Hi Jochen,
Thanks for the feedback. Sure, I can give a few use cases; I think most of
them are related to the plugin not consuming responseParameters and
responseElements.
1) Identify if an AWS Console authentication was successful or not.
Current situation: At the moment, I can see in Graylog: ConsoleLogin event,
timestamp, username. However, I don't know if the authentication was
successful or not
What we would additionally need: responseParameters element, specifically:
ConsoleLogin param.
e.g:
"responseElements":{*"ConsoleLogin":"Success"*},"additionalEventData":{"LoginTo":"https://us-west-2.console.aws.amazon.com/console/home?region\u003dus-west-2\u0026state\u003dhashArgs%23\u0026isauthcode\u003dtrue","MobileVersion":"No","MFAUsed":"Yes"}
2) Launching an Instance - RunInstances event
Current situation: At the moment, I can see in Graylog all the
requestParameters, which is great. However, I also want to capture the
created instance-id (so I can correlate further events with that instance),
and also the PrivateIPAddress. These details are under the responseElements
e.g: (Just the beginning of the snippet)
"responseElements": {
    "reservationId": "r-xxxxxxxx",
    "ownerId": "XXXXXXXX",
    "groupSet": {},
    "instancesSet": {
        "items": [
            {
                "instanceId": "i-xxxxxxxx",
                "imageId": "ami-xxxxxxxx",
                "instanceState": {
                    "code": 0,
                    "name": "pending"
                },
                "privateDnsName": "ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal",
                "keyName": "XXXXX",
                "amiLaunchIndex": 0,
                "productCodes": {},
                "instanceType": "r3.large",
                "launchTime": 1437984427000,
                "placement": {
                    "availabilityZone": "us-west-2b",
                    "tenancy": "default"
                },
                "monitoring": {
                    "state": "disabled"
                },
                "subnetId": "subnet-xxxxxxxx",
                "vpcId": "vpc-xxxxxxxx",
                "privateIpAddress": "xxx.xxx.xxx.xx",
On Mon, Jul 27, 2015 at 6:17 PM, Jochen Schalanda <[email protected]>
wrote:
> Hi,
>
> the AWS input plugin was more of a proof of concept in the first
> implementation.
>
> Could you, Preston and Fabio, please elaborate on some of your use cases
> with the plugin and which functionality is specifically missing?
>
>
> Cheers,
> Jochen
>
> On Sunday, 26 July 2015 13:08:21 UTC+2, Fabio Douek wrote:
>>
>> Hi Preston,
>>
>> I didn't get any update on this. I agree, at the moment the plugin is
>> useless without capturing responseElements.
>> I was planning to adopt the usage of Graylog, mostly because of the
>> Cloudtrail plugin.
>> Looking to move into other option, as the plugin is not mature enough,
>> which is a shame because the graylog team did a great job, and would
>> probably take very little to extend the plugin to capture all the
>> Cloudtrail details.
>>
>> Regards,
>> Fabio.
>>
>> On Friday, July 24, 2015 at 5:33:30 PM UTC+10, Preston Rodriguez wrote:
>>>
>>> No update on this? The plugin is pretty useless without this data
>>>
>>> On Tuesday, March 3, 2015 at 12:10:17 PM UTC-5, Fabio Douek wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm evaluating the CloudTrail plugin for graylog2. Everything is working
>>>> fine, but it seems that it is not importing the responseElements CloudTrail
>>>> object. Is this the case?
>>>>
>>>> How can I add to import this? That's essential for an auditing
>>>> solution, as at the moment, if I filter by event_name=ConsoleLogin for
>>>> example, I can't track failed authentication. The same thing for most of
>>>> the events.
>>>>
>>>> Probably the requestElements could also be handy in some cases...
>>>>
--
Fabio Douek
Product Architect
FusionCloud
Rubicon Red
M +61 404 361 446
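Added example, not code from this thread or from the Graylog CloudTrail plugin: a small Python extractor that flattens the responseElements and additionalEventData sections into searchable message fields and then answers the two use cases above (ConsoleLogin outcome, and instance-id plus private IP from a RunInstances response). The sample records, the "Failure" login and the function names are my own constructions.

```python
import json

# Constructed sample CloudTrail records (no real account data); only the
# fields needed for the two use cases are included.
SAMPLE_RECORDS = json.loads(r'''
[
 {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
 {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"}},
 {"eventName": "RunInstances", "userIdentity": {"userName": "alice"},
  "requestParameters": {"instanceType": "r3.large"},
  "responseElements": {"reservationId": "r-0000000000000000a",
   "instancesSet": {"items": [
     {"instanceId": "i-0000000000000000a", "privateIpAddress": "10.0.1.10"},
     {"instanceId": "i-0000000000000000b", "privateIpAddress": "10.0.1.11"}]}}}
]''')

def flatten(obj, prefix="", out=None):
    """Turn nested dicts/lists into dotted keys, the way a log field
    extractor would expose responseElements as individual message fields."""
    out = {} if out is None else out
    if isinstance(obj, dict):
        for k, v in obj.items():
            flatten(v, f"{prefix}{k}.", out)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            flatten(v, f"{prefix}{i}.", out)
    else:
        out[prefix.rstrip(".")] = obj
    return out

def to_message_fields(record):
    """Flat field set for one record, including the sections the plugin drops."""
    fields = {"event_name": record.get("eventName"),
              "user_name": record.get("userIdentity", {}).get("userName")}
    for section in ("requestParameters", "responseElements", "additionalEventData"):
        fields.update(flatten(record.get(section, {}), section + "."))
    return fields

def console_login_outcome(fields):
    """Use case 1: 'Success' or 'Failure' for a ConsoleLogin event, else None."""
    if fields.get("event_name") != "ConsoleLogin":
        return None
    return fields.get("responseElements.ConsoleLogin")

def failed_console_logins(records):
    """Usernames whose console login failed (the search the thread asks for)."""
    return [f["user_name"] for f in map(to_message_fields, records)
            if console_login_outcome(f) == "Failure"]

def launched_instances(record):
    """Use case 2: (instanceId, privateIpAddress) pairs from a RunInstances response."""
    if record.get("eventName") != "RunInstances":
        return []
    items = record.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [(i.get("instanceId"), i.get("privateIpAddress")) for i in items]
```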