
Any experience adding AWS Cloudtrail as a data source?

I'm trying to add AWS Cloudtrail as a device in the SIEM.

Have followed the Data Source Configuration Guide for AWS, can do a successful test connection, but there is no data coming into the SIEM from AWS.

Just wondering if anyone out there has experienced similar issues and managed to overcome them?

14 Replies
anhp
Level 7
Message 2 of 15

Re: Any experience adding AWS Cloudtrail as a data source?

Have you been able to figure this out yet? I'm running into the same issue and was wondering if I could get some help... Thanks!

Re: Any experience adding AWS Cloudtrail as a data source?

No joy sorry - if I have any luck I'll be sure to update the thread!

anhp
Level 7
Message 4 of 15

Re: Any experience adding AWS Cloudtrail as a data source?

Did you figure out any alternative option? I thought of pulling the logs directly from the s3 bucket but can't figure it out either... Thanks!


Re: Any experience adding AWS Cloudtrail as a data source?

Actually yes - the issue is now resolved.

MIGHT NOT BE THE SAME ISSUE AS YOU, but in this instance basically the issue was with a certificate from AWS being untrusted by the SIEM.

To see if the issue is what you are also experiencing, check the cloudtrail logs (/var/log/messages/cloudtrail or something along those lines - not sure exactly). If there are messages relating to unfound or untrusted certificates, that is your problem and you'll need to get an update from McAfee.

anhp
Level 7
Message 6 of 15

Re: Any experience adding AWS Cloudtrail as a data source?

When you say "get an update from McAfee", are you meaning updating the certificate from the McAfee side? Or actually updating our McAfee ESM product for it to work? Thanks!

Re: Any experience adding AWS Cloudtrail as a data source?

I mean that in our case we logged the issue with McAfee support and they updated the ESM with an updated cert.

anhp
Level 7
Message 8 of 15

Re: Any experience adding AWS Cloudtrail as a data source?

Sorry to keep asking, but I can't find where to see the actual logs from cloudtrail. We have API logs from cloudtrail in ELK but I can't find anything with "McAfee" as the search word. Where did you find yours? Thanks!

Re: Any experience adding AWS Cloudtrail as a data source?

The logs you are looking for are on the SIEM ESM itself. Should be in /var/log/messages and the file should be called CloudTrail or something similar.

anhp
Level 7
Message 10 of 15

Re: Any experience adding AWS Cloudtrail as a data source?

Hi cowboy71,

I looked in the log and found the following message; is this what you had as well?

3505:Mar  1 14:14:27 McAfee libJobServer.so[2842]: Test connect failed with the following error: NotOk ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.

AP
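The check the thread converges on (read the ESM collector log and tell a certificate-trust failure apart from a plain network failure such as the "Connection refused" line above) as a small triage script. This is an added example, not code from the thread or from McAfee; the first sample line is the one posted above, while the other two lines, the certificate-error wording and the advice text are assumptions.

```python
import re

# Constructed sample of an ESM collector log. Line 1 is the line quoted in the
# thread; lines 2 and 3 are invented to show a cert-trust failure and a success.
SAMPLE_LOG = """\
3505:Mar  1 14:14:27 McAfee libJobServer.so[2842]: Test connect failed with the following error: NotOk ERROR [try ]: On calling SetQueueAttributes: 500 Can't connect to sqs.us-east-1.amazonaws.com:443 (Connection refused) at /usr/local/bin/cloudtrailcoll.pl line 172.
3506:Mar  1 14:20:03 McAfee libJobServer.so[2842]: Test connect failed with the following error: NotOk ERROR [try ]: On calling ReceiveMessage: 500 certificate verify failed for sqs.us-east-1.amazonaws.com:443 at /usr/local/bin/cloudtrailcoll.pl line 172.
3507:Mar  1 14:25:11 McAfee libJobServer.so[2842]: Test connect succeeded
"""

# Endpoint the Perl collector could not reach (shape taken from the posted line).
CONNECT_RE = re.compile(r"Can't connect to (?P<host>[^\s:]+):(?P<port>\d+) \((?P<reason>[^)]*)\)")
# Wording for certificate-trust problems (assumed phrasing, not from the thread).
CERT_RE = re.compile(r"certificate (?:verify failed|not trusted)|untrusted cert|unable to get local issuer", re.I)
CALL_RE = re.compile(r"On calling (?P<api>\w+)")

# Defender's next step per category; the tls_trust one is the fix reported in the thread.
NEXT_STEP = {
    "tls_trust": "ESM does not trust the AWS endpoint certificate: open a support case for an updated trust store.",
    "network": "ESM cannot reach the endpoint: check egress firewall/proxy rules and DNS from the ESM to that host:port.",
    "other": "Unrecognised failure: read the full line and the collector line number it cites.",
    "ok": "No action.",
}

def classify_line(line):
    """Return (category, detail) for one collector log line."""
    m = CALL_RE.search(line)
    detail = {"api": m.group("api") if m else None}
    if "Test connect failed" not in line and "ERROR" not in line:
        return "ok", detail
    m = CERT_RE.search(line)
    if m:
        return "tls_trust", {**detail, "match": m.group(0)}
    m = CONNECT_RE.search(line)
    if m:
        return "network", {**detail, **m.groupdict()}
    return "other", detail

def triage(log_text):
    """Classify every non-empty line; returns a list of (category, detail, advice)."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            category, detail = classify_line(line)
            results.append((category, detail, NEXT_STEP[category]))
    return results

if __name__ == "__main__":
    for category, detail, advice in triage(SAMPLE_LOG):
        print(f"{category:10} {detail}\n    -> {advice}")
```

Run it against the real file on the ESM (the thread points at /var/log/messages and a CloudTrail-named file next to it) by passing that file's contents to triage() instead of SAMPLE_LOG.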
