The cloud.aws.cloudtrail.events tag identifies log events generated by the Amazon CloudTrail service. For more information about CloudTrail and the kind of information it makes available to you, consult the vendor documentation.
The tag has four levels which are fixed as cloud.aws.cloudtrail.events. All events sent with this tag are saved in a Devo data table of the same name.
For more information, read more about Devo tags.
Forwarding the events
To collect and forward CloudTrail events to Devo, you will set up a trail that sends all AWS management and S3 bucket activity events to a Lambda function, which collects, processes, and forwards the events securely to Devo. We provide the source code and files required to create the function. You only need to use these files to create the function, customize a few environment variables, and set up the CloudTrail rule that will start forwarding data.
This article takes you step-by-step through the configuration process:
Download the source code files
Click here to download the zip file containing what you need to create the Lambda function. There are two folders and three files at the root level.
Download your Devo domain certificate files
Log into the Devo web application, go to Administration → Credentials → X.509 Certificates and download the X.509 Certificate and Private Key to the /certs folder of the source code files.
Prepare the ZIP file for upload
Having added the certificate files, your source code is complete.
For troubleshooting the initial setup, you can enable the logging of additional events related to the Lambda function's activity. These will appear in the function's log file available in CloudWatch → Logs. To enable this logging, open the index.js file and uncomment the lines that start with console.log. Once you have confirmed that events are being correctly streamed to your Devo domain, you can edit the file and re-comment the console.log lines.
Create a .zip file containing the certs and node_modules folders, index.js, and package.json. You can name it anything you like.
Set up the CloudTrail trail
- Log into your AWS Console, go to CloudTrail → Trails. Click Create trail.
- Enter a Name for the new trail like awsMonitoring. Choose Yes for Apply trail to all regions.
- Under Management events, choose All for Read/Write events.
- Under Data events - S3, select the Select all S3 buckets in your account checkbox. Do nothing in the Lambda tab.
- Under Storage location, choose Yes for Create a new S3 bucket and enter a name for the new bucket. We suggest cloudtrail-aws-monitoring. You can accept the default values in the Advanced settings.
With the trail set up and activated, the management and S3 events should begin to collect in the S3 bucket you created for the trail. Now you will create the Lambda function that will collect the data in the S3 bucket, process it, and forward it securely to your Devo domain.
Create the Lambda function
This procedure guides you through creating the new Lambda function. For this process, you need to have available the .zip file you prepared earlier.
- Log into your AWS Console, go to Lambda → Functions. Click Create function.
- Select Author from scratch, then enter the Basic information required:
  - Function name: SendCloudTrailEventsToDevo
  - Runtime: Node.js 8.10
  - Execution role: Create a new role with basic Lambda permissions
- Click Create function.
- In the Function code area, select Upload a .zip file as the Code entry type. Click Upload and select the .zip file you created in the last main step. Click Save.
- In the Environment variables area, define the following variables:
  - The certificate chain file for your region: chain_eu.crt (for the EU region) or chain_us.crt (for the US region).
  - The Devo relay endpoint for your region: eu.elb.relay.logtrust.net (for the EU region) or us.elb.relay.logtrust.net (for the US region).
- In the Tags area, we recommend that you define the following tags (although it's not obligatory, it is good practice):
- In the Basic settings area, enter a useful Description like This function receives CloudTrail events from an S3 bucket and sends them to Devo <domain name>. You can accept the default values for Memory (128MB) and Timeout (3 seconds).
- Now, select the new function to view its details. In the Execution role area, click View the <function-name> role to edit the role permissions.
- On the Permissions tab, click Attach policy. Select AmazonS3ReadOnlyAccess, then click Attach policy.
- On the Tags tab, click Edit tags and add the same tags as in step 5.
- Establish version-tracking by selecting Publish new version from the Actions menu. Enter a description if you like and click Publish.
- In the function Designer, click Add triggers on the left and select S3.
- In the S3 trigger configuration, enter the bucket name you specified when creating the trail. Select Object Created (All) as the Event type and select the Enable trigger checkbox. Click Submit.
With both the trail and the Lambda function enabled, events should begin to flow to your Devo domain. Look out for the cloud.aws.cloudtrail.events table to appear in your Finder.
If the table doesn't appear in your domain's Finder after 10 minutes, here are some things you can do to troubleshoot the problem:
- Go to the S3 bucket and make sure that it contains data.
- Go to CloudTrail → Trails and make sure the trail is active/enabled.
- Make sure the Lambda function's environment variable definitions match the certificate file names in the .zip that you uploaded.
- Go to CloudWatch → Logs and review the log for the Lambda function you created.
- Go to Lambda, select the function you set up for CloudTrail, and click Test to send a test event. We suggest you copy the JSON of an event in the function's CloudWatch logs to use in the test event.