AWS Security Lake Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Amazon Security Lake is a security data lake for aggregating and managing security logs and event data. This input ingests security logs stored in Amazon Security Lake into Graylog.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must have a valid AWS account with Amazon Security Lake enabled.

Supported Log Types

This input supports collecting the following log types:

Hint: This input currently parses only some top-level fields of the four event sources below. All other data can be parsed manually from the raw record in the full_message field, so enable the Store Full Message option if you need those fields.

CloudTrail

  • User activity and API usage in AWS services.

VPC flow logs

  • Details about IP traffic to and from network interfaces in your VPC.

Route 53

  • DNS queries made by resources within your Amazon Virtual Private Cloud (Amazon VPC).

Security Hub findings

  • Security findings aggregated by AWS Security Hub.
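As an added example (not code from Graylog or from the Security Lake input), the following Python shows how a raw Security Lake record carried in full_message can be parsed manually: the OCSF fields shared by every event class are read directly, the class_uid is mapped to one of the four sources above, and the nested remainder is flattened to dotted keys suitable for use as message fields. The sample record and the class_uid mapping are constructed assumptions; Security Lake stores OCSF data, but the schema version and field names present in your lake should be checked against your own data.

```python
"""Manual parsing of a Security Lake (OCSF) record from Graylog's full_message field.

Added illustration: the sample record and class_uid mapping below are constructed
assumptions, not output copied from Security Lake or from the Graylog input.
"""
import json
from typing import Any, Dict, Optional

# Assumption: OCSF event classes Security Lake uses for the four supported sources.
CLASS_UID_TO_SOURCE = {
    3002: "CloudTrail (Authentication)",
    3005: "CloudTrail (API Activity)",
    4001: "VPC flow logs (Network Activity)",
    4003: "Route 53 (DNS Activity)",
    2001: "Security Hub findings (Security Finding)",
}

# Constructed sample: one VPC flow record as it might appear in full_message.
SAMPLE_VPC_FLOW = json.dumps({
    "class_uid": 4001, "category_uid": 4, "activity_id": 6, "severity_id": 1,
    "time": 1700000000000,
    "metadata": {"version": "1.1.0", "product": {"name": "Amazon VPC", "vendor_name": "AWS"}},
    "cloud": {"provider": "AWS", "region": "us-east-1", "account": {"uid": "111122223333"}},
    "src_endpoint": {"ip": "10.0.1.5", "port": 49152, "interface_uid": "eni-0123456789abcdef0"},
    "dst_endpoint": {"ip": "203.0.113.10", "port": 443},
    "connection_info": {"protocol_num": 6, "direction_id": 2},
    "traffic": {"bytes": 5120, "packets": 12},
    "disposition_id": 1,
})


def _get_path(obj: Any, *path: str) -> Optional[Any]:
    """Walk nested dicts; return None if any key along the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract_top_level(full_message: str) -> Dict[str, Any]:
    """Read the OCSF fields shared by every class, whatever the event source."""
    record = json.loads(full_message)
    class_uid = record.get("class_uid")
    # Early Security Lake data (OCSF 1.0.0-rc2) carried cloud.account_uid;
    # current OCSF 1.x nests it as cloud.account.uid. Accept both.
    account_uid = _get_path(record, "cloud", "account", "uid")
    if account_uid is None:
        account_uid = _get_path(record, "cloud", "account_uid")
    return {
        "class_uid": class_uid,
        "source": CLASS_UID_TO_SOURCE.get(class_uid, "unknown"),
        "category_uid": record.get("category_uid"),
        "activity_id": record.get("activity_id"),
        "severity_id": record.get("severity_id"),
        "time": record.get("time"),
        "cloud_region": _get_path(record, "cloud", "region"),
        "cloud_account_uid": account_uid,
        "product": _get_path(record, "metadata", "product", "name"),
    }


def flatten_full_message(full_message: str, sep: str = ".") -> Dict[str, Any]:
    """Flatten the nested record to dotted keys (src_endpoint.ip, traffic.bytes, ...)."""
    flat: Dict[str, Any] = {}

    def walk(value: Any, prefix: str) -> None:
        if isinstance(value, dict):
            for k, v in value.items():
                walk(v, f"{prefix}{sep}{k}" if prefix else k)
        elif isinstance(value, list):
            for i, v in enumerate(value):
                walk(v, f"{prefix}{sep}{i}")
        else:
            flat[prefix] = value

    walk(json.loads(full_message), "")
    return flat


if __name__ == "__main__":
    print(json.dumps(extract_top_level(SAMPLE_VPC_FLOW), indent=2))
    for key, value in sorted(flatten_full_message(SAMPLE_VPC_FLOW).items()):
        print(f"{key} = {value}")
```

The account field fallback is the kind of detail that matters when a lake has been collecting for a long time: records written under different OCSF versions can sit side by side in the same source, so parsing logic that assumes one layout silently drops the account on the other.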

Required Third-Party Setup

To enable the integration, complete the following setup in your AWS environment:

Before configuring the Graylog Amazon Security Lake input, you must create a Security Lake subscriber in your AWS environment. AWS recommends creating subscribers through the Amazon Security Lake console. This process automatically provisions the required Identity and Access Management (IAM) roles and permissions for subscriber data access.

For detailed instructions on creating a subscriber and configuring subscriber data access, see the AWS documentation.

Required Configuration Values

From your AWS configuration, make note of the following values, which are required when configuring the input in Graylog:

  • AWS Security Lake Region

  • SQS Queue Name

See the Amazon Security Lake user guide for more details on the application.

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Input Name

Provide a unique name for your new input.

AWS Authentication Type

Select whether Graylog should look up credentials automatically through the AWS default credential provider chain (environment variables, the shared credentials file, or an instance or container role) or use an AWS access key and secret key that you provide.

AWS assume role (ARN)

The ARN of the IAM role that Graylog assumes to access the SQS queue and the S3 bucket. The role's trust policy must allow the principal Graylog authenticates as to call sts:AssumeRole. AWS recommends IAM roles with temporary credentials rather than long-term static access keys, so this option is preferred; it also supports cross-account access when Security Lake runs in a different account from Graylog.

AWS access key (optional)

The access key ID of an IAM user. Use this field only if role-based authentication is not feasible; AWS recommends IAM roles with temporary credentials over long-term access keys.

AWS secret key (optional)

The secret access key paired with the access key ID above. Use this field only if role-based authentication is not feasible.

Security Lake Region

The AWS region in which the Security Lake subscriber was created.

SQS Queue Name

The name of the SQS queue that was created for the Security Lake subscriber.

Store Full Message

Permits Graylog to store the raw log data in the full_message field of each message. Enable this if you need fields beyond the top-level ones the input parses, since those must be extracted from full_message.
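As an added example (not code from Graylog or AWS), the Python below builds the trust and permissions policies the assumed role described above needs at minimum, scoped to the subscriber queue and the lake bucket, and audits a policy for the wildcards and write grants that make a read-only log consumer dangerously broad. When the subscriber is created through the Security Lake console, AWS provisions the role for you; the code is for reviewing that role, or for writing one yourself in a cross-account setup. Every account ID, ARN, queue name, bucket name and external ID in it is a constructed placeholder, and the exact set of actions is an assumption about what a consumer needs, not a statement from the Graylog documentation.

```python
"""Least-privilege IAM policies for the role Graylog assumes to read a Security Lake subscriber.

Added illustration. All identifiers below are constructed placeholders, not values
from a real account, and the policy shapes are assumptions about what the consumer
needs rather than text from the Graylog page.
"""
import json
from typing import Any, Dict, List, Optional

LAKE_ACCOUNT = "111122223333"                          # account that owns Security Lake
LAKE_REGION = "us-east-1"                              # the input's "Security Lake Region"
QUEUE_NAME = "AmazonSecurityLake-example-Main-Queue"   # the input's "SQS Queue Name"
LAKE_BUCKET = "aws-security-data-lake-us-east-1-example"
GRAYLOG_PRINCIPAL = "arn:aws:iam::444455556666:role/graylog-node"  # identity the Graylog node runs as
EXTERNAL_ID = "graylog-lake-7f3a"                      # shared value against confused-deputy abuse


def queue_arn(region: str, account_id: str, queue_name: str) -> str:
    """ARN of the subscriber queue, derived from the two values the input asks for."""
    return f"arn:aws:sqs:{region}:{account_id}:{queue_name}"


def trust_policy(graylog_principal_arn: str, external_id: str) -> Dict[str, Any]:
    """Only the Graylog principal may assume the role, and only when it presents the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": graylog_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(region: str, account_id: str, queue_name: str,
                       bucket: str, kms_key_arn: Optional[str] = None) -> Dict[str, Any]:
    """Read-only access: consume the queue, fetch lake objects, decrypt them if the lake uses a CMK."""
    statements: List[Dict[str, Any]] = [
        {"Sid": "ConsumeSubscriberQueue", "Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                    "sqs:GetQueueUrl", "sqs:GetQueueAttributes"],
         "Resource": queue_arn(region, account_id, queue_name)},
        {"Sid": "ReadLakeObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Sid": "ListLakeBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]
    if kms_key_arn:
        statements.append({"Sid": "DecryptLakeObjects", "Effect": "Allow",
                           "Action": ["kms:Decrypt"], "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def audit_permissions(policy: Dict[str, Any]) -> List[str]:
    """Flag grants wider than a read-only consumer needs."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource '*'; scope to the subscriber queue, bucket and key")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action.startswith(("s3:Put", "s3:Delete", "sqs:SendMessage", "sqs:PurgeQueue")):
                findings.append(f"{sid}: write action {action} on a source that should be read-only")
    return findings


def audit_trust(policy: Dict[str, Any]) -> List[str]:
    """Flag trust policies that let anyone assume the role or skip the ExternalId check."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("any AWS principal may assume the role")
        condition = stmt.get("Condition") or {}
        if not (condition.get("StringEquals") or {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition")
    return findings


OVERBROAD_POLICY = {  # the shape a hurried admin writes; audit_permissions flags it three times
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EverythingOnLake", "Effect": "Allow",
                   "Action": ["s3:*", "sqs:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(trust_policy(GRAYLOG_PRINCIPAL, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy(LAKE_REGION, LAKE_ACCOUNT, QUEUE_NAME, LAKE_BUCKET), indent=2))
    print("findings on the over-broad policy:", audit_permissions(OVERBROAD_POLICY))
```

The ExternalId condition is what makes the cross-account variant safe: without it, any other customer who learns the role ARN and can coax the Graylog node's principal into assuming it gets read access to the lake. Run the audit against the role the console provisioned as well; it is a quick way to confirm the subscriber did not end up with more than it needs.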

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: