Pulls down AWS CloudTrail logs from S3 and writes them to a JSON file to be ingested by Logstash. The JSON output is preformatted (one event per line) and easily parsable by Logstash.
Requires s3cmd and jq.
- Edit the script and update the variable 'AWS_ACCOUNT_NUMBER' with your account number.
- Edit the script and update the variable 'S3_BUCKET_NAME' with your bucket's name.
- Ensure your AWS credentials are configured (e.g. ~/.aws/credentials).
- Execute the script (it runs in a constant polling loop).
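To show what the consumer does between the s3cmd download and the Logstash-ready output, here is an added Python example (not the project's own script, which is shell built on s3cmd and jq). It unwraps a gzipped CloudTrail delivery file into one compact JSON object per line, the equivalent of `jq -c '.Records[]'`, and keeps a set of already-processed S3 keys so that a polling loop never emits the same events twice. The S3 key layout `AWSLogs/<account>/CloudTrail/...` is the real CloudTrail delivery prefix; the account number, bucket, the `s3cmd get ... -` fetch helper and the sample records are assumptions constructed for the example.

```python
# Added example, not the project's code: CloudTrail S3 object -> Logstash NDJSON,
# with duplicate suppression for a polling loop.
import gzip
import json
import subprocess
from typing import Callable, Iterable, List, Set

# Assumed values, mirroring the variables the README tells you to edit.
AWS_ACCOUNT_NUMBER = "123456789012"          # placeholder
S3_BUCKET_NAME = "example-cloudtrail-bucket"  # placeholder
CLOUDTRAIL_PREFIX = f"s3://{S3_BUCKET_NAME}/AWSLogs/{AWS_ACCOUNT_NUMBER}/CloudTrail/"

# Constructed sample of one CloudTrail delivery file, trimmed to the fields
# a dashboard typically keys on (eventName, eventSource, caller, source IP).
SAMPLE_RECORDS = {
    "Records": [
        {"eventVersion": "1.05", "eventTime": "2016-01-01T10:00:00Z",
         "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "alice"}},
        {"eventVersion": "1.05", "eventTime": "2016-01-01T10:05:00Z",
         "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    ]
}
SAMPLE_GZ = gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


def cloudtrail_gz_to_ndjson(gz_bytes: bytes) -> List[str]:
    """Decompress one CloudTrail file and return each record as a single
    compact JSON line (what `zcat file | jq -c '.Records[]'` produces)."""
    payload = json.loads(gzip.decompress(gz_bytes).decode("utf-8"))
    records = payload.get("Records")
    if not isinstance(records, list):
        raise ValueError("CloudTrail file has no 'Records' array")
    # Compact separators keep one event per line; sort_keys gives stable output.
    return [json.dumps(r, separators=(",", ":"), sort_keys=True) for r in records]


def s3cmd_fetch(key: str) -> bytes:
    """Assumed fetch helper: stream one object to stdout with s3cmd.
    Relies on s3cmd being installed and credentials configured as the README says."""
    return subprocess.run(["s3cmd", "get", "--quiet", key, "-"],
                          check=True, capture_output=True).stdout


def process_keys(keys: Iterable[str], fetch: Callable[[str], bytes],
                 seen: Set[str], out_lines: List[str]) -> int:
    """Convert every not-yet-seen CloudTrail object in `keys`, appending its
    lines to `out_lines` and recording the key in `seen`. Returns the number
    of new objects processed, so a loop can tell whether anything arrived."""
    processed = 0
    for key in keys:
        # CloudTrail delivers *.json.gz; digest files and duplicates are skipped.
        if key in seen or not key.endswith(".json.gz"):
            continue
        out_lines.extend(cloudtrail_gz_to_ndjson(fetch(key)))
        seen.add(key)
        processed += 1
    return processed


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a real loop would list
    # CLOUDTRAIL_PREFIX with s3cmd, pass the keys here with fetch=s3cmd_fetch,
    # append out_lines to the file Logstash tails, and sleep before repeating.
    seen_keys: Set[str] = set()
    lines: List[str] = []
    demo_keys = [f"AWSLogs/{AWS_ACCOUNT_NUMBER}/CloudTrail/us-east-1/2016/01/01/sample.json.gz"]
    process_keys(demo_keys, lambda k: SAMPLE_GZ, seen_keys, lines)
    print("\n".join(lines))
```

Persist `seen_keys` to disk between runs (or restrict the listing to the current day's prefix) so a restart of the loop does not re-ingest the whole bucket.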
Included are a traditional init script and a monit config (both optional). To use the init script:
- Ensure 'cloudtrail-consumer.sh' is located at /opt/cloudtrail-consumer.
- Alternatively, edit 'cloudtrail-consumer-init.sh' and change the variable 'THE_PATH'.
- Place the init script (cloudtrail-consumer-init.sh) in /etc/init.d.
- Make the init script executable: chmod ug+x cloudtrail-consumer-init.sh
- It can then be started as such: /etc/init.d/cloudtrail-consumer-init.sh start (or stop)
- The included monit script can be placed in your monit configuration directory and used to start the CloudTrail consumer at boot.
See the related ELB-logs-to-Logstash project here: https://github.com/vigeek/aws-elb-logs-to-logstash
To install the Kibana dashboard, please view the README in the kibana-dashboard directory.
Some minor details in the dashboard image are obfuscated.