse AWS CloudTrail and CloudWatch Logs in Logstash

Related topics