Request for Filebeat AWS CloudTrail Documentation/Configuration Options for s3prefix, etc

Adam_Krieger · November 26, 2020, 4:49pm

Regarding CloudTrail setup in filebeat for delivery via SQS Message and S3 Object Get:

Current setup only allows read if the CloudTrail is pointed to the root of the S3 bucket.

Could a 'var.s3prefix' option be added to config to allow for more flexibility?
Could this requirement be included in documentation at least?

Options 'var.process_cloudtrail_logs' and 'var.process_insight_logs' are not documented.

Could these be documented?

Getting this set up correctly cost me a few hours of code diving.

For anyone who finds this ticket looking for answers: my working filebeat aws cloudtrail module looks like this:

- module: aws
  cloudtrail:
    enabled: true
    var.queue_url: https://sqs.etc...
    var.process_cloudtrail_logs: true
    var.process_insight_logs: true
    var.max_number_of_messages: 50

And my CloudTrail destination bucket root starts with 'AWSLogs/'. It will not work if you nest 'AWSLogs/' under 'cloudtrail1/' or anything like that.

system · December 24, 2020, 6:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat and AWS Module unable to get CloudTrail logs Beats beats-module , filebeat	2	1416	June 25, 2020
Filebeat AWS Module No found Beats beats-module , filebeat	6	591	August 29, 2021
Filebeat:aws:cloudtrail Beats filebeat	1	409	February 12, 2021
Filebeat AWS Module SQS Queue Configurations Errors Beats filebeat	2	565	April 6, 2021
Filebeat Parsing issue with module aws Beats beats-module , filebeat	10	555	June 4, 2021

Request for Filebeat AWS CloudTrail Documentation/Configuration Options for s3prefix, etc

Related topics