Configuring an Amazon AWS Route 53 Log Source by using the Amazon Web Services Protocol and CloudWatch Logs

To collect AWS Route 53 public DNS query logs or Resolver query logs, or both, from Amazon CloudWatch logs, add a log source on the JSA Console by using the Amazon Web Services protocol.
  1. Create a log group in Amazon CloudWatch Logs to retrieve logs in JSA.
    Note:

    For public DNS query logs, the log group must be in the US East (N. Virginia) region.

  2. Configure AWS Route 53 to send logs to a log group in AWS CloudWatch Logs.
  3. Create an Identity and Access Management (IAM) user in the AWS Management Console.
  4. Configure security credentials for your AWS user account.
  5. Configure the Amazon Web Services log source parameters for Amazon AWS Route 53.

Configuring Public DNS Query Logging

Before you can add a log source in JSA, you must configure logging for DNS queries.

  1. Log in to the AWS Management console to open the Route 53 console.
  2. From the Amazon Route 53 navigation pane, select Hosted zones.
  3. Select the relevant hosted zone.
  4. From the Hosted zone details section, click Configure query logging.
  5. Select an existing log group or create a new log group.
    Note:

    The log group must be in the US East (N. Virginia) region.

  6. If you see an alert about permissions, choose one of the following troubleshooting options:
    • If you already have 10 resource policies, you have reached the limit. Select one of your resource policies and click Edit to allow Route 53 to write logs to your log groups, then click Save and continue to step 7.

    • If this is the first time that you have configured query logging, or if you have fewer than 10 resource policies, grant Route 53 permission to write logs to your CloudWatch log groups by selecting Grant permissions, then continue to the next step.

  7. To verify that the resource policy matches the CloudWatch Logs log group and that Route 53 has permission to publish logs to CloudWatch, click Permissions - optional.
  8. Click Create.

Configuring Resolver Query Logging

Before you can add a log source in JSA, you must configure Resolver query logging on the AWS Management console.
  1. Log in to your AWS Management console to open the Route 53 console.
  2. From the Route 53 navigation menu, select Resolver > Query logging.
  3. From the region list, select the region where you want to create the query logging configuration.
    Note:

    The region that you select must be the same region where you created the Amazon Virtual Private Clouds (VPCs) that you want to log queries for. If your VPCs are in multiple regions, create at least one query logging configuration for each region.

  4. Click Configure query logging, then type a name for your query logging configuration. Your configuration name displays in the console in the list of query logging configurations.
  5. In the Query logs destination section, select a destination where you want Resolver to publish query logs. JSA supports a CloudWatch Logs log group and an S3 bucket as destinations for query logs.
    • If you are using the Amazon AWS S3 REST API, select S3 bucket.

    • If you are using the Amazon Web Services protocol, select CloudWatch Logs log group.

  6. To log VPCs, in the VPCs to log queries for section, click Add VPC. DNS queries that originate in the VPCs that you select are logged. If you don't select any VPCs, no queries are logged by Resolver.
  7. Click Configure query logging.

Creating an Identity and Access Management (IAM) User in the AWS Management Console

An Amazon administrator must create a user and then apply the s3:listBucket and s3:getObject permissions to that user in the AWS Management Console. The JSA user can then create a log source in JSA.

The minimum required permissions are s3:listBucket and s3:getObject. You can assign other permissions to the user as needed.

Sample policy:

For more information about permissions that are related to bucket operations, go to the AWS documentation website.
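The IAM procedure names the minimum S3 permissions but does not show a policy document. The following is an added example, not the page's own sample policy: a least-privilege policy that grants exactly the two S3 permissions named above, scoped to one bucket, together with a small checker that reports wildcard actions, actions that are not read-only, and unscoped resources before the policy is attached to the JSA user. The bucket name, account ID, region and log group name are placeholders. The CloudWatch Logs statement goes beyond what the page states; it is included because this page's destination is a CloudWatch Logs log group, and the exact actions the protocol requires should be confirmed against the Amazon Web Services protocol documentation. Either way the result is narrower than the AmazonS3ReadOnlyAccess managed policy that the procedure below applies.

```python
import json
from typing import Any, Dict, List

# Placeholder values (assumptions, not from the page): substitute your own
# bucket name, account ID, region and log group name.
BUCKET = "example-route53-logs-bucket"
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
LOG_GROUP = "Route53QueryLogs"

# Least-privilege policy for the JSA collection user. The first statement
# carries exactly the two S3 permissions the page names as the minimum, scoped
# to one bucket and its objects. The second statement is an added assumption
# for the CloudWatch Logs log-group destination this page configures: it grants
# read-only access to a single log group and nothing else.
POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadOnlyMinimumFromPage",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [
                f"arn:aws:s3:::{BUCKET}",
                f"arn:aws:s3:::{BUCKET}/*",
            ],
        },
        {
            "Sid": "CloudWatchLogsReadOnlyAssumed",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:FilterLogEvents",
            ],
            "Resource": [
                f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:{LOG_GROUP}:*",
            ],
        },
    ],
}

# Read-only actions a log collector legitimately needs. Anything outside this
# set, any wildcard action, and any '*' resource is reported as a finding.
READ_ONLY_ACTIONS = {
    "s3:listbucket",
    "s3:getobject",
    "logs:describelogstreams",
    "logs:getlogevents",
    "logs:filterlogevents",
}


def policy_document() -> str:
    """Render the policy as the JSON document to paste into the IAM console."""
    return json.dumps(POLICY, indent=2)


def _as_list(value: Any) -> List[str]:
    # IAM allows Action and Resource to be either a single string or a list.
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy: Dict[str, Any]) -> List[str]:
    """Check a collector policy; an empty list means it passed.

    Findings: wildcard actions, actions outside READ_ONLY_ACTIONS, and
    resources set to '*' (which would expose every bucket and log group).
    """
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            # Normalise case so that s3:listBucket and s3:ListBucket compare equal
            elif action.lower() not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: action {action!r} is not read-only collection access")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: resource '*' is not scoped to a bucket or log group")
    return findings


if __name__ == "__main__":
    print(policy_document())
    print("findings:", least_privilege_findings(POLICY) or "none")
```

Run the script to print the policy document and confirm that it produces no findings; the checker is also useful on any broader policy an administrator proposes instead, since a managed policy or a hand-written one with `"Resource": "*"` is flagged immediately.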

  1. Log in to the AWS Management Console as an administrator.
  2. Click Services.
  3. From the list, select IAM.
  4. Click Users > Add user.
  5. Create an Amazon AWS IAM user and then apply the AmazonS3ReadOnlyAccess policy.

Configuring Security Credentials for your AWS User Account

You must have your AWS user account access key and the secret access key values before you can configure a log source in JSA.

  1. Log in to your IAM console.
  2. Select Users from the left navigation pane and then select your user name from the list.
  3. To create the access keys, click the Security Credentials tab, and in the Access Keys section, click Create access key.
  4. Download the CSV file that contains the keys or copy and save the keys.
    Tip:

    Save the Access key ID and Secret access key. You need them when you configure a log source in JSA.

    You can view the Secret access key only when it is created.

Creating a Log Group in Amazon CloudWatch Logs to Retrieve Logs in JSA

You must create a log group in Amazon CloudWatch Logs to make the log available for JSA polling.
  1. Log in to your CloudWatch console.
  2. Select Logs from the left navigation pane.
  3. Click Actions > Create Log Group.
  4. Type the name of your log group. For example, CloudTrailAuditLogs.
  5. Click Create log group.

    For more information about working with log groups and log streams, see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html

Amazon Web Services Log Source Parameters for Amazon AWS Route 53

If you want to collect AWS Route 53 logs from Amazon CloudWatch logs, add a log source on the JSA Console by using the Amazon Web Services protocol.

When you use the Amazon Web Services protocol, there are specific parameters that you must configure.

The following table describes the parameters that require specific values to collect Amazon Web Services events from Amazon AWS Route 53:

Table 1: Amazon Web Services log source parameters for the Amazon AWS Route 53 DSM

Parameter

Value

Log Source type

Amazon AWS Route 53

Protocol Configuration

Amazon Web Services

Authentication Method

Access Key ID/Secret Key

Standard authentication that can be used from anywhere.

EC2 Instance IAM Role

If your JSA managed host is running in an AWS EC2 instance, choosing this option uses the IAM role from the metadata that is assigned to the instance for authentication. No keys are required. This method works only for managed hosts that are running within an AWS EC2 container.

Access Key

The Access Key ID that was generated when you configured the security credentials for your AWS user account.

If you selected Access Key ID / Secret Key or Assume IAM Role, the Access Key parameter is displayed.

Secret Key

The Secret Key that was generated when you configured the security credentials for your AWS user account.

If you selected Access Key ID / Secret Key or Assume IAM Role, the Secret Key parameter is displayed.

Assume an IAM Role

To enable this option, first authenticate with an Access Key or an EC2 instance IAM Role. JSA then temporarily assumes the specified IAM Role for access.

Assume Role ARN

The full ARN of the role to assume. It must begin with "arn:" and can't contain any leading or trailing spaces, or spaces within the ARN.

If you enabled Assume an IAM Role, the Assume Role ARN parameter is displayed.

Assume Role Session Name

The session name of the role to assume. The default is QRadarAWSSession. Leave the default if you don't need to change it. This parameter can contain only uppercase and lowercase alphanumeric characters, underscores, or any of the following characters: =,.@-

If you enabled Assume an IAM Role, the Assume Role Session Name parameter is displayed.

Regions

Toggle each region that is associated with the Amazon Web Service that you want to collect logs from.

AWS Service

From the AWS Service list, select CloudWatch Logs.

Log Group

The name of the log group in Amazon CloudWatch that you want to collect logs from.

Note:

A single log source collects CloudWatch Logs from one log group at a time. If you want to collect logs from multiple log groups, create a separate log source for each log group.

Enable CloudWatch Advanced Options

Enable the following optional advanced configuration values; otherwise the default values are used.

Log Stream

(Optional) The name of the log stream within a log group. If you want to collect logs from all log streams within a log group, leave this field blank.

Filter Pattern

(Optional) Type a pattern for filtering the collected events. This pattern is not a regex filter. Only the events that contain the exact value that you specified are collected from CloudWatch Logs. If you type ACCEPT as the Filter Pattern value, only the events that contain the word ACCEPT are collected, as shown in the following example.

{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

Event Delay

Delay in seconds for collecting data.

Other Region(s)

Deprecated. Use Regions instead.

Extract Original Event

Forwards only the original event that was added to the CloudWatch Logs.

CloudWatch logs wrap the events that they receive with extra metadata. Select this option if you want to collect only the original event that was sent to AWS without the additional stream metadata through CloudWatch Logs.

The original event is the value of the Message key, which is extracted from the CloudWatch Logs event. In the following CloudWatch Logs event example, the original event is everything between Message: and ,IngestionTime:

{LogStreamName: 123456786_CloudTrail_useast-2,Timestamp: 1505744407363, Message: {"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AAAABBBCCCDDDBBBCCC","arn":"arn:aws:iam::1234567890:user/<username>","accountId":"1234567890","accessKeyId":"AAAABBBBCCCCDDDD","userName":"User-Name","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2017-09-18T13:22:10Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2017-09-18T14:10:15Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","awsRegion":"useast-1","sourceIPAddress":"192.0.2.1","userAgent":"signin.amazonaws.com","requestParameters":{"includeShadowTrails":false,"trailNameList":[]},"responseElements":null,"requestID":"11b1a00-7a7a-11a1-1a11-44a4aaa1a","eventID":"a4914e00-1111-491d-bbbba0dd3845b302","eventType":"AwsApiCall","recipientAccountId":"1234567890"},IngestionTime: 1505744407506,EventId: 335792223611111122479126672222222513333}

Use As A Gateway Log Source

If you do not want to define a custom log source identifier for events, clear the checkbox.

If you don't select Use As A Gateway Log Source and you don't configure the Log Source Identifier Pattern, JSA receives events as unknown generic log sources.

Log Source Identifier Pattern

If you selected Use As A Gateway Log Source, you can define a custom log source identifier. This option can be defined for events that are being processed and for log sources to be automatically discovered when applicable. If you don't configure the Log Source Identifier Pattern, JSA receives events as unknown generic log sources.

Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.

Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier is displayed.

The following example shows how multiple key-value pairs are evaluated against an event.

Patterns

VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)

Events

{LogStreamName:LogStreamTest,Timestamp: 0,Message:ACCEPT OK,IngestionTime: 0,EventId:0}

Resulting custom log source identifier

VPC-ACCEPT-OK

Use Proxy

If JSA accesses the Amazon Web Service by using a proxy, select this option.

If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not require authentication, configure the Proxy IP or Hostname field.

EPS Throttle

The upper limit for the number of events per second (EPS) that JSA accepts from this log source. The default is 5000.

If the Use As A Gateway Log Source option is selected, this value is optional.

If the EPS Throttle parameter value is left blank, no EPS limit is imposed by JSA.
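The Extract Original Event, Filter Pattern and Log Source Identifier Pattern rows above each describe a transformation of the wrapped CloudWatch Logs event. The following added example (not JSA's own code) reproduces those three behaviours in Python so that they can be checked offline against a sample before a log source is saved: it splits the wrapper into its five fields and returns the Message value, applies the Filter Pattern as a literal substring test rather than a regex, and evaluates the page's three key=regex identifier patterns in order, substituting capture groups into the key. The sample payloads are constructed from the page's examples; the JSON-bodied one reuses values from the CloudTrail example above and is not a captured record. Note that the page's regex `\s(ACCEPT)\s(OK)` requires a whitespace character before ACCEPT, so the sample uses the `Message: ACCEPT OK` spacing from the Filter Pattern example; the `Message:ACCEPT OK` form shown in the Events row would not match that regex.

```python
import json
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Constructed sample payloads in the wrapped form that the Amazon Web Services
# protocol receives from CloudWatch Logs (same shape as the page's examples).
SAMPLE_ACCEPT = "{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}"
SAMPLE_REJECT_OK = "{LogStreamName: LogStreamTest,Timestamp: 0,Message: REJECT OK,IngestionTime: 0,EventId: 1}"
SAMPLE_REJECT_FAIL = "{LogStreamName: LogStreamTest,Timestamp: 0,Message: REJECT FAILURE,IngestionTime: 0,EventId: 2}"
# Constructed JSON-bodied payload built from values in the page's CloudTrail
# example; it is illustrative, not a captured record.
SAMPLE_JSON = (
    "{LogStreamName: 123456786_CloudTrail_useast-2,Timestamp: 1505744407363, Message: "
    '{"eventName":"DescribeTrails","awsRegion":"useast-1","sourceIPAddress":"192.0.2.1"},'
    "IngestionTime: 1505744407506,EventId: 335792223611111122479126672222222513333}"
)

# The three Log Source Identifier patterns from the page, one key=regex per line.
PAGE_PATTERNS = r"""
VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)
"""

# The wrapper is not JSON: it is a fixed sequence of five fields. Message is
# matched greedily so commas and braces inside the original event survive.
WRAPPER_RE = re.compile(
    r"^\{LogStreamName:\s*(?P<LogStreamName>.*?),\s*Timestamp:\s*(?P<Timestamp>\d+),\s*"
    r"Message:\s*(?P<Message>.*),\s*IngestionTime:\s*(?P<IngestionTime>\d+),\s*"
    r"EventId:\s*(?P<EventId>\d+)\}$",
    re.DOTALL,
)


def parse_wrapped_event(payload: str) -> Dict[str, str]:
    """Split a CloudWatch Logs wrapper into its five fields."""
    m = WRAPPER_RE.match(payload)
    if m is None:
        raise ValueError("payload is not in the CloudWatch Logs wrapper format")
    return m.groupdict()


def extract_original_event(payload: str) -> str:
    """What 'Extract Original Event' forwards: only the Message value."""
    return parse_wrapped_event(payload)["Message"]


def extract_original_event_json(payload: str) -> dict:
    """Convenience for JSON-bodied messages such as CloudTrail or Resolver records."""
    return json.loads(extract_original_event(payload))


def passes_filter_pattern(payload: str, filter_pattern: Optional[str]) -> bool:
    """Filter Pattern is a literal substring test, not a regex."""
    if not filter_pattern:
        return True  # a blank filter collects every event
    return filter_pattern in payload


def parse_identifier_patterns(text: str) -> List[Tuple[str, Pattern[str]]]:
    """Parse Log Source Identifier Pattern lines into (format string, regex) pairs.

    Only the first '=' separates key from regex, so '=' may appear in the regex.
    Order is preserved because patterns are evaluated top to bottom.
    """
    pairs: List[Tuple[str, Pattern[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fmt, sep, regex = line.partition("=")
        if not sep:
            raise ValueError(f"pattern line has no '=': {line!r}")
        pairs.append((fmt, re.compile(regex)))
    return pairs


def resolve_log_source_identifier(payload: str, pairs: List[Tuple[str, Pattern[str]]]) -> Optional[str]:
    """Return the identifier from the first matching pattern, or None.

    $1, $2, ... in the format string are replaced by the regex capture groups.
    None mirrors the page: with no match, the event lands in an unknown
    generic log source.
    """
    for fmt, regex in pairs:
        m = regex.search(payload)
        if m is None:
            continue

        def group_ref(ref):
            idx = int(ref.group(1))
            return (m.group(idx) or "") if idx <= regex.groups else ""

        return re.sub(r"\$(\d+)", group_ref, fmt)
    return None


if __name__ == "__main__":
    pairs = parse_identifier_patterns(PAGE_PATTERNS)
    for sample in (SAMPLE_ACCEPT, SAMPLE_REJECT_OK, SAMPLE_REJECT_FAIL, SAMPLE_JSON):
        print(passes_filter_pattern(sample, "ACCEPT"), resolve_log_source_identifier(sample, pairs),
              extract_original_event(sample))
```

Running the script shows the ACCEPT payload resolving to VPC-ACCEPT-OK as the page states, the REJECT OK payload resolving to REJECT via the `$1` key, and the JSON-bodied payload resolving to None because no pattern matches it, which is the case where JSA would file the event under an unknown generic log source.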

For more information about the Amazon Web Services protocol, see Amazon Web Services Protocol Configuration Options.