Subscribe to cloudtrail events in your logging account using the Stax created SNS topic and route them to Sumologic.
stax-labs/stax-cloudtrail-to-sumologic

Stax Cloudtrail Logs to SumoLogic

Deploys a simple SumoLogic (SL) forwarder and subscribes it to the Stax-created Cloudtrail SNS topic, as documented in the Stax Consuming AWS Service Logs documentation.

Why?

Stax implements the Organization Cloudtrail on behalf of customers, with the log files for the trail ending up in the Stax Logging Account.

You could also follow the SumoLogic-provided guide to setting up Cloudtrail when using Control Tower. However, we found that this still requires manual tweaking (for example, the SumoLogic-created role doesn't allow access to KMS) and it leaves unused resources behind (SumoLogic creates its own SNS topic, which conflicts with the Stax-provided topic; there can be only one).

Caveats

  • This documentation is based on SumoLogic guidance for the Control Tower setup, which also implements Organization Cloudtrail. It was correct at the time of writing, but changes on the SumoLogic side may render this solution inoperable. Please raise an issue on this repo if you run into problems and we'll do our best to assist.
  • You will almost certainly incur costs in both SumoLogic and AWS when implementing this.
  • This documentation is for the hosted collector only.

Deployment

  • AWS deployment steps assume you have a valid AWS CLI session in your Stax Logging Account.
  • SumoLogic collector configuration assumes you have administrative access to SumoLogic.

Configure Collector

These instructions are a summary of the steps in the AWS CloudTrail Source guide that SumoLogic provides. If the steps below don't match what you see in the console, we strongly suggest reading the source document (and please create an issue letting us know).

Additionally, the role we've provided is functionally the same as the role that SumoLogic will generate for you during collector setup, except that it also grants access to the KMS key required to read from the bucket.

  1. In Sumo Logic select Manage Data > Collection > Collection.
  2. Select the hosted Collector for which you want to add the Source, and click Add Source (see AWS Cloudtrail Source for instructions on creating one).
  3. Click AWS CloudTrail.
  4. Set the General Parameters:
    1. S3 Region: Other
    2. Bucket Name: this will be in the format stax-cloudtrail-<org-uuid>; you can read more about it in our docs.
    3. Path Expression: AWSLogs/*/CloudTrail/*
    4. Source Category: aws/observability/cloudtrail/logs
    5. Fields: account logging
  5. In the AWS Access section choose "Role-based access" and take a note of the "Account ID" and "External ID".
    1. At this point you need to deploy the role (see Deploy Role below).
    2. Once the role is deployed, take the output ARN and provide it in the "Role ARN" field.
  6. In the Log File Discovery section click "Create URL".
    1. Select a 5 minute interval.
    2. At this point you need to deploy the SNS subscription (see Subscribe SNS to Collector below).
  7. Leave the remaining options at their defaults.
  8. When you click Save you might be told that the page is out of date and you need to refresh; after refreshing, the source should still have been created.

Deploy SumoLogic AWS Resources

The following steps explain what AWS resources you'll need to deploy.

Deploy Role

SumoLogic requires a role that the collector can assume, which allows it to read files from the Cloudtrail S3 bucket and to use the KMS key that encrypts data in that bucket. We have provided a template under the cloudformation folder in this repo; you can upload it through the console and set the Account ID and External ID to the values generated during the Configure Collector step, or use the CLI as shown below.

You will need the ARN of the KMS key that Stax uses to secure your Cloudtrail data. You can find it in the KMS console by selecting the key with the alias "cloudtrail", or using the CLI. Note that list-aliases returns the alias record (including the TargetKeyId) rather than the key ARN itself; describe-key accepts the alias name and returns the full ARN:

aws kms list-aliases --query "Aliases[?AliasName=='alias/cloudtrail']"

aws kms describe-key --key-id alias/cloudtrail --query "KeyMetadata.Arn" --output text

Once you have this you can run the deployment:

$ aws cloudformation deploy \
    --template-file cloudformation/sumologic_role.yaml \
    --stack-name sumologic-stax-cloudtrail-role \
    --capabilities CAPABILITY_IAM \
    --parameter-overrides \
        SumoLogicAccountID=<Account ID generated during collector setup> \
        SumoLogicExternalID=<External ID generated during collector setup> \
        StaxCloudtrailBucket=<The Stax Cloudtrail bucket, the same value provided to Sumo during collector setup> \
        StaxCloudtrailKMSKey=<The full ARN of the cloudtrail KMS key>

$ aws cloudformation describe-stacks \
    --stack-name sumologic-stax-cloudtrail-role \
    --query "Stacks[0].Outputs[?OutputKey=='SumoLogicCloudtrailRoleARN'].OutputValue" \
    --output text

The output of the second command is the ARN of the created role; you'll need this value to complete the collector setup.
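As an added illustration of what the role in this section needs (this is example code written for this README, not the project's cloudformation template, which is not reproduced here), the following Python builds the two policy documents such a role consists of and reviews them for the points made above: the sts:ExternalId condition in the trust policy, read-only access scoped to the bucket's AWSLogs/ path, and the kms:Decrypt grant that the SumoLogic-generated role lacks. The account ID, External ID, bucket name and key ARN are constructed placeholders; the real values come from the collector setup and the KMS alias lookup.

```python
import json
from typing import List, Optional

# Constructed placeholder inputs; the real values come from the SumoLogic
# collector setup ("Account ID", "External ID") and from the KMS alias lookup
# in your logging account.
SUMO_ACCOUNT_ID = "111111111111"
SUMO_EXTERNAL_ID = "example-external-id-REPLACE-ME"
STAX_CLOUDTRAIL_BUCKET = "stax-cloudtrail-00000000-0000-0000-0000-000000000000"
STAX_CLOUDTRAIL_KMS_KEY = (
    "arn:aws:kms:ap-southeast-2:222222222222:key/00000000-0000-0000-0000-000000000000"
)


def trust_policy(sumo_account_id: str, external_id: str) -> dict:
    """Who may assume the role: only the SumoLogic account, and only when it
    presents the External ID, so a third party who learns the role ARN cannot
    have SumoLogic assume it on their behalf (the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{sumo_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def permissions_policy(bucket: str, kms_key_arn: Optional[str]) -> dict:
    """What the role may do: list the bucket and read objects under AWSLogs/,
    plus kms:Decrypt on the bucket's key. Passing kms_key_arn=None reproduces
    the shape of the role SumoLogic generates, which cannot read the
    KMS-encrypted objects."""
    statements = [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": f"arn:aws:s3:::{bucket}",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/*",
        },
    ]
    if kms_key_arn:
        statements.append(
            {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": kms_key_arn}
        )
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def review_role(trust: dict, perms: dict) -> List[str]:
    """Pre-deployment checks a reviewer would run on the two documents.
    Returns an empty list when the role is both usable and least-privilege."""
    findings: List[str] = []
    for st in trust.get("Statement", []):
        if st.get("Principal", {}).get("AWS", "") == "*":
            findings.append("trust policy lets any AWS principal assume the role")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy has no sts:ExternalId condition")
    actions = set()
    for st in perms.get("Statement", []):
        acts = _as_list(st.get("Action", []))
        actions.update(acts)
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement grants {acts} on Resource '*'")
        writes = [a for a in acts if a.endswith("*") or a.startswith(("s3:Put", "s3:Delete"))]
        if writes:
            findings.append(f"log-reader role should not hold write/wildcard actions {writes}")
    if "kms:Decrypt" not in actions:
        findings.append("no kms:Decrypt: objects in the SSE-KMS bucket will not be readable")
    return findings


def render(policy: dict) -> str:
    """JSON as it would be pasted into an IAM or CloudFormation policy document."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    trust = trust_policy(SUMO_ACCOUNT_ID, SUMO_EXTERNAL_ID)
    perms = permissions_policy(STAX_CLOUDTRAIL_BUCKET, STAX_CLOUDTRAIL_KMS_KEY)
    print(render(trust))
    print(render(perms))
    print("findings:", review_role(trust, perms) or "none")
    print("findings without KMS:", review_role(trust, permissions_policy(STAX_CLOUDTRAIL_BUCKET, None)))
```

Running the script prints both documents and an empty findings list; dropping the KMS statement (the shape of the SumoLogic-generated role) produces the single "no kms:Decrypt" finding, which is the symptom described in the Why? section.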

Subscribe SNS to Collector

AWS only allows a single SNS notification configuration per event type on a bucket. Since Stax has already created this topic for you, there's no need to create your own; you just need to subscribe SumoLogic to the topic, which you can do in the console or with the AWS CLI.

The Stax-created SNS topic has a name of the form cloudtrail-<stax-org-id>; you can find it in the SNS console in your logging account.

Console

Go to Services > Simple Notification Service and select the cloudtrail topic created by Stax.

  • Click Create Subscription.
  • Select HTTPS as the protocol
  • Enter the Endpoint URL provided while configuring the collector in Sumo Logic.
  • Click Create subscription and a confirmation request will be sent to Sumo Logic. The request will be automatically confirmed by Sumo Logic.

Source: https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/AWS_Sources#set-up-sns-in-aws-highly-recommended

CLI

aws sns subscribe --protocol https \
    --topic-arn arn:aws:sns:<REGION>:<ACCOUNT_ID>:cloudtrail-<STAX-ORG-ID> \
    --notification-endpoint <ENDPOINT URL>

Addendum - Field Extraction

The SumoLogic AWS Observability for AWS Control Tower guide also recommends setting up field extractions for your account IDs, see page 12 of the linked document for detailed instructions.

License

Copyright 2022 Stax WMS Pty. Ltd.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Or in the license file accompanying this file.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
