AlienVault® USM Anywhere™

AWS Log Discovery and Collection in USM Anywhere

Amazon Web Services (AWS) customers have access to service-specific log files that show how each AWS service is operating. In addition, applications running in AWS generate their own log files in various formats. With a deployed AWS sensor, USM Anywhere can collect both kinds of logs from AWS, but the procedures differ slightly:

  • Use a predefined scheduler job

    USM Anywhere automatically discovers the AWS CloudTrail logs and the Amazon Simple Storage Service (S3) access logs once you have enabled them within your AWS account. USM Anywhere ships with predefined scheduler jobs to collect these logs, but they are disabled by default; enable the job for each log type you want to collect. See Collecting AWS CloudTrail Logs, Collecting Amazon S3 Access Logs, and Collecting ELB Access Logs for details.

  • Use a customer-defined scheduler job

    USM Anywhere provides two ways to collect logs from applications running in your AWS environment:

    • Amazon CloudWatch Logs: If you choose to use Amazon CloudWatch Logs in your AWS environment, USM Anywhere can collect CloudWatch logs directly. See Collecting Amazon CloudWatch Logs for details. For example, you can collect the Amazon Virtual Private Cloud (VPC) flow logs using this method.
    • Amazon S3 bucket: If you instead store application logs in an Amazon S3 bucket, USM Anywhere can collect them directly from that bucket. See Collecting Other Logs from an Amazon S3 Bucket for details.
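The three log sources named above (CloudTrail, S3 server access logs, and VPC flow logs delivered through CloudWatch) arrive in three different formats, and the value of pulling them into one place is being able to line events up by time and by source IP. The following Python script is an added example, not USM Anywhere code and not an AWS SDK call: it parses one constructed sample record of each type using the documented default field layouts (CloudTrail JSON `Records`, the space-delimited S3 access log with its bracketed timestamp, and the 14-field version-2 VPC flow record) and normalizes them into a common event shape. All account IDs, bucket names, request IDs and addresses in the samples are made up.

```python
"""Normalize the three AWS log formats named on the page into one event shape.

Added example with constructed sample records; not USM Anywhere code and
not real account data.
"""
import json
import re
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# --- Constructed samples (hypothetical IDs, RFC 5737 test addresses) ---
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [{
    "eventTime": "2024-03-01T12:00:00Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "requestParameters": {"userName": "svc-deploy"},
}]})

S3_ACCESS_SAMPLE = (
    "79a59df900b949e5EXAMPLE example-bucket [01/Mar/2024:12:00:01 +0000] "
    "203.0.113.10 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE "
    'REST.GET.OBJECT reports/q1.csv "GET /example-bucket/reports/q1.csv HTTP/1.1" '
    '200 - 5120 5120 12 11 "-" "aws-cli/2.15.0" -'
)

VPC_FLOW_SAMPLE = ("2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 "
                   "44321 22 6 4 240 1709294399 1709294459 REJECT OK")


def parse_cloudtrail(payload):
    """CloudTrail delivers JSON with a top-level 'Records' list."""
    events = []
    for r in json.loads(payload)["Records"]:
        ident = r.get("userIdentity", {})
        events.append({
            "source": "cloudtrail",
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "actor": ident.get("userName") or ident.get("type", "unknown"),
            "action": f'{r["eventSource"]}:{r["eventName"]}',
            "src_ip": r.get("sourceIPAddress"),
            "target": json.dumps(r.get("requestParameters", {}), sort_keys=True),
            "outcome": "error" if "errorCode" in r else "success",
        })
    return events


def parse_s3_access(line):
    """S3 server access logs are space-delimited, but the bracketed timestamp
    contains a space and the URI/referer/agent fields are quoted, so lift the
    timestamp out first and let shlex handle the quoting."""
    m = re.search(r"\[([^\]]+)\]", line)
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    f = shlex.split(line[:m.start()] + "T" + line[m.end():])
    # f: owner bucket T remote_ip requester request_id operation key uri status ...
    return [{
        "source": "s3-access",
        "time": ts,
        "actor": f[4],
        "action": f[6],
        "src_ip": f[3],
        "target": f"{f[1]}/{f[7]}",
        "outcome": f[9],
    }]


def parse_vpc_flow(line):
    """Default-format VPC flow log record (version 2, 14 fields)."""
    f = line.split()
    if len(f) != 14:
        raise ValueError(f"unexpected VPC flow field count: {len(f)}")
    return [{
        "source": "vpc-flow",
        "time": datetime.fromtimestamp(int(f[10]), tz=timezone.utc),
        "actor": f[3],
        "action": f"proto{f[7]}->{f[6]}",
        "src_ip": f[3],
        "target": f"{f[4]}:{f[6]} ({f[2]})",
        "outcome": f[12],
    }]


PARSERS = {"cloudtrail": parse_cloudtrail,
           "s3-access": parse_s3_access,
           "vpc-flow": parse_vpc_flow}


def collect(batches):
    """batches: iterable of (kind, payload). Returns events sorted by time."""
    events = []
    for kind, payload in batches:
        events.extend(PARSERS[kind](payload))
    return sorted(events, key=lambda e: e["time"])


def by_src_ip(events):
    """Index events by source IP so activity seen in one log can be checked
    against the others, which is the point of collecting them together."""
    idx = defaultdict(list)
    for e in events:
        idx[e["src_ip"]].append((e["source"], e["action"]))
    return dict(idx)


if __name__ == "__main__":
    evs = collect([("cloudtrail", CLOUDTRAIL_SAMPLE),
                   ("s3-access", S3_ACCESS_SAMPLE),
                   ("vpc-flow", VPC_FLOW_SAMPLE)])
    for e in evs:
        print(e["time"].isoformat(), e["source"], e["actor"], e["action"], e["outcome"])
    print(by_src_ip(evs))
```

The common shape (source, time, actor, action, src_ip, target, outcome) is deliberately minimal; a real collector keeps the raw record alongside it. The VPC parser rejects records with the wrong field count rather than guessing, because custom flow log formats reorder fields and a silent misparse would put the wrong address in `src_ip`.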