Documentation Center
AlienVault® USM Anywhere™

Creating a New AWS S3 Access Collection Job

  Role Availability   Read-Only   Analyst   Manager

Before you can create a new AWS S3 Access collection job, you must have previously enabled S3 Access Logging in your AWS environment. For more information about these logs, see S3 Access Logs.

Note: In AWS, you must enable S3 Access Logging in every S3 bucket that you want to monitor.

To create a new S3 Access Collection Job

  1. Go to SETTINGS > SCHEDULER.
  2. In the left navigation list, click Log Collection.

    Note: You can use the Sensor filter at the top of the list to choose your AWS sensor to easily review the current AWS log jobs.

  3. Click Create Log Collection Job.

    Click Create Log Collection Job to add a scheduled log collection job

    Note: If you recently deployed a new Sensor, it can take 10 to 20 minutes for USM Anywhere to discover the various log sources. After it discovers the logs, you must manually enable the AWS log collection jobs you want before the system collects the log data.

  4. Enter the Name and Description for the job.

    The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

  5. In the Select App option, select Amazon Web Services.
  6. In the App Action option, select Monitor S3 Bucket.

    Select the AWS sensor, Amazon Web Services app, and the Monitor S3 Bucket action

  7. Enter the Bucket Name and Path.

    The bucket name is simply the name of the S3 bucket as configured in your AWS account, such as DevBucket.

    The path is the path prefix within the S3 Bucket, such as AWSLOGS/3987783. This does not include the bucket name.

  8. In Source Format, select either of the following log formats:

    • syslog — Standard format for transmitting log data to USM Anywhere
    • raw — Not applicable

    Specify the bucket name, path, and source format for the S3 logs

  9. (Raw source only) From the Plugin Name list, select the plugin that corresponds to the incoming data.
  10. Set the Schedule to specify when USM Anywhere runs the job.

    First, choose the increment as Hour, Day, Week, Month, or Year. Next, set the interval options for the increment. The selected increment determines the available options.

    For example, on a weekly increment you can select the days of the week to run the job.

    Set the schedule for the job to run each week

    Or, on a monthly increment you can specify a date or a day of the week that occurs within the month.

    Set the schedule for the job to run each month

    To finish, set the Start time. This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (default is UTC).

  11. Click Save.
  12. In the AWS console, restart the AWS sensor instance so that it detects the new configuration.