Configuring an Amazon AWS Route 53 log source by using an S3 bucket with an SQS queue
You can collect AWS Route 53 Resolver query logs from multiple accounts or regions in an Amazon S3 bucket. Configure a log source on the QRadar Console so that Amazon AWS Route 53 can communicate with QRadar by using the Amazon AWS S3 REST API protocol and a Simple Queue Service (SQS) queue.
About this task
- You can use one log source for an S3 bucket, rather than one log source for each region and account.
- There is a reduced chance of missing files because this method uses ObjectCreate notifications to determine when new files are ready.
- It's easy to balance the load across multiple Event Collectors because the SQS queue supports connections from multiple clients.
- Unlike the directory prefix method, the SQS queue method does not require that the file names in the folders sort in ascending order by their full path. File names produced by custom applications don't always meet that requirement.
- You can monitor the SQS queue and set up alerts if it gets over a certain number of records. These alerts provide information about whether QRadar is either falling behind or not collecting events.
- You can use IAM Role authentication with SQS, which is Amazon's best practice for security.
- Certificate handling is improved with the SQS method and does not require the downloading of certificates to the Event Collector.
Procedure
- Configure Resolver query logging. In Step 5 of that procedure, select S3 bucket as the destination for query logs.
- Create the SQS queue that is used to receive ObjectCreated notifications.
- Create an Amazon AWS Identity and Access Management (IAM) user and then apply the AmazonS3ReadOnlyAccess policy.
- Configure the security credentials for your AWS user account.
- Configure the Amazon AWS S3 REST API log source parameters for Amazon AWS Route 53 when using an SQS queue.
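The two AWS-side documents behind steps 2 and 3 of this procedure are the SQS queue access policy (which must let S3 deliver ObjectCreated notifications, and nothing else) and the bucket notification configuration. The following Python is an added example, not part of the IBM QRadar documentation; the account ID, region, bucket name and queue name are constructed placeholders, and nothing is sent to AWS. It builds both documents and includes a check that flags a queue policy whose SendMessage grant to the S3 service principal is not pinned to one bucket with aws:SourceArn, the common misconfiguration that lets any S3 bucket push messages into the collection queue.

```python
"""Build and sanity-check the SQS queue policy and S3 notification configuration
used by the SQS-based Route 53 query-log collection method.

Added example; not IBM QRadar documentation code. Account, region, bucket and
queue names below are constructed placeholders. Only JSON is produced here.
"""
import json

# Constructed placeholders (assumptions, not values from the documentation page).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
BUCKET = "example-route53-query-logs"
QUEUE = "example-route53-log-notifications"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:{QUEUE}"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"


def build_queue_policy(queue_arn: str, bucket_arn: str, account_id: str) -> dict:
    """SQS access policy that lets the S3 service send ObjectCreated notifications.

    The Principal is the S3 service itself, so the Condition block is what keeps
    every other bucket (in this or any other account) from writing into the queue:
    aws:SourceArn pins the sending bucket, aws:SourceAccount pins the owning account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3ObjectCreatedNotifications",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {
                    "ArnEquals": {"aws:SourceArn": bucket_arn},
                    "StringEquals": {"aws:SourceAccount": account_id},
                },
            }
        ],
    }


def build_bucket_notification(queue_arn: str, prefix: str = "") -> dict:
    """S3 bucket notification configuration that emits s3:ObjectCreated:* events
    to the queue. An optional key prefix limits notifications to the folder that
    Resolver query logging writes into, so unrelated uploads do not reach QRadar."""
    config = {
        "QueueConfigurations": [
            {
                "Id": "Route53QueryLogsToSqs",
                "QueueArn": queue_arn,
                "Events": ["s3:ObjectCreated:*"],
            }
        ]
    }
    if prefix:
        config["QueueConfigurations"][0]["Filter"] = {
            "Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}
        }
    return config


def find_unscoped_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant sqs:SendMessage to a
    wildcard or service principal without an aws:SourceArn condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sqs:SendMessage", "sqs:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        broad = principal == "*" or (
            isinstance(principal, dict)
            and ("Service" in principal or principal.get("AWS") == "*")
        )
        conditions = stmt.get("Condition", {})
        pinned = any(
            "aws:SourceArn" in block
            for block in conditions.values()
            if isinstance(block, dict)
        )
        if broad and not pinned:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = build_queue_policy(QUEUE_ARN, BUCKET_ARN, ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print(json.dumps(build_bucket_notification(QUEUE_ARN, "AWSLogs/"), indent=2))
    print("unscoped statements:", find_unscoped_statements(policy))
```

To apply the documents with boto3 (assumed, not shown on the page), the queue policy goes to `sqs.set_queue_attributes(QueueUrl=..., Attributes={"Policy": json.dumps(policy)})` and the notification configuration to `s3.put_bucket_notification_configuration(Bucket=BUCKET, NotificationConfiguration=config)`; the bucket notification call fails unless the queue policy already permits S3 to send, which is a useful signal that the policy was written correctly. Running `find_unscoped_statements` over an existing queue's policy is a quick audit before attaching a QRadar log source to it.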