Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

Amazon Web Services (AWS) is a cloud computing platform provided by Amazon that offers various computing services and cloud based products that are accessible over the internet, such as compute, storage, databases, analytics, networking, mobile, developer tools, management tools, IoT, security, etc.

Majority of this services and products can generate and publish logs which can be collected by Snare Central for further processing.

Collection

Snare Central can be configured to collect logs from supported AWS services via CloudWatch Log’s subscription filters, to get access to an almost real-time feed of log events and have it delivered to Amazon Kinesis Data Stream, then it can be pulled back and ingested by the Snare Central using the appropriate AWS Kinesis Data Stream API which were called periodically.

Supported AWS Service Logs

Many of the AWS services or cloud based products can publish logs to CloudWatch Logs and Currently Snare Central supports the following AWS service logs:

  • AWS CloudTrail Logs

  • AWS VPC Flow Logs

  • AWS Web Application Firewall (WAF)

Common fields for all AWS Service log types

These fields are also the default fields for unsupported/unrecognizable AWS collected logs (AWSGenericLog).

Field

Description

DATE

Event date, in the format YYYY-MM-DD

TIME

Event time, in the format HH:MM:SS

SYSTEM

The source system.

Supported AWS log type were source system information is not applicable or not available will be classified as AWS Internal

All other unsupported type will be classified as UNKNOWN

TABLE

For supported types: AWS<ServiceName>Log.

All other unsupported types will be classified as AWSGenericLog

COLLECTIONDATETIME

Snare Central’s local date and time of the actual log collection from AWS Kinesis Data Stream in RFC3339Nano format

CWLDATETIME

AWS CloudWatch Log’s timestamp when it receives the event log from other AWS services in RFC3339Nano format

DATETIME

The timestamp of the event log in RFC3339Nano format

SNAREDATAMAP

All unclassified field/s in the log will be pushed into the SNAREDATAMAP.

Notes

https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html

https://docs.aws.amazon.com/streams/latest/dev/introduction.html