Support

[idokaplan]

Hi,

This project looks great, 10x!
are you still working on this?

Is there a plan to create RPM, ES templates, Kibana queries examples, etc?

Thanks!
Ido

[aidan-]

Thanks for showing interest! This project is still being maintained when I have time, but at the moment it is working as a I require so there hasn't been a lot of development. I am more than happy to add additional features as people request them (including better documentation!), and to accept pull requests if people want to tackle some themselves! 😄

RE: RPM/packages, it looks like there is a newer version of the elastic libbeat library out that includes a bunch of tools to help generate cross platform packages. If there is interest in RPM/debs/etc I will try and get cloudtrailbeat updated to use that newer version. Is there a particular distro/build that you're looking for?

RE: ES index templates/Kibana queries, in the etc folder there is a fields.yml file that should be adequate for generating a proper index using the libbeat generate_index_pattern.py
script. Perhaps the generated json should be included in this repo?

The plan is to add a few Kibana queries and dashboards, but at the moment the one's I have created are very specific to my use case/organisation and rely on a number of things outside the scope of this script. If you have some queries or dashboards you would like to share, I'm more than happy to take pull requests!

[andrewkrug]

What about just providing a docker container?

[idokaplan]

Hi Aidan,

Thank you very much for your follow up, I really appreciate your detailed answer.

1. I'm using yum repo.
   If there will be a package (with service in "/etc/init.d") to install cloudtrailbeat, I believe that you don't need to improve the documentation because it will be much easier to install (don't need to create go environment and to install any pre requirements).
2. Yes, can you please add the generated json to the repo?
   I tried to generate the index using the script, but I didn't manage to do it.
   The index template is very important, because without this, there is a conflict with "cloudtrail.apiVersion", so there are a lot of events that are not seen in Kibana.
3. Can you please share what are the use cases?
   Maybe it will fit also my needs.

Thanks!
Ido

[aidan-]

It's been a while since I've had the opportunity to update this repo, but I've almost finished a whole bunch of changes to bring this beat inline with the new libbeat 5.0. This includes squashing a few bugs and the addition for the ResponseElements and RequestParamaters fields. This is currently available in the libbeat-5.0 branch and will be merged into master shortly.

Unfortunately this includes a few 'breaking' changes to the configuration file, but shouldn't be too difficult to adjust.

To address your questions @idokaplan :

1. rpm/debs shouldn't be far off. The new libbeat makes this a lot easier.
2. Index templates are available in the libbeat-5.0 branch now.
3. The primary use case was to try and cross reference the information with other logs to identify if individuals were making breaking changes.

[berglh]

👍 need the new libbeat 5.0 version, need to get these extraneous fields under 💯 control.