Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CloudTrail in AWS Module does not work when CloudTrail is enabled at Organization Level #23203

Closed
alaa-mallah opened this issue Dec 17, 2020 · 4 comments · Fixed by #23204
Closed

CloudTrail in AWS Module does not work when CloudTrail is enabled at Organization Level #23203

alaa-mallah opened this issue Dec 17, 2020 · 4 comments · Fixed by #23204
Assignees
@leehinman
Labels
aws Enable builds in the CI for aws cloud testing Filebeat Filebeat Team:Platforms Label for the Integrations - Platforms team

Comments

@alaa-mallah
Copy link

Describe the enhancement:
Have the ability to specify a path for the CloudTrail S3 bucket

Describe a specific use case for the enhancement or feature:
If CloudTrail is enabled at the organization level, then the path structure would look like this:
"object.key": "AWSLogs//12345678910/CloudTrail/ap-southeast-2/2020/11/30/12345678910_CloudTrail_ap-southeast-2_20201130T1305Z_QuZ9yKG0lRw5wLmx.json.gz

However, filebeat is expecting different path structure:
"object.key": "AWSLogs/12345678910/CloudTrail/ap-southeast-2/2020/11/30/12345678910_CloudTrail_ap-southeast-2_20201130T1305Z_QuZ9yKG0lRw5wLmx.json.gz"

As a workaround, regex changed here, in order to parse the organization id folder in the s3 bucket

beats/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml

Lines 3 to 7 in 5d07709

file_selectors:
{{ if .process_cloudtrail_logs }}
- regex: '^AWSLogs/\d+/CloudTrail/'
expand_event_list_from_field: 'Records'
{{ end }}

from: '^AWSLogs/\d+/CloudTrail/'
to: ^AWSLogs/\S+/\d+/CloudTrail/
@alaa-mallah alaa-mallah added Filebeat Filebeat aws Enable builds in the CI for aws cloud testing labels Dec 17, 2020
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 17, 2020
@kaiyan-sheng kaiyan-sheng added the Team:Platforms Label for the Integrations - Platforms team label Dec 17, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 17, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh
Copy link
Member

This is similar to #23126 but the format of the path is different.

@andrewkroh
Copy link
Member

The docs at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html indicate that the format is

bucket_name/prefix_name/AWSLogs/OU-ID/Account ID/CloudTrail/region/YYYY/MM/DD/file_name.json.gz

so that patterns we have need adapted to handle the optional OU-ID/ part.

I was playing with https://regex101.com/r/7WfOYY/2 as a quick test.

@leehinman leehinman self-assigned this Dec 17, 2020
@leehinman leehinman mentioned this issue Dec 17, 2020
Merged
2 tasks
leehinman added a commit to leehinman/beats that referenced this issue Dec 17, 2020
@leehinman
simplify regex for org & custom prefix in aws/cloudtrail
311a505 
- only match on /CloudTrail/, /CloudTrail-Digest/ and
  /CloudTrail-Insight/, ignore variable prefix

Closes elastic#23203
leehinman added a commit that referenced this issue Dec 17, 2020
@leehinman
simplify regex for org & custom prefix in aws/cloudtrail (#23204)
6935dc6 
- only match on /CloudTrail/, /CloudTrail-Digest/ and
  /CloudTrail-Insight/, ignore variable prefix

Closes #23203
@leehinman leehinman mentioned this issue Dec 17, 2020
Merged
2 tasks
leehinman added a commit to leehinman/beats that referenced this issue Dec 17, 2020
@leehinman
simplify regex for org & custom prefix in aws/cloudtrail (elastic#23204)
7212ef1 
- only match on /CloudTrail/, /CloudTrail-Digest/ and
  /CloudTrail-Insight/, ignore variable prefix

Closes elastic#23203

(cherry picked from commit 6935dc6)
leehinman added a commit to leehinman/beats that referenced this issue Dec 17, 2020
@leehinman
simplify regex for org & custom prefix in aws/cloudtrail (elastic#23204)
9fc68ae 
- only match on /CloudTrail/, /CloudTrail-Digest/ and
  /CloudTrail-Insight/, ignore variable prefix

Closes elastic#23203

(cherry picked from commit 6935dc6)
@leehinman leehinman mentioned this issue Dec 17, 2020
Merged
2 tasks
leehinman added a commit that referenced this issue Dec 18, 2020
@leehinman
simplify regex for org & custom prefix in aws/cloudtrail (#23204) (#2…
86bc1a0 
…3206)

- only match on /CloudTrail/, /CloudTrail-Digest/ and
  /CloudTrail-Insight/, ignore variable prefix

Closes #23203

(cherry picked from commit 6935dc6)
leehinman added a commit that referenced this issue Dec 18, 2020
@leehinman
simplify regex for org & custom prefix in aws/cloudtrail (#23204) (#2…
cc877e6 
…3207)

- only match on /CloudTrail/, /CloudTrail-Digest/ and
  /CloudTrail-Insight/, ignore variable prefix

Closes #23203

(cherry picked from commit 6935dc6)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@leehinman leehinman

Labels
aws Enable builds in the CI for aws cloud testing Filebeat Filebeat Team:Platforms Label for the Integrations - Platforms team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

simplify regex for org & custom prefix in aws/cloudtrail leehinman/beats
5 participants
@andrewkroh @kaiyan-sheng @elasticmachine @leehinman @alaa-mallah