Documentation Center
AlienVault® USM Anywhere™

Amazon ELB Access

When you configure Amazon Elastic Load Balancing (ELB) to deliver access logs to an S3 bucket and create a log collection job in USM Anywhere that monitors that bucket, you can use the ELB Access plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor: Amazon
Device type: Load balancer
Connection type: Amazon S3 bucket (USM Anywhere log collection job)
Vendor link: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html

ELB Access Integration

To configure ELB Access to send log data to USM Anywhere

  1. Create an S3 bucket:

    1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
    2. Choose Create Bucket.
    3. On the Create a Bucket page, do the following:

      • For Bucket Name, enter a name for your bucket.
      • For Region, select the region where you created your load balancer.
      • Choose Create.
  2. Attach a policy statement to your bucket:

    1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

    2. Select the bucket, and then choose Properties.

    3. For Permissions, choose Add bucket policy.

    4. On the Bucket Policy Editor page, choose AWS Policy Generator.

    5. On the AWS Policy Generator page, do the following:

      1. For Select Type of Policy, select S3 Bucket Policy.

      2. For Effect, select Allow to allow access to the S3 bucket.

      3. For Principal, type the account ID for Elastic Load Balancing to grant Elastic Load Balancing access to the S3 bucket.

        Use the account ID that corresponds to the region for your load balancer and bucket.

      4. For Actions, select PutObject to allow Elastic Load Balancing to store objects in the S3 bucket.

      5. For Amazon Resource Name (ARN), type the ARN of the S3 bucket in the following format:

        arn:aws:s3:::bucket/prefix/AWSLogs/aws-account-id/*

      6. Choose Add Statement, Generate Policy.

      7. Copy the policy displayed in the Policy JSON Document page, and then choose Close.

    6. Return to the Bucket Policy Editor page and paste the policy into the text area.

    7. Choose Save to save the policy. If Save is not enabled, press Enter.

    8. For Permissions, choose Save to attach the policy to your bucket.

  3. Enable Access Logs:

    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.

    3. Select your load balancer.

    4. On the Description tab, for Access logs, choose (Edit).

    5. On the Configure Access Logs page, do the following:

      1. Select Enable access logs.

      2. Set the interval at which the load balancer publishes log files (5 or 60 minutes; the default is 60 minutes).

      3. For S3 location, type the name of your S3 bucket followed by the prefix, if you use one. The prefix must match the one in the Resource ARN of the bucket policy; otherwise the load balancer is not permitted to write its log files.

      4. Choose Save.
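The bucket policy that the console procedure above produces, built and audited in Python as an added example (this is not AlienVault's or AWS's code). build_elb_log_bucket_policy emits a single-statement policy scoped to the Resource ARN form shown in step 2, and audit_log_bucket_policy flags the over-grants that commonly creep into log buckets: a "*" principal, actions beyond s3:PutObject, or a resource that is not confined to the AWSLogs/aws-account-id path. The bucket name alienvault-dev-tools and prefix monitoring/builds are this page's own examples; the account IDs 111122223333 and 999988887777 are placeholders, and the real Elastic Load Balancing account ID for your region must be taken from the AWS documentation linked under Device Details.

```python
import json
from typing import Any, Dict, List


def elb_log_resource_arn(bucket: str, prefix: str, aws_account_id: str) -> str:
    """Object ARN under which Elastic Load Balancing writes access logs:
    arn:aws:s3:::bucket/prefix/AWSLogs/aws-account-id/* (prefix may be empty)."""
    clean = prefix.strip("/")
    path = f"{clean}/" if clean else ""
    return f"arn:aws:s3:::{bucket}/{path}AWSLogs/{aws_account_id}/*"


def build_elb_log_bucket_policy(bucket: str, prefix: str, aws_account_id: str,
                                elb_account_id: str) -> Dict[str, Any]:
    """Least-privilege bucket policy: one Allow statement, one principal
    (the region-specific Elastic Load Balancing account), one action, one prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowELBAccessLogDelivery",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{elb_account_id}:root"},
            "Action": "s3:PutObject",
            "Resource": elb_log_resource_arn(bucket, prefix, aws_account_id),
        }],
    }


def _as_list(v: Any) -> List[Any]:
    """Policy grammar allows a string or a list in Principal/Action/Resource."""
    return v if isinstance(v, list) else [v]


def audit_log_bucket_policy(policy: Dict[str, Any], bucket: str,
                            aws_account_id: str) -> List[str]:
    """Return one finding per over-grant in the Allow statements.
    An empty list means the policy is scoped the way the procedure describes."""
    findings: List[str] = []
    expected_suffix = f"/AWSLogs/{aws_account_id}/*"
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        principal = st.get("Principal")
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        if "*" in aws_principals:
            # "*" in a bucket policy includes anonymous callers, not just other accounts.
            findings.append(f"{sid}: Principal is '*' (anyone may write to the bucket)")
        for action in _as_list(st.get("Action", [])):
            if str(action).lower() != "s3:putobject":
                findings.append(f"{sid}: action {action!r} exceeds s3:PutObject")
        for res in _as_list(st.get("Resource", [])):
            if not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"{sid}: resource {res!r} is not an object path in bucket {bucket!r}")
            elif not res.endswith(expected_suffix):
                findings.append(f"{sid}: resource {res!r} is not confined to AWSLogs/{aws_account_id}/")
    return findings


# Constructed counter-example (not from this page): the kind of policy a
# "make it work" edit in the console tends to leave behind.
WEAK_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "arn:aws:s3:::alienvault-dev-tools/*",
    }],
}

if __name__ == "__main__":
    # Placeholder account IDs; substitute your account and the ELB account for your region.
    good = build_elb_log_bucket_policy("alienvault-dev-tools", "monitoring/builds",
                                       "111122223333", "999988887777")
    print(json.dumps(good, indent=2))
    print("good policy findings:", audit_log_bucket_policy(good, "alienvault-dev-tools", "111122223333"))
    print("weak policy findings:", audit_log_bucket_policy(WEAK_POLICY, "alienvault-dev-tools", "111122223333"))
```

Paste the printed JSON into the Bucket Policy Editor in place of the generator output, or run the audit against a policy pulled from an existing bucket before pointing a load balancer at it; a non-empty findings list means the bucket accepts more than log delivery.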

Plugin Enablement

To schedule a log collection job for an S3 bucket

  1. Go to SETTINGS > SCHEDULER.
  2. In the left navigation list, click Log Collection.

    Note: You can use the Sensor filter at the top of the list to choose your AWS sensor to easily review the current AWS log jobs.

  3. Click Create Log Collection Job.


    Note: If you recently deployed a new Sensor, it can take 10 to 20 minutes for USM Anywhere to discover the various log sources. After it discovers the logs, you must manually enable the AWS log collection jobs you want before the system collects the log data.

  4. Enter the Name and Description for the job.

    The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

  5. In the Select App option, select Amazon Web Services.
  6. In the App Action option, select Monitor S3 Bucket.

  7. Enter the Bucket Name and Path.

    The bucket name is simply the name of the S3 bucket as configured in your AWS account, for example alienvault-dev-tools.

    The path is the path prefix within the S3 bucket, for example monitoring/builds. It does not include the bucket name, and it should be the same prefix you entered for the load balancer's access logs, because the load balancer writes its log files beneath that prefix.

  8. In Source Format option, select raw.

  9. In Plugin option, select ELBAccess.

  10. Set the Schedule options.
  11. Click Save.

Available Plugin Fields

The following plugin fields are important attributes extracted from each ELB access log record. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • application_protocol
  • bytes_in
  • bytes_out
  • customfield_0 → Request Processing Time
  • customfield_1 → Backend Processing Time
  • customfield_2 → Response Processing Time
  • customfield_3 → Load Balancer Status Code
  • destination_address
  • destination_port
  • event_action
  • event_description
  • event_name
  • plugin_device
  • plugin_device_version
  • protocol_version
  • rep_device_hostname
  • request_method
  • request_url
  • request_user_agent
  • response_code
  • source_address
  • source_address_6
  • source_port
  • tls_cipher
  • tls_version
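To make the field list concrete, here is an added Python example (not the plugin's own code) that parses Classic ELB access log lines and maps them onto the plugin field names above. The sample lines are constructed to follow the Classic ELB layout (HTTP, HTTPS, a request the load balancer could not route to any instance, and a TCP listener), and the mapping of response_code to the backend status code is an assumption; the page only states that customfield_3 is the load balancer's own status code. Fields the log line does not carry (event_name, event_action, event_description, access_control_outcome, application_protocol, plugin_device, plugin_device_version) are not populated. The example also shows the check a responder wants from these logs: requests the load balancer answered itself because no backend was reachable, which ELB marks with '-' for the backend and -1 for the processing times.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample log object (not real traffic), in Classic ELB access log layout.
SAMPLE_LOG = """\
2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2015-05-13T23:39:44.102312Z my-loadbalancer 192.168.131.39:2818 10.0.0.1:443 0.000086 0.001048 0.001337 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.38.0" DHE-RSA-AES128-SHA TLSv1.2
2015-05-13T23:39:45.000001Z my-loadbalancer 192.168.131.39:2819 - -1 -1 -1 503 - 0 0 "GET http://www.example.com:80/health HTTP/1.1" "curl/7.38.0" - -
2015-05-13T23:39:46.500000Z my-loadbalancer 192.168.131.39:2820 10.0.0.1:80 0.001069 0.000028 0.000041 - - 82 305 "- - - " "-" - -
"""

# Field order of one Classic ELB access log entry; request and user agent are quoted,
# every other field is a single space-separated token, '-' where ELB has no value.
ELB_LINE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<req_time>\S+) (?P<backend_time>\S+) (?P<resp_time>\S+) '
    r'(?P<elb_status>\S+) (?P<backend_status>\S+) (?P<received>\d+) (?P<sent>\d+) '
    r'"(?P<request>[^"]*)" "(?P<user_agent>[^"]*)" (?P<cipher>\S+) (?P<tls>\S+)\s*$'
)


def _dash(v: str) -> Optional[str]:
    return None if v == "-" else v


def _num(v: str, conv) -> Optional[Any]:
    return None if v == "-" else conv(v)


def _hostport(v: str) -> Tuple[Optional[str], Optional[int]]:
    """'addr:port' -> (addr, port); '-' -> (None, None). IPv6 text has no brackets here."""
    if v == "-":
        return None, None
    host, port = v.rsplit(":", 1)
    return host, int(port)


def normalize(line: str) -> Optional[Dict[str, Any]]:
    """Map one access log line onto the plugin field names; None if the layout does not match."""
    m = ELB_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    g = m.groupdict()
    src, src_port = _hostport(g["client"])
    dst, dst_port = _hostport(g["backend"])
    # Request is 'METHOD URL VERSION'; TCP listeners log "- - - " instead.
    parts = g["request"].split()
    method, url, version = [_dash(p) for p in parts] if len(parts) == 3 else (None, None, None)
    return {
        "rep_device_hostname": g["elb"],
        "source_address": None if src and ":" in src else src,
        "source_address_6": src if src and ":" in src else None,
        "source_port": src_port,
        "destination_address": dst,
        "destination_port": dst_port,
        "customfield_0": _num(g["req_time"], float),      # Request Processing Time
        "customfield_1": _num(g["backend_time"], float),  # Backend Processing Time
        "customfield_2": _num(g["resp_time"], float),     # Response Processing Time
        "customfield_3": _num(g["elb_status"], int),      # Load Balancer Status Code
        "response_code": _num(g["backend_status"], int),  # assumed: backend status code
        "bytes_in": int(g["received"]),
        "bytes_out": int(g["sent"]),
        "request_method": method,
        "request_url": url,
        "protocol_version": version,
        "request_user_agent": _dash(g["user_agent"]),
        "tls_cipher": _dash(g["cipher"]),
        "tls_version": _dash(g["tls"]),
    }


def parse_log(text: str) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Parse a whole log object; lines that do not parse are returned, not silently dropped."""
    events: List[Dict[str, Any]] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = normalize(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def backend_unreachable_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Requests the load balancer could not hand to any registered instance.
    ELB writes '-' for the backend in that case, so destination_address is None."""
    return [e for e in events if e["destination_address"] is None]


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events, {len(bad)} rejected lines")
    for e in backend_unreachable_events(evs):
        print("no backend reachable:", e["source_address"], e["request_url"], e["customfield_3"])
```

Run it against a log object downloaded from the bucket (one file per load balancer per interval) to check what the plugin will see before a collection job is scheduled; a growing rejected list usually means the bucket holds Application or Network Load Balancer logs, whose layout differs from the Classic one parsed here.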

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-troubleshooting.html