Amazon Security Lake is a security data lake for aggregating and managing security logs and event data.
This integration ingests security logs stored in Amazon Security Lake into Graylog. See the Amazon Security Lake user guide for more details on the application.
To use the AWS Security Lake Input, users must have a valid AWS account with Amazon Security Lake enabled and an Amazon Security Lake subscriber with appropriate IAM role access. See the Amazon Security Lake documentation for more information. Your Graylog installation then polls your AWS Security Lake data at the configured interval and ingests new logs into Graylog.
Security Lake Setup
Create the AmazonSecurityLakeMetaStoreManager role in AWS Identity and Access Management (IAM).
Create a Subscriber in the Amazon Security Lake console.
In Logs and events sources, you can select which data sources you want to enable for the subscriber. Below are the two options:
All logs and event sources: Gives access to all of the event and log sources.
Specific log and event sources: Gives access to only the specific sources you select from the available sources.
Graylog Input Configuration
A unique name for your new input.
AWS Access Key Id
The Access Key ID for the IAM user with permission to the subscriber and the SQS queue.
AWS Secret Access Key
The unique identifier created for the IAM user.
Security Lake Region
The Security Lake region where the subscriber is created.
SQS Queue Name
The SQS queue name created by the Security Lake subscriber.
Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.
Store Full Message
Permits Graylog to store the raw log data in the full_message field for each log message. Warning: Selecting this option can result in a significant increase in the amount of data stored.
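The input authenticates with the Access Key ID and Secret Access Key of an IAM user that must be able to read the subscriber's SQS queue and fetch the objects from the Security Lake bucket. The policy below is an added example written for this page, not a policy shipped or documented by Graylog or AWS; the queue ARN, bucket ARN and region are placeholders you replace with the values from your own subscriber, and the action set is an assumed least-privilege baseline rather than a vendor-confirmed list.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecurityLakeSubscriberQueue",
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueUrl",
        "sqs:GetQueueAttributes",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:REGION-PLACEHOLDER:ACCOUNT-ID-PLACEHOLDER:QUEUE-NAME-PLACEHOLDER"
    },
    {
      "Sid": "ListSecurityLakeBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::SECURITY-LAKE-BUCKET-PLACEHOLDER"
    },
    {
      "Sid": "ReadSecurityLakeObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::SECURITY-LAKE-BUCKET-PLACEHOLDER/*"
    }
  ]
}
```

Scoping both statements to the single queue and bucket created for this subscriber, rather than to "*", keeps a leaked Graylog access key from reading any other queue or bucket in the account. If the Security Lake bucket is encrypted with a customer-managed KMS key, the same user also needs kms:Decrypt on that key; add it only for that key's ARN. Rotate the access key on a schedule and restrict it to this input's use.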
Supported Logs and Event Sources
This input currently supports some top-level field parsing of the four event sources below. All other data can be manually parsed from the
User activity and API usage in AWS services.
VPC flow logs
Details about IP traffic to and from network interfaces in your VPC.
DNS queries made by resources within your Amazon Virtual Private Cloud (Amazon VPC).
Security Hub findings
Security findings aggregated by AWS Security Hub.