AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
For those familiar with AWS: the Lambda code is in /lambda-code/, and you will need to set up an event trigger on your CloudTrail bucket that invokes the Lambda function. Then open the Grafana interface and import the /dashboard/grafana-dashboard-export.json file, which creates the dashboard and all the required searches and visualizations.
- Git clone the repo or download the whole thing from the release page.
- Create a Lambda function from the /lambda-code/index.js file with the following environment variables:
  - elasticsearchurl => http or https URL of the Elasticsearch server, reachable from within the VPC
  - snsTopicArn => ARN of the SNS topic used to send notification emails
- Go to the S3 bucket where CloudTrail delivers its log files and add an event trigger that invokes the Lambda function.
- CloudTrail log files written to S3 should now be processed by the Lambda function and pushed into Elasticsearch. You can check by listing the Elasticsearch indices: you should see an index named logstash-YYYY-MM-DD.
- Open your Grafana URL.
- Click Import and select the /dashboard/grafana-dashboard-export.json file.
- If the import succeeds, you should see the imported saved objects listed. You can now view the dashboard by going to Dashboard, selecting Open and choosing Cloudtrail-Event-Dashboard.