Forum Discussion
sneakypanda
Jul 31, 2023Copper Contributor
Loading CloudFront logs into Sentinel
Hi, I am after suggestions on the best way of loading AWS CloudFront logs into Microsoft Sentinel. I have the Sentinel AWS connector deployed and it is ingesting CloudTrail events. The connector do...
raphaelcustodiosoares
Aug 02, 2023Iron Contributor
Looking at some posts I found a lot about CloudWatch, but I also found something about Azure Monitor. I don't know if it's really possible, but here's the tip.
if you liked it click like 😄
1. **Enable AWS CloudFront Logging**:
- In your AWS Management Console, enable logging for your CloudFront distribution(s). This will generate CloudFront access logs and store them in an S3 bucket.
2. **Set up an S3 Bucket Policy**:
- Ensure that the S3 bucket where CloudFront logs are stored has the appropriate permissions to allow Azure Monitor to read data from it. You can set up a bucket policy to grant the necessary permissions to the AWS account used by Azure Monitor.
3. **Create an Azure Logic App**:
- In the Azure portal, create a Logic App that will act as an integration between your S3 bucket and Azure Sentinel. The Logic App will be responsible for triggering the log collection process.
4. **Create an Azure Monitor Custom Log Source**:
- In Azure Monitor, create a custom log source to ingest the CloudFront logs. You'll need to define the schema for the log data to be ingested.
5. **Configure the Logic App for Log Collection**:
- Configure the Logic App to be triggered when new objects (CloudFront logs) are added to the S3 bucket. Upon triggering, the Logic App should read the logs from the S3 bucket and send them to the Azure Monitor custom log source.
6. **Ingest CloudFront Logs into Azure Sentinel**:
- The Logic App will push the CloudFront logs to the custom log source in Azure Monitor, which will then be ingested into your Log Analytics workspace.
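Step 5 above is the part that actually needs code: the Logic App has to turn each CloudFront log object (a gzipped, tab-separated file with a `#Fields:` header) into JSON records before it can write them to a Log Analytics custom table. The following is an added example written for this thread, not code from either poster or from Microsoft or AWS. It assumes the documented CloudFront standard-log layout (`#Version:` and `#Fields:` header lines, `-` for empty values, URL-encoding on `cs-uri-stem`, `cs-uri-query`, `cs(User-Agent)` and `cs(Referer)`); the `TimeGenerated` output key is an assumed name for whatever timestamp column your custom table maps. The sample log embedded in it is constructed.

```python
"""Convert CloudFront standard access logs into JSON records for a custom log.

Added example for the thread, not the project's or either poster's code. Assumes the
documented CloudFront standard-log layout; field names of the target custom table
(e.g. TimeGenerated) are assumptions.
"""
import gzip
import json
from urllib.parse import unquote

# Columns CloudFront documents as URL-encoded in the standard log format.
URL_ENCODED = {"cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs(Referer)"}
# Columns that are numeric when present ("-" means absent).
INT_FIELDS = {"sc-bytes", "cs-bytes", "sc-status", "c-port", "sc-content-len"}
FLOAT_FIELDS = {"time-taken", "time-to-first-byte"}

# Constructed sample log: header lines, two valid requests and one truncated line.
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
    "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type "
    "x-edge-request-id x-host-header cs-protocol cs-bytes time-taken\n"
    "2023-07-31\t10:15:02\tLHR50-C1\t1024\t203.0.113.7\tGET\td111111abcdef8.cloudfront.net\t"
    "/index.html\t200\t-\tMozilla/5.0%20(X11)\t-\t-\tHit\tREQID1\texample.com\thttps\t412\t0.003\n"
    "2023-07-31\t10:15:03\tLHR50-C1\t512\t203.0.113.7\tGET\td111111abcdef8.cloudfront.net\t"
    "/search\t404\t-\tcurl/8.0\tq=hello%20world\t-\tMiss\tREQID2\texample.com\thttps\t300\t0.001\n"
    "2023-07-31\t10:15:04\tLHR50-C1\tgarbage\n"
)


def _coerce(name, raw):
    """Map one raw column value to a JSON-friendly Python value."""
    if raw == "-":
        return None
    if name in URL_ENCODED:
        return unquote(raw)
    if name in INT_FIELDS:
        return int(raw)
    if name in FLOAT_FIELDS:
        return float(raw)
    return raw


def parse_cloudfront_log(data):
    """Parse one log object (str, bytes or gzip bytes) into (records, rejected_lines).

    Lines whose column count disagrees with the #Fields header are returned
    separately instead of being silently mis-aligned into the wrong columns,
    so the caller can raise an alert on them rather than ingest bad data.
    """
    if isinstance(data, (bytes, bytearray)):
        if data[:2] == b"\x1f\x8b":  # gzip magic: CloudFront delivers logs gzipped
            data = gzip.decompress(data)
        data = data.decode("utf-8")
    fields = None
    records, rejected = [], []
    for line in data.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # "#Version: 1.0" and any other comment line
        cols = line.split("\t")
        if fields is None or len(cols) != len(fields):
            rejected.append(line)
            continue
        rec = {name: _coerce(name, value) for name, value in zip(fields, cols)}
        # Fold the separate UTC date and time columns into one ISO 8601 timestamp
        # under the (assumed) column name the custom table maps as its time field.
        rec["TimeGenerated"] = f"{rec.pop('date')}T{rec.pop('time')}Z"
        records.append(rec)
    return records, rejected


def to_json_payload(records):
    """Serialize records as the JSON array body an HTTP log-ingestion call sends."""
    return json.dumps(records, separators=(",", ":"))


def gzipped_sample():
    """Return the constructed sample compressed the way CloudFront stores it in S3."""
    return gzip.compress(SAMPLE_LOG.encode("utf-8"))


if __name__ == "__main__":
    recs, bad = parse_cloudfront_log(gzipped_sample())
    print(to_json_payload(recs))
    print(f"{len(recs)} records converted, {len(bad)} malformed line(s) rejected")
```

In a Logic App this would run as an Azure Function (or inline code action) between the "read S3 object" and "send to Log Analytics" steps; the rejected-line count is worth sending as its own metric, since a sudden rise usually means the `#Fields` list changed and the mapping needs updating.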
sneakypanda
Aug 03, 2023Copper Contributor
Please share the link you found about this.
I looked at Logic Apps and couldn't see an easy way to do this. There are connectors to read from AWS S3 and write to Log Analytics. I couldn't see an easy way to translate the data: the write to Log Analytics requires the data to be in JSON format.
Lzng3r
Aug 07, 2023Copper Contributor
Did you manage to find a solution? I am starting to explore this now as well.
sneakypanda
Aug 09, 2023Copper Contributor
Not as of yet.
Passing the logs through CloudWatch looks to be the easiest way. The Sentinel connector can pick these up natively. My concern with this is that it would bill for ingested data twice.