How to import logs in EventLog Analyzer from S3 bucket

How to import logs in EventLog Analyzer from S3 bucket

Objective 

Some applications might record logs in the file system so that the user can import the logs in EventLog Analyzer. This can happen when the logs are located in Local file system of the EventLog Analyzer instance where the shared path is the Windows OS and Linux OS, or the S3 bucket. This article provides step-by-step instructions to import logs in EventLog Analyzer from the S3 bucket.

Prerequisites 

  • An adequate number of Application licenses needs to be available. EventLog Analyzer consumes one application license for each import and each unique log format identified during log file import. Importing the same file twice with different formats will consume two licenses.
  • The file to be imported has to be plain text and not encrypted. EventLog Analyzer archived files with .zip, .gz and .7z formats are supported for import.
  • An AWS cloud account needs to be added in EventLog Analyzer.
    If you do not want to audit your cloud account, but you want to import the logs from S3, you can add the cloud account in the Import tab with the minimum permission user to read the files from S3 bucket. To create an IAM user with minimum permission for the log import on the S3 Bucket, refer to this link.

Steps to follow 

To configure AWS S3 buckets for importing logs, follow these steps. If you have configured AWS account for auditing, you can skip to step 5.
Step 1: Navigate to Settings >> Log source configuration >> Import and choose the Cloud tab.
Step 2: Click the link displayed to configure the AWS account.


Step 3: Enter the Display Name, Access Key, and Secret Key of the AWS Account and click Add.
Note: Create a IAM user with minimum permission to read the S3 bucket files and to create the keys. Refer to this link to create a IAM user with minimum permissions for the log import.
Step 4: Once the AWS account is added, it will be displayed in the drop-down list available in the Cloud tab.
Step 5: From the drop-down list, select the AWS account.
Step 6: Choose the S3 bucket from the list provided in the Select files pop-up and select the file to be imported.
Step 7: The Store Logs for Short-term option will store the imported log data in EventLog Analyzer for two days. If the option is left unchecked, the logs will be stored as per your data retention configuration.
Step 8: You can choose to schedule the log import at specific time intervals. You can also schedule the log collection by reading the same file on a periodic basis or by creating a specific file naming convention for these files.
Step 9: Click Import to save the configuration.
 

Tips 

  1. Log import consumes one Application license for each import performed. If you are importing for analysis, you can select the Store Logs for Short-term option, which will store the imported log data in EventLog Analyzer for two days. If the option is left unchecked, the logs will be stored as per data retention configuration.
  2. Log format will be set as Automatically Identify by default. The application will identify the Log format automatically, and based on that, the parsing will be achieved. You can create a Custom log format if the log format is not available in the list or if it is a custom application. 
  3. Log import for EVT/EVTX is available only for Windows instances and for direct import only.
  4. The Scheduled import option is available in both Remote and S3 bucket imports. 
 


                  New to ADSelfService Plus?

                    • Related Articles

                    • How to import logs in EventLog Analyzer from a local path

                      Objective A user can import application logs in EventLog Analyzer when the logs are located in the local file system of the EventLog Analyzer instance, shared path of Windows OS and Linux OS, or S3 bucket. Learn how to import logs in EventLog ...
                    • How to collect historic logs from Windows devices in EventLog Analyzer

                      Objective When a Windows device is onboarded in EventLog Analyzer, log collection starts from the moment of onboarding. To retrieve Windows event logs generated before the onboarding, you can use the following methods: Historic log collection: Can be ...
                    • Log import failure during remote log collection in EventLog Analyzer

                      Issue description EventLog Analyzer will display an error notification in the UI stating that the log import for selected files has failed. This issue will happen when EventLog Analyzer is unable to import a file during the scheduled log import ...
                    • How to import custom threat feeds in EventLog Analyzer

                      Objective EventLog Analyzer provides an option to import custom threat feeds or indicators, allowing users to upload lists of malicious IP addresses, CIDR values, domains, and URLs as per internal investigation. These imported indicators are then ...
                    • Unable to start EventLog Analyzer

                      Issue description This issue occurs when the EventLog Analyzer service fails to start, or when users are unable to access the web client through the browser (typically on ports 8400 or 8445). Users may experience one or more of the following ...