AWS Security Lake Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Amazon Security Lake is a security data lake for aggregating and managing security logs and event data. This input ingests security logs stored in Amazon Security Lake into Graylog.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must have a valid AWS account with Amazon Security Lake enabled.

  • You must be an Amazon Security Lake subscriber with appropriate IAM role access.

Supported Log Types

This input supports collecting the following log types:

Hint: This input currently supports some top-level field parsing of the four event sources below. All other data can be manually parsed from the full_message field.

CloudTrail

  • User activity and API usage in AWS services.

VPC flow logs

  • Details about IP traffic to and from network interfaces in your VPC.

Route 53

  • DNS queries made by resources within your Amazon Virtual Private Cloud (Amazon VPC).

Security Hub findings

  • Security findings aggregated by AWS Security Hub.

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

  1. You must first set up an AWS account and an administrative user.

  2. Verify that the AmazonSecurityLakeMetaStoreManager role is present in AWS Identity and Access Management (IAM), or create the role if necessary.

  3. Assign the AmazonSecurityLakeMetaStoreManager role in AWS Identity and Access Management (IAM) to the user configured for the input.

  4. Create a Subscriber in the Amazon Security Lake Console.

  5. In Logs and events sources, select which data sources you want to enable for the subscriber:

    • All logs and event sources: Gives access to all of the event and log sources.

    • Specific log and event sources: Gives access to only the specific sources you select from the available sources.

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • AWS Access Key ID

  • AWS Secret Access Key

  • AWS Security Lake Region

  • SQS Queue Name

See the Amazon Security Lake user guide for more details on the application.

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration option and its description:

  • Input Name: Provide a unique name for your new input.

  • AWS Access Key ID: The Access Key ID for the IAM user with permission to the subscriber and the SQS queue.

  • AWS Secret Access Key: The unique identifier created for the IAM user.

  • AWS Security Lake Region: The Security Lake region where the subscriber is created.

  • SQS Queue Name: The SQS queue name created by the Security Lake subscriber.

  • Enable Throttling: Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

  • Store Full Message: Permits Graylog to store the raw log data in the full_message field for each log message.
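To illustrate what a pull input over the subscriber's SQS queue has to get right, the following added example (not Graylog's own code) shows one receive, handle, delete cycle with at-least-once semantics: a queue message is deleted only after every object it announces was handled, so a failed fetch leaves it for redelivery. It assumes the queue carries standard S3 event notifications; the bucket name, object key and FakeSQS stand-in are constructed so it runs offline.

```python
import json
from typing import Callable
from urllib.parse import unquote_plus

def parse_s3_notification(body: str) -> list[dict]:
    """Return the new objects announced by one S3 event notification.

    Assumption: the subscriber queue carries standard S3 event notifications.
    Records that are not ObjectCreated events are ignored.
    """
    objects = []
    for rec in json.loads(body).get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated"):
            continue
        s3 = rec["s3"]
        objects.append({
            "bucket": s3["bucket"]["name"],
            "key": unquote_plus(s3["object"]["key"]),  # keys are URL-encoded in notifications
            "size": s3["object"].get("size", 0),
        })
    return objects

def poll_once(sqs, queue_url: str, handle: Callable[[dict], None]) -> dict:
    """One receive/handle/delete cycle. Deleting only after success gives
    at-least-once delivery: a failed message stays queued and SQS redelivers
    it after the visibility timeout. Returns counters for diagnostics."""
    stats = {"received": 0, "handled": 0, "failed": 0}
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=20)
    for msg in resp.get("Messages", []):
        stats["received"] += 1
        try:
            for obj in parse_s3_notification(msg["Body"]):
                handle(obj)  # e.g. fetch the object from S3 and hand it to the parser
                stats["handled"] += 1
        except Exception:
            stats["failed"] += 1
            continue  # keep the message on the queue
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
    return stats

# Constructed sample notification (placeholder bucket and key, not real values).
SAMPLE_BODY = json.dumps({"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-security-lake-bucket"},
            "object": {"key": "aws/CLOUD_TRAIL_MGMT/example-part.parquet", "size": 4096}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "example-security-lake-bucket"},
            "object": {"key": "aws/VPC_FLOW/old-part.parquet"}}}]})

class FakeSQS:
    """Stand-in for a boto3 SQS client so the example runs without AWS (constructed)."""
    def __init__(self, bodies):
        self.queue = [{"Body": b, "ReceiptHandle": f"rh-{i}"} for i, b in enumerate(bodies)]
        self.deleted = []
    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, WaitTimeSeconds=0):
        return {"Messages": list(self.queue[:MaxNumberOfMessages])}
    def delete_message(self, QueueUrl, ReceiptHandle):
        self.queue = [m for m in self.queue if m["ReceiptHandle"] != ReceiptHandle]
        self.deleted.append(ReceiptHandle)
```

With a real boto3 client in place of FakeSQS, the same poll_once call runs against the queue named in the input configuration; a growing backlog on that queue is what the Enable Throttling option lets the input fall behind on safely.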

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: