Skip to main content

GuardDuty

Logs

Create an EventBridge rule

You'll need to create a new EventBridge rule that will send your GuardDuty findings to a Cloudwatch Log Group.

  1. In your AWS Console, go to Amazon EventBridge service.
  2. In the left menu of Amazon EventBridge, choose Rules, then click on Create rule.
  3. Enter the name of your new rule, and click Next.
  4. Scroll down to the Event pattern panel. In the AWS service field, choose GuardDuty. In the Event type field choose All Events, and click Next.
  5. For the Select a target field, choose CloudWatch log group. In the Log Group field, choose the first option (/aws/events) and enter the name you'd like for your new log group. Click Next.
  6. Optionally, add tags to your event rule. Click Next.
  7. Review the details and click Create rule.

Auto-deploy the Stack in the relevant region

This integration will deploy a Firehose connection with your AWS services to forward logs to Logz.io To deploy this project, click the button that matches the region you wish to deploy your stack to:

RegionDeployment
us-east-1Deploy to AWS
us-east-2Deploy to AWS
us-west-1Deploy to AWS
us-west-2Deploy to AWS
eu-central-1Deploy to AWS
eu-north-1Deploy to AWS
eu-west-1Deploy to AWS
eu-west-2Deploy to AWS
eu-west-3Deploy to AWS
sa-east-1Deploy to AWS
ap-northeast-1Deploy to AWS
ap-northeast-2Deploy to AWS
ap-northeast-3Deploy to AWS
ap-south-1Deploy to AWS
ap-southeast-1Deploy to AWS
ap-southeast-2Deploy to AWS
ca-central-1Deploy to AWS

Specify stack details

Specify the stack details as per the table below, check the checkboxes and select Create stack. Add the CloudWatch log group name you created in the first step to field customLogGroups.

ParameterDescriptionRequired/Default
logzioTokenThe token of the account you want to ship logs to.Required
logzioListenerListener host.Required
logzioTypeThe log type you'll use with this Lambda. This can be a built-in log type, or a custom log type.logzio_firehose
servicesA comma-seperated list of services you want to collect logs from. Supported options are: apigateway, rds, cloudhsm, cloudtrail, codebuild, connect, elasticbeanstalk, ecs, eks, aws-glue, aws-iot, lambda, macie, amazon-mq.-
customLogGroupsA comma-separated list of custom log groups to collect logs from, or the ARN of the Secret parameter (explanation below) storing the log groups list if it exceeds 4096 characters. Note: You can also specify a prefix of the log group names by using a wildcard at the end (e.g., prefix*). This will match all log groups that start with the specified prefix.-
useCustomLogGroupsFromSecretIf you want to provide list of customLogGroups which exceeds 4096 characters, set to true and configure your customLogGroups as defined below.false
triggerLambdaTimeoutThe amount of seconds that Lambda allows a function to run before stopping it, for the trigger function.60
triggerLambdaMemoryTrigger function's allocated CPU proportional to the memory configured, in MB.512
triggerLambdaLogLevelLog level for the Lambda function. Can be one of: debug, info, warn, error, fatal, panicinfo
httpEndpointDestinationIntervalInSecondsThe length of time, in seconds, that Kinesis Data Firehose buffers incoming data before delivering it to the destination60
httpEndpointDestinationSizeInMBsThe size of the buffer, in MBs, that Kinesis Data Firehose uses for incoming data before delivering it to the destination5
Important

AWS limits every log group to have up to 2 subscription filters. If your chosen log group already has 2 subscription filters, the trigger function won't be able to add another one.

Custom Log Group list exceeds 4096 characters limit

If your customLogGroups list exceeds the 4096 characters limit, follow the below steps:

  1. Open AWS Secret Manager
  2. Click Store a new secret
    • Choose Other type of secret
    • For key use logzioCustomLogGroups
    • In value store your comma-separated custom log groups list
    • Name your secret, for example as LogzioCustomLogGroups
    • Copy the new secret's ARN
  3. In your stack, Set:
    • customLogGroups to your secret ARN that you copied in step 2
    • useCustomLogGroupsFromSecret to true

Send logs

Give the stack a few minutes to be deployed.

Once new logs are added to your chosen log group, they will be sent to your Logz.io account.

Your GuardDuty logs will be sent in accordance with your GuardDuty configuration. GuardDuty publishes its findings to EventBridge every 6 hours. If you want to configure it differently:

  1. Go to your GuardDuty settings.
  2. Scroll down to Findings export options. Click on Edit of Frequency.
  3. Choose your prefered frequency to export GuardDuty findings.

You can export a sample finding by going to GuardDuty settings and clicking the Generate sample findings.

Important

If you've used the services field, you'll have to wait 6 minutes before creating new log groups for your chosen services. This is due to cold start and custom resource invocation, that can cause the Lambda to behave unexpectedly.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see log shipping troubleshooting.