If you want to collect AWS CloudTrail logs from Amazon Kinesis Data Streams, configure a log source on the QRadar Console so that Amazon AWS CloudTrail can communicate with QRadar by using the Amazon Web Services protocol.
Procedure
- Follow the procedures in the AWS online documentation Sending Events to CloudWatch Logs (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html) to configure CloudTrail to deliver its logs to a log group in AWS CloudWatch Logs.
- Create a CloudWatch Logs destination and a CloudWatch Logs subscription filter.
  - Create a CloudWatch Logs destination that points to the destination Kinesis Data Stream. Only one CloudWatch Logs destination is required per region, and the destination Kinesis Data Stream can be in any region.
  - Create a CloudWatch Logs subscription filter with a blank filter pattern to subscribe the destination to the CloudWatch Logs log group and match all events.
  The subscription filter is now associated with a CloudWatch Logs log group that contains AWS CloudTrail logs, and delivers those logs to a Kinesis Data Stream.
- Add an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams.
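The destination and subscription-filter steps above, expressed as AWS CLI calls (an added example, not part of the QRadar documentation or the AWS guide); the account ID, region, stream, role and destination names are placeholder assumptions, and the delivery role is scoped to PutRecord on the one stream.

```shell
# Added example: connect a CloudWatch Logs log group holding CloudTrail events
# to a Kinesis Data Stream via a Logs destination plus a subscription filter.
# Every name/ARN below is an assumed placeholder; set AWS=echo to dry-run.
AWS="${AWS:-aws}"
REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-111111111111}"             # placeholder account
LOG_GROUP="${LOG_GROUP:-CloudTrail/DefaultLogGroup}"  # group CloudTrail writes to
STREAM="${STREAM:-qradar-cloudtrail}"
ROLE="${ROLE:-CWLtoKinesisRole}"
DEST="${DEST:-qradar-cloudtrail-dest}"
STREAM_ARN="arn:aws:kinesis:$REGION:$ACCOUNT_ID:stream/$STREAM"
DEST_ARN="arn:aws:logs:$REGION:$ACCOUNT_ID:destination:$DEST"

# Role that CloudWatch Logs assumes; allowed only to write into this stream.
create_delivery_role() {
  "$AWS" iam create-role --role-name "$ROLE" --assume-role-policy-document \
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"logs.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
  "$AWS" iam put-role-policy --role-name "$ROLE" --policy-name kinesis-put \
    --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"kinesis:PutRecord\",\"kinesis:PutRecords\"],\"Resource\":\"$STREAM_ARN\"}]}"
}

# One destination per region; the stream it targets may live in another region.
create_logs_destination() {
  "$AWS" logs put-destination --region "$REGION" --destination-name "$DEST" \
    --target-arn "$STREAM_ARN" --role-arn "arn:aws:iam::$ACCOUNT_ID:role/$ROLE"
  # Destination policy: only this account may subscribe log groups to it.
  "$AWS" logs put-destination-policy --region "$REGION" --destination-name "$DEST" \
    --access-policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"$ACCOUNT_ID\"},\"Action\":\"logs:PutSubscriptionFilter\",\"Resource\":\"$DEST_ARN\"}]}"
}

# Blank filter pattern: every CloudTrail event in the log group is forwarded.
create_subscription_filter() {
  "$AWS" logs put-subscription-filter --region "$REGION" \
    --log-group-name "$LOG_GROUP" --filter-name qradar-all-events \
    --filter-pattern "" --destination-arn "$DEST_ARN"
}

# Full sequence: stream, delivery role, destination, then the subscription.
configure_cloudtrail_to_kinesis() {
  "$AWS" kinesis create-stream --region "$REGION" --stream-name "$STREAM" --shard-count 1
  create_delivery_role && create_logs_destination && create_subscription_filter
}
```

Run `configure_cloudtrail_to_kinesis` with real credentials once the log group from step 1 exists; the stream name is what the QRadar log source then references.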