AWS Log Discovery and Collection in USM Anywhere

Amazon Web Services (AWS) customers have access to service-specific log files that give insight into how each AWS service is operating. In addition, applications running in AWS generate their own log files in various formats. With a deployed AWS Sensor, USM Anywhere can collect both kinds of logs from AWS, but the procedures differ slightly:

  • Use a predefined scheduler job

    USM Anywhere automatically discovers the AWS CloudTrail logs, the Amazon Simple Storage Service (S3) access logs, and some Amazon CloudWatch logs when they are enabled within your AWS account. Predefined scheduler jobs in USM Anywhere collect these logs, but they are disabled by default. Go to Settings > Scheduler > Log Collection for the full list, and enable each job for the logs you want to collect. See Collect AWS CloudTrail Logs on an AWS Sensor, Collect Amazon S3 Access Logs, and Collect ELB Access Logs for more information.

  • Use a customer-defined scheduler job

    If none of the predefined jobs collect from your log location, you can create a new job under Settings > Scheduler > Log Collection. Depending on where your logs are stored, USM Anywhere provides two ways to collect them:

    • Amazon CloudWatch Logs: If you choose to use Amazon CloudWatch Logs in your AWS environment, USM Anywhere can collect CloudWatch logs directly. See Collect AWS CloudTrail Logs on an AWS Sensor for more information. For example, you can collect the Amazon Virtual Private Cloud (VPC) flow logs using this method.
    • Amazon S3 bucket: If you choose to store logs in an Amazon S3 bucket instead, USM Anywhere can collect logs directly from that bucket. See Collect Other Logs from an Amazon S3 Bucket for more information.