Version: v0.0.0-...-c728838
Published: Dec 27, 2017
License: MIT
Imports: 11
Imported by: 0
README
Poll S3 for CloudTrail logs
If you enable AWS CloudTrail, AWS will log every AWS API call to an S3 bucket of your choice.
How to set it up:
- Go to the AWS dashboard for CloudTrail and create a "trail" with the following options:
  - Encrypt log files = No (since sync-log-files-to-db doesn't know how to decrypt them)
  - Enable log file validation = No (since sync-log-files-to-db won't bother to delete the checksum files, so they'll just accumulate)
- Create an AWS S3 bucket for your CloudTrail logs
- Create an AWS IAM user that has read and delete access to just that S3 bucket
- Set up a config/s3.creds.ini file using config/s3.creds.ini.sample as a starting point
- Add the following stanza to your config.json (omitting BigQuery or InfluxDb if you prefer):
  "PollS3CloudTrail": {
    "S3": {
      "CredsPath": "./s3.creds.ini",
      "Region": "us-east-1",
      "BucketName": "cloudtrail-danstutzman"
    },
    "PathsPerBatch": 100,
    "BigQuery": {
      "GcloudPemPath": "./YourProject-abc123.json",
      "GcloudProjectId": "your-project",
      "DatasetName": "cloudtrail",
      "TableName": "cloudtrail_events"
    },
    "InfluxDb": {
      "Hostname": "127.0.0.1",
      "Port": "8086",
      "DatabaseName": "mydb",
      "MeasurementName": "cloudtrail_events"
    }
  },
Documentation
func ValidateOptions(options *Options)
type Attributes struct {
	MfaAuthenticated string `json:"mfaAuthenticated"`
	CreationDate     string `json:"creationDate"`
}
type Event struct {
	EventVersion       string                 `json:"eventVersion"`
	UserIdentity       UserIdentity           `json:"userIdentity"`
	EventTime          string                 `json:"eventTime"`
	EventSource        string                 `json:"eventSource"`
	EventName          string                 `json:"eventName"`
	AwsRegion          string                 `json:"awsRegion"`
	SourceIpAddress    string                 `json:"sourceIPAddress"`
	UserAgent          string                 `json:"userAgent"`
	RequestParameters  map[string]interface{} `json:"requestParameters"`
	ResponseElements   map[string]interface{} `json:"responseElements"`
	RequestId          string                 `json:"requestID"`
	EventId            string                 `json:"eventID"`
	EventType          string                 `json:"eventType"`
	RecipientAccountId string                 `json:"recipientAccountId"`
}
type File struct {
	Records []Event
}
type SessionContext struct {
	Attributes Attributes `json:"attributes"`
}
type UserIdentity struct {
	Type           string         `json:"type"`
	PrincipalId    string         `json:"principalId"`
	Arn            string         `json:"arn"`
	AccountId      string         `json:"accountId"`
	AccessKeyId    string         `json:"accessKeyId"`
	SessionContext SessionContext `json:"sessionContext"`
}
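Decoding one CloudTrail log file into the types above and running a simple review over its records, as an added example that is not the package's own code: the struct subset is copied from the documentation, while ParseFile, EventsWithoutMFA and the sample records are constructed here.

```go
package main

import "encoding/json"
import "fmt"

// Subset of the package's types, copied from the documentation above so this runs stand-alone.
type Attributes struct{ MfaAuthenticated string `json:"mfaAuthenticated"` }
type SessionContext struct{ Attributes Attributes `json:"attributes"` }
type UserIdentity struct {
	Type           string         `json:"type"`
	Arn            string         `json:"arn"`
	SessionContext SessionContext `json:"sessionContext"`
}
type Event struct {
	UserIdentity UserIdentity `json:"userIdentity"`
	EventName    string       `json:"eventName"`
	EventId      string       `json:"eventID"`
}
type File struct{ Records []Event }
// ParseFile decodes one CloudTrail log file: a JSON object whose "Records" array holds
// the events. encoding/json ignores keys that have no field in the structs above.
func ParseFile(data []byte) (File, error) {
	var f File
	err := json.Unmarshal(data, &f)
	return f, err
}
// EventsWithoutMFA returns the eventIDs of IAM-user calls whose session CloudTrail
// recorded as not MFA-authenticated (a check added here; not part of the package).
func EventsWithoutMFA(f File) []string {
	var ids []string
	for _, e := range f.Records {
		mfa := e.UserIdentity.SessionContext.Attributes.MfaAuthenticated
		if e.UserIdentity.Type == "IAMUser" && mfa == "false" {
			ids = append(ids, e.EventId)
		}
	}
	return ids
}
// SampleLog is a constructed two-record file in the CloudTrail layout (not a real log).
const SampleLog = `{"Records":[
{"eventID":"ev-1","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}}},
{"eventID":"ev-2","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}}}]}`

func main() {
	f, err := ParseFile([]byte(SampleLog))
	if err != nil {
		panic(err)
	}
	fmt.Println("IAM-user events without MFA:", EventsWithoutMFA(f)) // [ev-2]
}
```

A record with no sessionContext at all decodes with an empty MfaAuthenticated, which is not the same as "false"; treat that case separately rather than assuming MFA was used.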