Ingesting Logs from S3 Bucket

Copper Contributor

I have an S3 bucket which stores some firewall logs. How do I go about pulling these logs into Sentinel? These are not AWS logs, the service provider is uploading the logs to S3. The native S3 connector seems to be AWS logs only. Do I need to write a script to start pulling these logs and ship them off with a DCR using the AMA?

1 Reply

A few ways to do that, a simple design may look something like this:
1) when firewall logs reach S3 bucket, a pre-defined S3 event notfication will trigger a Lambda function
2) the Lambda function is designed to format the firewall log into CEF format and send it to a syslog server
3) Sentinel can ingest logs from the Syslog server