GuardDuty
Logs
Create an EventBridge rule
You'll need to create a new EventBridge rule that will send your GuardDuty findings to a Cloudwatch Log Group.
- In your AWS Console, go to Amazon EventBridge service.
- In the left menu of Amazon EventBridge, choose Rules, then click on Create rule.
- Enter the name of your new rule, and click Next.
- Scroll down to the Event pattern panel. In the AWS service field, choose GuardDuty. In the Event type field choose All Events, and click Next.
- For the Select a target field, choose CloudWatch log group. In the Log Group field, choose the first option (
/aws/events) and enter the name you'd like for your new log group. Click Next. - Optionally, add tags to your event rule. Click Next.
- Review the details and click Create rule.
Auto-deploy the Stack in the relevant region
This integration will deploy a Firehose connection with your AWS services to forward logs to Logz.io To deploy this project, click the button that matches the region you wish to deploy your Stack to:
| Region | Deployment |
|---|---|
us-east-1 |  |
us-east-2 | |
us-west-1 | |
us-west-2 | |
eu-central-1 | |
eu-north-1 | |
eu-west-1 | |
eu-west-2 | |
eu-west-3 | |
sa-east-1 | |
ap-northeast-1 | |
ap-northeast-2 | |
ap-northeast-3 | |
ap-south-1 | |
ap-southeast-1 | |
ap-southeast-2 | |
ca-central-1 | |
Specify stack details
Specify the stack details as per the table below, check the checkboxes and select Create stack.
Add the CloudWatch log group name you created in the first step to field customLogGroups.
| Parameter | Description | Required/Default |
|---|---|---|
logzioToken | The token of the account you want to ship logs to. | Required |
logzioListener | Listener host. | Required |
logzioType | The log type you'll use with this Lambda. This can be a built-in log type, or a custom log type. | logzio_firehose |
services | A comma-seperated list of services you want to collect logs from. Supported options are: apigateway, rds, cloudhsm, cloudtrail, codebuild, connect, elasticbeanstalk, ecs, eks, aws-glue, aws-iot, lambda, macie, amazon-mq. | - |
customLogGroups | A comma-seperated list of custom log groups you want to collect logs from | - |
triggerLambdaTimeout | The amount of seconds that Lambda allows a function to run before stopping it, for the trigger function. | 60 |
triggerLambdaMemory | Trigger function's allocated CPU proportional to the memory configured, in MB. | 512 |
triggerLambdaLogLevel | Log level for the Lambda function. Can be one of: debug, info, warn, error, fatal, panic | info |
httpEndpointDestinationIntervalInSeconds | The length of time, in seconds, that Kinesis Data Firehose buffers incoming data before delivering it to the destination | 60 |
httpEndpointDestinationSizeInMBs | The size of the buffer, in MBs, that Kinesis Data Firehose uses for incoming data before delivering it to the destination | 5 |
AWS limits every log group to have up to 2 subscription filters. If your chosen log group already has 2 subscription filters, the trigger function won't be able to add another one.
Send logs
Give the stack a few minutes to be deployed.
Once new logs are added to your chosen log group, they will be sent to your Logz.io account.
Your GuardDuty logs will be sent in accordance with your GuardDuty configuration. GuardDuty publishes its findings to EventBridge every 6 hours. If you want to configure it differently:
- Go to your GuardDuty settings.
- Scroll down to Findings export options. Click on Edit of Frequency.
- Choose your prefered frequency to export GuardDuty findings.
You can export a sample finding by going to GuardDuty settings and clicking the Generate sample findings.
If you've used the services field, you'll have to wait 6 minutes before creating new log groups for your chosen services. This is due to cold start and custom resource invocation, that can cause the Lambda to behave unexpectedly.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards.
If you still don't see your logs, see log shipping troubleshooting.