AWS Security Lake Input

Amazon Security Lake is a security data lake for aggregating and managing security logs and event data.

This integration ingests security logs stored in Amazon Security Lake into Graylog. See the Amazon Security Lake user guide for more details on the application.

Prerequisites

To use the AWS Security Lake Input, you need a valid AWS account with Amazon Security Lake enabled and an Amazon Security Lake subscriber whose IAM role has the appropriate access. See the Amazon Security Lake documentation for more information. Graylog then polls the subscriber's SQS queue at the configured interval and ingests any new logs it finds.

Security Lake Setup

  1. Create the AmazonSecurityLakeMetaStoreManager role in AWS Identity and Access Management (IAM).

  2. Create a subscriber in the Amazon Security Lake console.

  3. In Logs and events sources, select which data sources you want to enable for the subscriber. Below are the two options:

  • All logs and event sources: Gives access to all of the event and log sources.

  • Specific log and event sources: Gives access to only the specific sources you select from the available sources.

Graylog Input Configuration

Input Name

  • A unique name for your new input.

AWS Access Key Id

  • The Access Key ID for the IAM user that has permission to the subscriber and the SQS queue. Use a dedicated IAM user for this input, grant it only the permissions the subscriber and queue require, and rotate the key on a schedule.

AWS Secret Access Key

  • The secret half of the access key pair for that IAM user. It is a credential, not an identifier: treat it like a password and never place it in shared configuration files or logs.

Security Lake Region

  • The Security Lake region where the subscriber is created.

SQS Queue Name

  • The SQS queue name created by the Security Lake subscriber.

Enable Throttling

  • Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

Store Full Message

  • Permits Graylog to store the raw log data in the full_message field for each log message.

    Warning: Selection can result in a significant increase in the amount of data stored.
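The fields above describe the moving parts: a subscriber, the SQS queue it creates, and an IAM user that may read from both. The following is an added example, not Graylog's or AWS's code, that shows what a poller of that queue has to do with each message before it fetches anything. It assumes, since the page does not say so, that the queue carries standard S3 event notifications (`Records[].s3.bucket.name` and `Records[].s3.object.key`, with URL-encoded keys, plus the `s3:TestEvent` message S3 sends when notifications are first configured) and that Security Lake object keys start with `aws/<SOURCE>/`, where `<SOURCE>` is an identifier such as `VPC_FLOW`. The sample message and bucket name are constructed for the example.

```python
"""Parse Security Lake subscriber queue messages the way a poller would.

Added example, not Graylog's own code. Assumptions not stated on the page:
- the subscriber's SQS queue carries standard S3 event notifications;
- S3 URL-encodes object keys inside those notifications;
- Security Lake object keys begin with "aws/<SOURCE>/", e.g. aws/VPC_FLOW/.
"""
import json
from urllib.parse import unquote_plus

# Source identifiers assumed from the Security Lake key layout (assumption),
# mapped to the names the input uses for its parsed sources.
KNOWN_SOURCES = {
    "CLOUD_TRAIL_MGMT": "CloudTrail",
    "VPC_FLOW": "VPC flow logs",
    "ROUTE53": "Route 53",
    "SH_FINDINGS": "Security Hub findings",
}


def parse_notification(body: str, allowed_buckets: set[str]) -> list[dict]:
    """Return the newly created objects named by one SQS message body.

    Three checks a poller should make before issuing a GetObject:
    - skip S3's "s3:TestEvent" message, which names no object;
    - refuse notifications for buckets outside the allow-list, so a message
      pushed into the queue by anyone with sqs:SendMessage cannot steer the
      input into reading an arbitrary bucket;
    - URL-decode the key, so "region%3Dus-east-1" becomes "region=us-east-1".
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return []
    objects = []
    for rec in msg.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue  # deletions and restores carry nothing to ingest
        bucket = rec["s3"]["bucket"]["name"]
        if bucket not in allowed_buckets:
            raise ValueError(f"notification for unexpected bucket {bucket!r}")
        key = unquote_plus(rec["s3"]["object"]["key"])
        parts = key.split("/")
        source_id = parts[1] if len(parts) > 2 and parts[0] == "aws" else None
        objects.append({
            "bucket": bucket,
            "key": key,
            # None means: not one of the four parsed sources, so the record
            # would have to be parsed by hand from full_message.
            "source": KNOWN_SOURCES.get(source_id),
            "size": rec["s3"]["object"].get("size", 0),
        })
    return objects


# Constructed sample: one ObjectCreated notification for a VPC flow log
# partition, shaped like an S3 event notification (bucket name is made up).
SAMPLE_BUCKET = "aws-security-data-lake-us-east-1-example"
SAMPLE_BODY = json.dumps({
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "us-east-1",
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": SAMPLE_BUCKET},
            "object": {
                "key": "aws/VPC_FLOW/1.0/region%3Dus-east-1/"
                       "accountId%3D111111111111/eventDay%3D20240101/"
                       "part-0000.gz.parquet",
                "size": 2048,
            },
        },
    }],
})

# The message S3 emits once when the queue is first wired to the bucket.
TEST_EVENT_BODY = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent"})

if __name__ == "__main__":
    for obj in parse_notification(SAMPLE_BODY, {SAMPLE_BUCKET}):
        print(obj["source"], obj["key"])
    print(parse_notification(TEST_EVENT_BODY, {SAMPLE_BUCKET}))
```

The bucket allow-list is the check most worth keeping: the queue name and region you enter in the input identify where notifications come from, but the IAM user's `sqs:ReceiveMessage` permission does not by itself prove who put a message there.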

Supported Logs and Event Sources

This input currently parses some top-level fields for the four event sources below. All other data can be parsed manually from the full_message field, which requires Store Full Message to be enabled on the input.

CloudTrail

  • User activity and API usage in AWS services.

VPC flow logs

  • Details about IP traffic to and from network interfaces in your VPC.

Route 53

  • DNS queries made by resources within your Amazon Virtual Private Cloud (Amazon VPC).

Security Hub findings

  • Security findings aggregated by AWS Security Hub.