To configure Log Manager for AWS S3, you must perform the tasks outlined in this document.
Before you set up S3 collection, you must log into the AWS console and create an IAM policy and role to provide Alert Logic with cross-account access to your AWS account.
Policy creation requires a policy document. Download and open this policy document, and then replace <S3BUCKET_NAME> with the name of the S3 bucket.
To create a cross-account access role:
- In the AWS Console, click IAM, located under Security, Identity & Compliance.
- From the IAM Management Console, click Policies, and then click Create Policy.
- Click the JSON tab.
- Copy and paste the contents of your policy document into the JSON window.
- Click Review policy.
- On the Review Policy page, type a Policy Name and Description for the policy.
- Click Create policy.
- From the IAM Management Console, click Roles, and then click Create role.
- On the Create role page, click Another AWS account.
- Enter the following information for Alert Logic:
- Account ID—Type 239734009475
- Select Require external ID.
- External ID—Use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings () > Support Information.
- Require MFA—make sure the option is not selected.
- Click Next: Permissions.
- Select the policy you created above, and then click Next: Review.
- Type a Role Name and Role description, and then click Create Role.
- In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Alert Logic console.
To create a S3 collection policy:
- Access the Log Management Policies page and click the S3 tab.
- Click the Add icon ().
- In the Name field, enter a name for the new S3 policy.
- In Policy Template, select Customized.
- In Multiline Handling, select a multiline handling option:
- If all of your flat file log messages contain a single line, select File contains single line log messages.
- If all of your flat file log messages don't contain a single line, select File contains log messages with multiple lines. Also, select and enter a configuration:
- If the lengths of your log messages are consistent, select Each log message spans a fixed number of lines and then type the number of lines in Number of lines,.
- If the lengths of your log messages are not consistent, select Each log message follows a known pattern, select the appropriate Pattern application, type the Pattern that takes place in the log message, and then select Regular expression to use a Perl Compatible Regular Expression (PCRE).
Select a Timestamp Rule option:
- To use the timestamp from the collector, select Set message time as collect time.
- To use an existing timestamp, select Parse times from messages using a pre-defined timestamp format, and then select a format from Format a date string.
- To use a custom timestamp, select Parse times from messages using a custom timestamp format, and then enter a format for the date string in the expanded configuration area. In the Check Format field, type a format for the date string, and follow the on screen instructions.
- Click Save.
To create an AWS S3 collection source:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the Manual Deployments tile.
- In the left navigation area, click Hosts and Sources.
- Click the Sources tab.
- Click the Add icon ().
- From Source Log Type, select S3.
- In Source Name, type a descriptive name.
- Keep the Enable Collection switch set to Enabled (to the right).
- In Bucket, type the bucket name, followed by the directory name. This bucket name must use a DNS-compliant name. For more information, visit the AWS documentation site.
- In File Name or Pattern, type the file name or date pattern of the file log.
- In Collection Policy:
- To use an existing policy, select Use an existing Policy, and then select a policy.
- To create a new policy, select Create New Policy and select the settings you want. For more information, see Create a S3 collection policy.
- In Collection Alerts, click the field and select one or more alert options.
- From Time Zone, select a time zone.
- Select or create a new IAM Role.
- To use an existing IAM Role, select Use an existing IAM Role. Next, in Existing IAM Role, select the IAM Role to use.
- To create a new IAM Role, select Create a new IAM Role, and then complete the missing fields:
- In Credential Name, enter a descriptive name.
- In Role ID, enter the Role ARN you previously copied.
- In External ID, enter the external ID you previously used.
- In Collection Internal, type a value, in minutes, to indicate how often Log Manager retrieves S3 logs.
- In the Tags field, type an easily filtered tag.
- Click Save.