s3_cloudtrail

package
v0.0.0-...-c728838
Published: Dec 27, 2017 License: MIT Imports: 11 Imported by: 1

README

Poll S3 for CloudTrail logs

If you enable AWS CloudTrail, AWS records your account's API calls (management events by default; data events such as S3 object-level operations only if you turn them on) and delivers them as gzipped JSON log files to an S3 bucket of your choice.

How to set it up:

  • Go to the AWS dashboard for CloudTrail and create a "trail" with the following options:
    • Encrypt log files = No (this is the SSE-KMS option; sync-log-files-to-db doesn't know how to decrypt KMS-encrypted objects). Delivered log files are still encrypted at rest with S3-managed keys (SSE-S3); what you give up is a separate KMS key policy that would gate who can read the logs.
    • Enable log file validation = No (sync-log-files-to-db won't bother to delete the digest files CloudTrail writes next to the logs, so they'd just accumulate). Note the trade-off: without digest files you can't later prove a log file wasn't modified or removed, and since this tool deletes each log file from the bucket once it has been ingested, the database becomes your only copy.
  • Create an AWS S3 bucket for your CloudTrail logs
  • Create an AWS IAM user whose policy grants only s3:ListBucket on that bucket and s3:GetObject and s3:DeleteObject on its objects (read and delete, nothing else, and no other buckets)
  • Set up a config/s3.creds.ini file using config/s3.creds.ini.sample as a starting point
  • Add the following stanza to your config.json (omit the BigQuery or InfluxDb block if you don't use that sink):
    "PollS3CloudTrail": {
      "S3": {
        "CredsPath": "./s3.creds.ini",
        "Region": "us-east-1",
        "BucketName": "cloudtrail-danstutzman"
      },
      "PathsPerBatch": 100,
    
      "BigQuery": {
        "GcloudPemPath": "./YourProject-abc123.json",
        "GcloudProjectId": "your-project",
        "DatasetName": "cloudtrail",
        "TableName": "cloudtrail_events"
      },
      "InfluxDb": {
        "Hostname": "127.0.0.1",
        "Port": "8086",
        "DatabaseName": "mydb",
        "MeasurementName": "cloudtrail_events"
      }
    },
    

Documentation

Index

Constants

const DEFAULT_PATHS_PER_BATCH = 100
const SECONDS_BETWEEN_POLLS = 5 * 60

Variables

This section is empty.

Functions

func PollForever

func PollForever(opts *Options, configPath string)

func ValidateOptions

func ValidateOptions(options *Options)

Types

type Attributes

type Attributes struct {
	MfaAuthenticated string `json:"mfaAuthenticated"`
	CreationDate     string `json:"creationDate"`
}

type Event

type Event struct {
	EventVersion       string                 `json:"eventVersion"`
	UserIdentity       UserIdentity           `json:"userIdentity"`
	EventTime          string                 `json:"eventTime"`
	EventSource        string                 `json:"eventSource"`
	EventName          string                 `json:"eventName"`
	AwsRegion          string                 `json:"awsRegion"`
	SourceIpAddress    string                 `json:"sourceIPAddress"`
	UserAgent          string                 `json:"userAgent"`
	RequestParameters  map[string]interface{} `json:"requestParameters"`
	ResponseElements   map[string]interface{} `json:"responseElements"`
	RequestId          string                 `json:"requestID"`
	EventId            string                 `json:"eventID"`
	EventType          string                 `json:"eventType"`
	RecipientAccountId string                 `json:"recipientAccountId"`
}

type File

type File struct {
	Records []Event
}

type Options

type Options struct {
	S3            *s3.Options
	BigQuery      *bigquery.Options
	InfluxDb      *influxdb.Options
	PathsPerBatch int
}

type SessionContext

type SessionContext struct {
	Attributes Attributes `json:"attributes"`
}

type UserIdentity

type UserIdentity struct {
	Type           string         `json:"type"`
	PrincipalId    string         `json:"principalId"`
	Arn            string         `json:"arn"`
	AccountId      string         `json:"accountId"`
	AccessKeyId    string         `json:"accessKeyId"`
	SessionContext SessionContext `json:"sessionContext"`
}
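The types above describe one CloudTrail log object: a gzipped JSON document whose top-level "Records" array holds the events the trail set up in the README delivers to the bucket. The following Go program is an added example, not code from the s3_cloudtrail package or its author: it copies the documented types, gunzips and decodes a constructed sample file in that shape, and runs a hypothetical triage rule (Flag) over the result to pick out calls made as the account root user and sessions whose sessionContext reports MFA was not used. The account ID, ARNs, IP addresses, event IDs and the Flag rule itself are assumptions made for the example; the field names and JSON tags are the package's own.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"io"
)

// Copies of the s3_cloudtrail types documented on this page, repeated so the
// example compiles stand-alone (encoding/json ignores fields not listed here).
type Attributes struct {
	MfaAuthenticated string `json:"mfaAuthenticated"`
	CreationDate     string `json:"creationDate"`
}
type SessionContext struct {
	Attributes Attributes `json:"attributes"`
}
type UserIdentity struct {
	Type           string         `json:"type"`
	PrincipalId    string         `json:"principalId"`
	Arn            string         `json:"arn"`
	AccountId      string         `json:"accountId"`
	AccessKeyId    string         `json:"accessKeyId"`
	SessionContext SessionContext `json:"sessionContext"`
}
type Event struct {
	EventVersion       string                 `json:"eventVersion"`
	UserIdentity       UserIdentity           `json:"userIdentity"`
	EventTime          string                 `json:"eventTime"`
	EventSource        string                 `json:"eventSource"`
	EventName          string                 `json:"eventName"`
	AwsRegion          string                 `json:"awsRegion"`
	SourceIpAddress    string                 `json:"sourceIPAddress"`
	UserAgent          string                 `json:"userAgent"`
	RequestParameters  map[string]interface{} `json:"requestParameters"`
	ResponseElements   map[string]interface{} `json:"responseElements"`
	RequestId          string                 `json:"requestID"`
	EventId            string                 `json:"eventID"`
	EventType          string                 `json:"eventType"`
	RecipientAccountId string                 `json:"recipientAccountId"`
}
type File struct {
	Records []Event
}

// ParseCloudTrailFile gunzips one delivered log object and decodes its
// {"Records": [...]} envelope. A truncated or non-gzip object is an error,
// never a partially filled File.
func ParseCloudTrailFile(r io.Reader) (*File, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, fmt.Errorf("gzip: %w", err)
	}
	defer zr.Close()
	var f File
	if err := json.NewDecoder(zr).Decode(&f); err != nil {
		return nil, fmt.Errorf("json: %w", err)
	}
	return &f, nil
}

// Flag is a hypothetical triage rule for this example (not part of the package):
// one line per call made as the root user, and one per call whose session
// context says MFA was not used. Events without a sessionContext decode with
// an empty MfaAuthenticated and are left alone.
func Flag(events []Event) []string {
	var out []string
	for _, e := range events {
		switch {
		case e.UserIdentity.Type == "Root":
			out = append(out, fmt.Sprintf("%s root %s from %s", e.EventId, e.EventName, e.SourceIpAddress))
		case e.UserIdentity.SessionContext.Attributes.MfaAuthenticated == "false":
			out = append(out, fmt.Sprintf("%s no-mfa %s by %s", e.EventId, e.EventName, e.UserIdentity.Arn))
		}
	}
	return out
}

// sampleFile is constructed test data in the shape CloudTrail delivers; the
// account ID, ARNs, addresses and IDs are made up for this example.
const sampleFile = `{"Records":[
{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLE:alice","arn":"arn:aws:sts::111122223333:assumed-role/Admin/alice","accountId":"111122223333","accessKeyId":"ASIAEXAMPLE1","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2017-12-27T10:00:00Z"}}},"eventTime":"2017-12-27T10:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/1.14.0","requestParameters":{},"responseElements":null,"requestID":"req-1","eventID":"ev-1","eventType":"AwsApiCall","recipientAccountId":"111122223333"},
{"eventVersion":"1.05","userIdentity":{"type":"Root","principalId":"111122223333","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333","accessKeyId":"AKIAEXAMPLE2"},"eventTime":"2017-12-27T10:06:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.5","userAgent":"console.amazonaws.com","requestParameters":{"userName":"backup"},"responseElements":{"accessKey":{"status":"Active"}},"requestID":"req-2","eventID":"ev-2","eventType":"AwsApiCall","recipientAccountId":"111122223333"},
{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLE:deploy","arn":"arn:aws:sts::111122223333:assumed-role/Deploy/deploy","accountId":"111122223333","accessKeyId":"ASIAEXAMPLE3","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2017-12-27T10:00:00Z"}}},"eventTime":"2017-12-27T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketPolicy","awsRegion":"us-east-1","sourceIPAddress":"192.0.2.44","userAgent":"aws-sdk-go/1.12.0","requestParameters":{"bucketName":"cloudtrail-danstutzman"},"responseElements":null,"requestID":"req-3","eventID":"ev-3","eventType":"AwsApiCall","recipientAccountId":"111122223333"}
]}`

// GzipBytes compresses s the way CloudTrail compresses each delivered object.
func GzipBytes(s string) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(s)) // writes to a bytes.Buffer cannot fail
	zw.Close()
	return buf.Bytes()
}

func main() {
	f, err := ParseCloudTrailFile(bytes.NewReader(GzipBytes(sampleFile)))
	if err != nil {
		fmt.Println("parse failed:", err)
		return
	}
	for _, line := range Flag(f.Records) {
		fmt.Println(line)
	}
}
```

Run as-is it reports the root CreateAccessKey call and the non-MFA PutBucketPolicy against the log bucket, and leaves the MFA-backed DescribeInstances alone. The same decode path is what a poller over the bucket would apply to each object before handing events to BigQuery or InfluxDb; decoding failures should stop the object from being deleted from S3, since a deleted-but-unparsed file is lost for good once validation is off.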
