
AWS CloudTrail

Overview

AWS CloudTrail provides an audit trail for your AWS account. Datadog reads this audit trail and creates events that you can search for in your event stream and use for correlation on your dashboards. Here is an example of a CloudTrail event:

[screenshot: cloudtrail event]

For information about the rest of the AWS services, see the AWS tile.

Setup

Installation

If you haven’t already, set up the Amazon Web Services integration first.

Metric collection

  1. Add these permissions to your Datadog IAM policy to collect Amazon CloudTrail metrics:

    • cloudtrail:DescribeTrails: Used to list trails and find which S3 bucket each trail writes its log files to
    • cloudtrail:GetTrailStatus: Used to skip inactive trails

    For more information on CloudTrail policies, review the documentation on the AWS website. CloudTrail also requires some S3 permissions to access the trails. These are required on the CloudTrail bucket only:

    • s3:ListBucket: List objects in the CloudTrail bucket to find the available trail log files
    • s3:GetBucketLocation: Get the bucket's region so the log files can be downloaded
    • s3:GetObject: Fetch the trail log files


    You should put this policy section alongside your main Datadog AWS policy, and it should be set up like this:

    {
      "Sid": "AWSDatadogPermissionsForCloudtrail",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<ARN_CREATED_WHEN_SETTING_UP_THE_AWS_INTEGRATION>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<YOUR_S3_CLOUDTRAIL_BUCKET_NAME>",
        "arn:aws:s3:::<YOUR_S3_CLOUDTRAIL_BUCKET_NAME>/*"
      ]
    }

    Note: The principal ARN has to be the one created at step 3 when configuring the AWS integration.

  2. Install the Datadog - AWS CloudTrail integration: the accounts you configured in the Amazon Web Services tile are shown here, and you can choose which kinds of events Datadog collects. If you would like to see other events that are not listed here, please reach out to our support team.
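The statement above is a bucket policy that grants one principal read access to one bucket. The following added example (not Datadog's code) builds that statement from a bucket name and principal ARN and then checks an existing statement for the common ways it drifts from least privilege: a wildcard principal, `s3:*`-style actions, or resources outside the CloudTrail bucket. The role ARN and bucket name are constructed placeholders.

```python
"""Build and lint the S3 bucket-policy statement that lets the Datadog
integration role read a CloudTrail bucket.  Added example; the role ARN and
bucket name below are placeholders, not values from any real account."""
import json

# Exactly the S3 actions the integration needs on the CloudTrail bucket.
REQUIRED_S3_ACTIONS = frozenset({"s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"})

# Constructed placeholders (assumptions, not real identifiers).
EXAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/DatadogIntegrationRole"
EXAMPLE_BUCKET = "my-cloudtrail-bucket"


def build_cloudtrail_bucket_statement(principal_arn: str, bucket: str) -> dict:
    """Return the least-privilege statement: one principal, three actions, one bucket."""
    return {
        "Sid": "AWSDatadogPermissionsForCloudtrail",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": sorted(REQUIRED_S3_ACTIONS),
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_cloudtrail_bucket_statement(stmt: dict, expected_principal: str, bucket: str) -> list:
    """Return a list of findings; an empty list means the statement is scoped as intended."""
    findings = []
    if stmt.get("Effect") != "Allow":
        findings.append("Effect must be Allow")

    principal = stmt.get("Principal")
    principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    if "*" in principals:
        findings.append("Principal is a wildcard: the bucket would be readable by any AWS principal")
    elif principals != [expected_principal]:
        findings.append(f"Principal {principals} is not the integration role {expected_principal}")

    actions = set(_as_list(stmt.get("Action", [])))
    wild = sorted(a for a in actions if "*" in a)
    if wild:
        findings.append(f"wildcard action(s) {wild}; grant only {sorted(REQUIRED_S3_ACTIONS)}")
    else:
        extra = sorted(actions - REQUIRED_S3_ACTIONS)
        missing = sorted(REQUIRED_S3_ACTIONS - actions)
        if extra:
            findings.append(f"actions beyond what the integration needs: {extra}")
        if missing:
            findings.append(f"actions the integration needs but is not granted: {missing}")

    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for res in _as_list(stmt.get("Resource", [])):
        if res not in allowed:
            findings.append(f"resource {res} is outside the CloudTrail bucket")
    return findings


if __name__ == "__main__":
    good = build_cloudtrail_bucket_statement(EXAMPLE_ROLE_ARN, EXAMPLE_BUCKET)
    print(json.dumps(good, indent=2))
    print("findings:", check_cloudtrail_bucket_statement(good, EXAMPLE_ROLE_ARN, EXAMPLE_BUCKET))
    # A constructed over-broad variant: anyone may read any bucket with any S3 action.
    loose = dict(good, Principal={"AWS": "*"}, Action=["s3:*"], Resource=["arn:aws:s3:::*"])
    print("findings:", check_cloudtrail_bucket_statement(loose, EXAMPLE_ROLE_ARN, EXAMPLE_BUCKET))
```

The check is deliberately strict: it only accepts the exact integration principal, the three listed actions, and the two resource ARNs for the named bucket, which is what "required on the CloudTrail bucket only" means in practice.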

Log collection

Enable CloudTrail logging

When you define your trails, select an S3 bucket to write the logs to:


Send Logs to Datadog

  1. If you haven’t already, set up the Datadog log collection AWS Lambda function.
  2. Once the Lambda function is installed, manually add a trigger on the S3 bucket that contains your CloudTrail logs. In the AWS console, open your Lambda and click on S3 in the trigger list.
    Configure the trigger by choosing the S3 bucket that contains your CloudTrail logs, change the event type to Object Created (All), then click on the Add button.

Once done, go to your Datadog Log section to start exploring your logs!
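CloudTrail delivers each log file to the bucket as a gzip-compressed JSON object whose top-level `Records` array holds the individual API events, so a forwarding function triggered by Object Created has to decompress, parse and flatten those records. The added example below (not the Datadog Lambda's own code) does that for a constructed sample file and also skips the digest files CloudTrail writes under the `CloudTrail-Digest/` prefix when log file validation is enabled, since an Object Created (All) trigger fires for those too and they contain no `Records`. The account id, ARNs and IP addresses in the sample are constructed.

```python
"""Parse CloudTrail log objects the way an S3-triggered forwarding function
would.  Added example; the records, key names and identifiers are constructed."""
import gzip
import json
from typing import Iterator

# Constructed sample of what one CloudTrail log file contains after decompression.
CONSTRUCTED_LOG_FILE = {
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2024-01-01T00:00:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {
                "type": "AssumedRole",
                "arn": "arn:aws:sts::123456789012:assumed-role/DatadogIntegrationRole/datadog",
            },
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2024-01-01T00:00:05Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
            "errorCode": "AccessDenied",
            "errorMessage": "User is not authorized to perform cloudtrail:StopLogging",
        },
    ]
}

# Constructed object keys in the CloudTrail delivery layout.
LOG_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/"
           "123456789012_CloudTrail_us-east-1_20240101T0000Z_example.json.gz")
DIGEST_KEY = ("AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/01/01/"
              "123456789012_CloudTrail-Digest_us-east-1_20240101T0000Z.json.gz")


def gzip_log_object(payload: dict) -> bytes:
    """Compress a Records document the way it sits in S3 (used here to build sample input)."""
    return gzip.compress(json.dumps(payload).encode())


def is_cloudtrail_log_key(key: str) -> bool:
    """True for trail log files; digest files live under CloudTrail-Digest/ and carry no Records."""
    return "/CloudTrail/" in key and key.endswith(".json.gz")


def iter_records(body: bytes) -> Iterator[dict]:
    """Decompress one log object and yield a flat dict per API event."""
    doc = json.loads(gzip.decompress(body))
    for rec in doc.get("Records", []):
        ident = rec.get("userIdentity", {})
        yield {
            "timestamp": rec.get("eventTime"),
            "service": rec.get("eventSource"),
            "action": rec.get("eventName"),
            "region": rec.get("awsRegion"),
            "source_ip": rec.get("sourceIPAddress"),
            "actor": ident.get("arn") or ident.get("type"),
            "error": rec.get("errorCode"),
        }


def flatten_for_forwarding(key: str, body: bytes) -> list:
    """What the trigger handler would forward for one Object Created notification."""
    if not is_cloudtrail_log_key(key):
        return []
    return list(iter_records(body))


def failed_actions(records: list) -> list:
    """Records that carry an errorCode, e.g. denied attempts to change logging itself."""
    return [r for r in records if r["error"]]


if __name__ == "__main__":
    body = gzip_log_object(CONSTRUCTED_LOG_FILE)
    for rec in flatten_for_forwarding(LOG_KEY, body):
        print(json.dumps(rec))
    print("digest object yields", len(flatten_for_forwarding(DIGEST_KEY, body)), "records")
```

Flattening `userIdentity.arn` and `errorCode` into top-level fields is what makes the forwarded logs useful on the Datadog side: a search for denied `cloudtrail:*` calls by a human user is one line once the fields are there.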

Data Collected

Metrics

The AWS CloudTrail integration does not include any metrics at this time.

Events

The AWS CloudTrail integration does not include any events at this time.

Service Checks

The AWS CloudTrail integration does not include any service checks at this time.

Troubleshooting

I don’t see a CloudTrail tile or there are no accounts listed

You need to configure the Amazon Web Services tile first. Once you complete this, the CloudTrail tile becomes available and configurable.