Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Add fileset for AWS CloudTrail #14657

Closed
andrewkroh opened this issue Nov 20, 2019 · 2 comments
Closed

[Filebeat] Add fileset for AWS CloudTrail #14657

andrewkroh opened this issue Nov 20, 2019 · 2 comments
Assignees
@leehinman
Labels
enhancement Filebeat Filebeat module

Comments

@andrewkroh
Copy link
Member

Add a fileset to the existing aws module in Filebeat that ingests CloudTrail logs that are stored in S3. The fileset can make use of the s3 input that receives SQS notifications when a new log file is available in S3.
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@andrewkroh andrewkroh mentioned this issue Dec 9, 2019
Closed
@andrewkroh
Copy link
Member Author

PR: #15227

leehinman added a commit to leehinman/beats that referenced this issue Jan 13, 2020
@leehinman
[Filebeat] Add AWS CloudTrail Support
0bb68e1 
- maps all fields in CloudTrail events
- requestParameters, responseElements, additionalEventData
  & serviceEventDetails are string representations
- add event.original
- add event.type
- add event.kind
- add event.outcome
- run geoip processor
- run agent processor
- populated related.user array when possible
- uses s3input
- CloudTrail must write to S3 bucket, and send all Create Events
  to an SQS queue we listen to

Fixes elastic#14657
leehinman added a commit to leehinman/beats that referenced this issue Jan 13, 2020
@leehinman
[Filebeat] Add AWS CloudTrail Support (elastic#15227)
600d622 
- maps all fields in CloudTrail events
- requestParameters, responseElements, additionalEventData
  & serviceEventDetails are string representations
- add event.original
- add event.type
- add event.kind
- add event.outcome
- run geoip processor
- run agent processor
- populated related.user array when possible
- uses s3input
- CloudTrail must write to S3 bucket, and send all Create Events
  to an SQS queue we listen to

Fixes elastic#14657

(cherry picked from commit da7a697)
leehinman added a commit that referenced this issue Jan 14, 2020
@leehinman
[Filebeat] Add AWS CloudTrail Support (#15227) (#15519)
ee82c1f 
- maps all fields in CloudTrail events
- requestParameters, responseElements, additionalEventData
  & serviceEventDetails are string representations
- add event.original
- add event.type
- add event.kind
- add event.outcome
- run geoip processor
- run agent processor
- populated related.user array when possible
- uses s3input
- CloudTrail must write to S3 bucket, and send all Create Events
  to an SQS queue we listen to

Fixes #14657

(cherry picked from commit da7a697)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@leehinman leehinman

Labels
enhancement Filebeat Filebeat module
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@andrewkroh @elasticmachine @leehinman