Amazon Web Services Log Source Parameters for Amazon AWS Elastic Kubernetes Service
If JSA does not automatically detect the log source, add an Amazon AWS Elastic Kubernetes Service log source on the JSA Console by using the Amazon Web Services protocol.
When you use the Amazon Web Service protocol, there are specific parameters that you must configure.
The following table describes the parameters that require specific values to collect Amazon Web Services events from Amazon Elastic Kubernetes Service:
Parameter |
Value |
---|---|
Log Source type |
Amazon AWS Elastic Kubernetes Service |
Protocol Configuration |
Amazon Web Services |
Authentication Method |
Access Key ID / Secret Key Standard authentication that can be used from any location. EC2 Instance IAM Role If your JSA managed host is running on an AWS EC2 instance, choose this option to use the IAM Role from the metadata that is assigned to the instance for authentication. No keys are required. Note:
This method works only for managed hosts that run within an AWS EC2 container. |
Access Key ID |
If you selected , Access Key ID/ Secret Key as the Authentication Method, configure this parameter. The Access Key ID that was generated when you configured the security credentials for your AWS user account. For more information about configuring the security credentials, see Configuring Security Credentials for your AWS User Account. |
Secret Access Key |
If you selected Access Key ID / Secret Key for the Authentication Method, configure this parameter. The Secret Key that was generated when you configured the security credentials for your AWS user account. For more information about configuring the security credentials, see Configuring Security Credentials for your AWS User Account. |
Regions |
Select the checkbox for each region that is associated with the Amazon Web Service that you want to collect logs from. |
Other Regions |
Enter the names of any additional regions that are associated with the Amazon Web Service that you want to collect logs from. To collect from multiple regions, use a commaseparated list, which is shown in the following example: region1,region2 |
AWS Service |
The name of the Amazon Web Service. From the AWS Service list, select CloudWatch Logs. |
Log Group |
The name of the log group in Amazon CloudWatch that you want to collect logs from. Tip:
A single log source can collect CloudWatch logs from only one log group at a time. If you want to collect logs from multiple log groups, create a separate log source for each log group. |
Log Stream (Optional) |
The name of the log stream within a log group that you want to collect logs from. |
Filter Pattern (Optional) |
Type a pattern for filtering the collected events. This pattern is not a regex filter. Only the events that contain the exact value that you specify are collected from CloudWatch Logs. If you enter ACCEPT as the Filter Pattern value, only events that contain the word ACCEPT are collected. The following example shows the effect of the ACCEPT value: {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0} |
Extract Original Event |
CloudWatch Logs wrap events that they receive with extra metadata. If you want only the original event that was added to the CloudWatch logs to be forwarded to JSA, select this option. The original event is the value for the message key that is extracted from the CloudWatch Logs. The following CloudWatch logs event example shows the original event that is extracted from the CloudWatch log in bold text: {LogStreamName: guardDutyLogStream,Timestamp: 1519849569827,Message: {"version": "0", "id": "00-00", "detail-type": "GuardDuty Finding", "account": "1234567890", "region": "us-west-2", "resources": [], "detail": {"schemaVersion": "2.0", "accountId": "1234567890", "region": "uswest- 2", "partition": "aws", "type": "Behavior:IAMUser/InstanceLaunchUnusual", "severity": 5.0, "createdAt": "2018-02-28T20:22:26.344Z", "updatedAt": "2018-02-28T20:22:26.344Z"}},IngestionTime: 1519849569862,EventId: 0000} |
Use As A Gateway Log Source |
When you select this option, the collected events flow through the JSA Traffic Analysis engine and JSA automatically detects one or more log sources. If the Amazon AWS S3 bucket is dedicated only to AWS Kubernetes events, do not select this checkbox. If the Amazon AWS S3 bucket contains data from multiple AWS sources, you must select this checkbox. |
Use Proxy |
If JSA accesses the Amazon Web Service by using a proxy, enable this option. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields. |
Automatically Acquire Server Certificates |
If you select Yes from the list, JSA downloads the certificate and begins trusting the target server. This function can be used to initialize a newly created log source and obtain certificates initially, or to replace expired certificates. |
EPS Throttle |
The maximum number of events per second (EPS) that this log source can't exceed. The default is 5000. This value is optional if the Use As A Gateway Log Source is checked. If EPS Throttle is left blank, no limit is imposed by JSA. |
For a complete list of Amazon Web Services protocol parameters and their values, see Amazon AWS S3 REST API Protocol Configuration Options.