This CloudTrail integration is specifically designed to work with the destination bucket to which CloudTrail writes its logs.
It is based on CloudTrail’s naming convention and path structure.
If you’re looking to ship CloudTrail logs from a different bucket, please use the S3 Bucket shipping method instead.
Configuration
Before you begin:
-
If you plan on using an access key to authenticate your connection, you’ll need to set the
s3:ListBucketands3:GetObjectpermissions for the required S3 bucket. -
If you plan on using an IAM role to authenticate your connection, you can get the role policy by filling out the bucket information and clicking the “Get the role policy” button.
-
File names in ascending alphanumeric order. This is important because the S3 fetcher’s offset is determined by the name of the last file fetched. We recommend using standard AWS naming conventions to determine the file name ordering and to avoid log duplication.
Send your logs to an S3 bucket
Logz.io fetches your CloudTrail logs from an S3 bucket.
For help with setting up a new trail, see Overview for Creating a Trail from AWS.
Verify bucket definition on AWS
Navigate to the location of your trail logs on AWS:
And verify the definition of the bucket is under the CloudTrail path:
Region data must be created under the CloudTrain path BEFORE the S3 bucket is defined on Logz.io. Otherwise, you won’t be able to proceed with sending CloudTrail data to Logz.io. 
Next, note the bucket’s name and the way the prefix is constructed, for example:
Bucket name: aws-cloudtrail-logs-486140753397-9f0d7dbd.
Prefix name: AWSLogs/486140753397/CloudTrail/.
You’ll need these values when adding your S3 bucket information.
Add your S3 bucket information
To use the S3 fetcher, log into your Logz.io account, and go to the CloudTrail log shipping page.
- Click + Add a bucket
- Select your preferred method of authentication - an IAM role or access keys.
The configuration wizard will open.
- Provide the S3 bucket name
- Provide your Prefix. That is your CloudTrail path. See further details below.
- There is no Region selection box because it is not needed. Logz.io will pull data from all regions in AWS for the specified bucket and account.
- Choose whether you want to include the source file path. This saves the path of the file as a field in your log.
- Save your information.
Getting the information from your CloudTrail AWS path
You may need to fill in 2 parameters when creating the bucket - {BUCKET_NAME} and {PREFIX}. You can find them in your CloudTrail AWS path. The AWS path structure for CloudTrail looks like the examle below:
{BUCKET_NAME}/{PREFIX_IF_EXISTS}/cloudtrail/AWSLogs/{AWS_ACCOUNT_ID}/CloudTrail/
-
{BUCKET_NAME} is your S3 bucket name.
-
{PREFIX} is your CloudTrail path. The prefix is generate by default and represents the complete path inside the bucket up until the regions section. It should look like this:
AWSLogs/{AWS_ACCOUNT_ID}/CloudTrail/.
Logz.io fetches logs that are generated after configuring an S3 bucket. Logz.io cannot fetch past logs retroactively.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards.
If you still don’t see your logs, see log shipping troubleshooting.
Troubleshooting
Problem: Failed to save bucket configuration
The following error appears when you’re trying to create a bucket:
AWS failed to create cloudtrail bucket. Exception AWS bucket is empty: 403.
Possible cause
The bucket’s location is incorrect or might be missing the correct prefix.
Suggested remedy
-
Head to CloudTrail console on AWS and check the relevant trail:
-
Verify that the location of the trail is correct:
And verify that the prefix contains all parts:
In this case, the cause of the error is that the location is empty or that the prefix is wrong.
The bucket should be aws-cloudtrail-logs-486140753397-9f0d7dbd, and the prefix should be AWSLogs/486140753397/CloudTrail/ (You can click on the prefix to verify that it is empty).
Once you fix these issues, you can return to Logz.io to create the CloudTrail bucket.