Before you can create a new AWS S3 Access collection job, you must have previously enabled S3 Access Logging in your AWS environment. For more information about these logs, see S3 Access Logs.
Note: In AWS, you must enable S3 Access Logging in every S3 bucket that you want to monitor.
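To check this prerequisite across buckets, the following added example (not part of the USM Anywhere documentation) audits S3 GetBucketLogging responses, flags buckets without access logging, and reports where each logged bucket delivers its logs. It assumes the delivery bucket and prefix are the values to enter as Bucket Name and Path in the job; bucket names other than DevBucket are hypothetical.

```python
def audit_logging(responses):
    """Split buckets into logged and unlogged.
    `responses` maps bucket name -> S3 GetBucketLogging response
    (boto3: s3.get_bucket_logging(Bucket=name)). Access logging is on only
    when the response carries a LoggingEnabled element.
    """
    enabled, missing = {}, []
    for bucket, resp in sorted(responses.items()):
        cfg = resp.get("LoggingEnabled")
        if not cfg:
            missing.append(bucket)
            continue
        target = cfg["TargetBucket"]
        enabled[bucket] = {
            "bucket_name": target,
            # Assumption: Path is written like the page's example, without
            # the bucket name or leading/trailing slashes.
            "path": cfg.get("TargetPrefix", "").strip("/"),
            # Delivering a bucket's logs into itself logs the log writes too.
            "self_logging": target == bucket,
        }
    return enabled, missing


def fetch_responses(bucket_names=None):
    """Live collection; needs boto3 and AWS credentials. Unused by the sample."""
    import boto3
    s3 = boto3.client("s3")
    if bucket_names is None:
        bucket_names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return {name: s3.get_bucket_logging(Bucket=name) for name in bucket_names}


# Constructed sample responses. DevBucket and AWSLOGS/3987783 come from the
# page's examples; the other names are hypothetical.
SAMPLE = {
    "DevBucket": {"LoggingEnabled": {"TargetBucket": "central-logs",
                                     "TargetPrefix": "AWSLOGS/3987783/"}},
    "billing-exports": {},  # no LoggingEnabled element: logging is off
    "central-logs": {"LoggingEnabled": {"TargetBucket": "central-logs",
                                        "TargetPrefix": "self/"}},
}

if __name__ == "__main__":
    enabled, missing = audit_logging(SAMPLE)
    for src, job in enabled.items():
        note = "  (logs into itself)" if job["self_logging"] else ""
        print(f"{src}: Bucket Name={job['bucket_name']} Path={job['path']}{note}")
    print("Access logging not enabled:", ", ".join(missing) or "none")
```

For a live account, pass the result of `fetch_responses()` to `audit_logging()` instead of `SAMPLE`.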
To create a new S3 Access Collection Job
- Go to SETTINGS > SCHEDULER.
- In the left navigation list, click Log Collection.
  Note: You can use the Sensor filter at the top of the list to choose your AWS sensor to easily review the current AWS log jobs.
- Click Create Log Collection Job.
  Note: If you recently deployed a new Sensor, it can take 10 to 20 minutes for USM Anywhere to discover the various log sources. After it discovers the logs, you must manually enable the AWS log collection jobs you want before the system collects the log data.
- Enter the Name and Description for the job.
  The description is optional, but it is a best practice to provide this information so that others can easily understand what the job does.
- In the Select App option, select Amazon Web Services.
- In the App Action option, select Monitor S3 Bucket.
- Enter the Bucket Name and Path.
  The bucket name is simply the name of the S3 bucket as configured in your AWS account, such as DevBucket.
  The path is the path prefix within the S3 Bucket, such as AWSLOGS/3987783. This does not include the bucket name.
- In Source Format, select either of the following log formats:
  - syslog — Standard format for transmitting log data to USM Anywhere
  - raw — Not applicable
- (Raw source only) From the Plugin Name list, select the plugin that corresponds to the incoming data.
- Set the Schedule to specify when USM Anywhere runs the job.
  First, choose the increment as Hour, Day, Week, Month, or Year. Next, set the interval options for the increment. The selected increment determines the available options.
  For example, on a weekly increment you can select the days of the week to run the job.
  Or, on a monthly increment you can specify a date or a day of the week that occurs within the month.
  To finish, set the Start time. This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (default is UTC).
- Click Save.
- In the AWS console, restart the AWS sensor instance so that it detects the new configuration.