I echo his comments below; it's pretty much the exact same use case I have.
On Monday, July 27, 2015 at 5:45:43 AM UTC-4, Fabio Douek wrote:
>
> Hi Jochen,
>
> Thanks for the feedback. Sure, I can give a few use cases. I think most of
> them are related to the plugin not consuming responseParameters and
> responseElements.
>
> 1) Identify if an AWS Console authentication was successful or not.
> Current situation: At the moment, I can see in Graylog: ConsoleLogin
> event, timestamp, username. However, I don't know if the authentication was
> successful or not.
>
> What we would additionally need: responseParameters element, specifically:
> ConsoleLogin param.
> e.g:
>
> "responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"LoginTo":"https://us-west-2.console.aws.amazon.com/console/home?region\u003dus-west-2\u0026state\u003dhashArgs%23\u0026isauthcode\u003dtrue","MobileVersion":"No","MFAUsed":"Yes"}
>
> 2) Launching an instance - RunInstances event
> Current situation: At the moment, I can see in Graylog all the
> requestParameters, which is great. However, I also want to capture the
> created instance-id (so I can correlate further events with that instance),
> and also the PrivateIPAddress. These details are under the responseElements.
>
> e.g: (Just the beginning of the snippet)
>
> "responseElements": {
>     "reservationId": "r-xxxxxxxx",
>     "ownerId": "XXXXXXXX",
>     "groupSet": {},
>     "instancesSet": {
>         "items": [
>             {
>                 "instanceId": "i-xxxxxxxx",
>                 "imageId": "ami-xxxxxxxx",
>                 "instanceState": {
>                     "code": 0,
>                     "name": "pending"
>                 },
>                 "privateDnsName": "ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal",
>                 "keyName": "XXXXX",
>                 "amiLaunchIndex": 0,
>                 "productCodes": {},
>                 "instanceType": "r3.large",
>                 "launchTime": 1437984427000,
>                 "placement": {
>                     "availabilityZone": "us-west-2b",
>                     "tenancy": "default"
>                 },
>                 "monitoring": {
>                     "state": "disabled"
>                 },
>                 "subnetId": "subnet-xxxxxxxx",
>                 "vpcId": "vpc-xxxxxxxx",
>                 "privateIpAddress": "xxx.xxx.xxx.xx",
>
>
>
>
> On Mon, Jul 27, 2015 at 6:17 PM, Jochen Schalanda <[email protected]> wrote:
>
>> Hi,
>>
>> the AWS input plugin was more of a proof of concept in the first
>> implementation.
>>
>> Could you, Preston and Fabio, please elaborate on some of your use cases
>> with the plugin and which functionality is specifically missing?
>>
>>
>> Cheers,
>> Jochen
>>
>> On Sunday, 26 July 2015 13:08:21 UTC+2, Fabio Douek wrote:
>>>
>>> Hi Preston,
>>>
>>> I didn't get any update on this. I agree, at the moment the plugin is
>>> useless without capturing responseElements.
>>> I was planning to adopt the usage of Graylog, mostly because of the
>>> CloudTrail plugin.
>>> Looking to move to another option, as the plugin is not mature enough,
>>> which is a shame because the Graylog team did a great job, and it would
>>> probably take very little to extend the plugin to capture all the
>>> CloudTrail details.
>>>
>>> Regards,
>>> Fabio.
>>>
>>> On Friday, July 24, 2015 at 5:33:30 PM UTC+10, Preston Rodriguez wrote:
>>>>
>>>> No update on this? The plugin is pretty useless without this data.
>>>>
>>>> On Tuesday, March 3, 2015 at 12:10:17 PM UTC-5, Fabio Douek wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm evaluating the CloudTrail plugin for graylog2. Everything is working
>>>>> fine, but it seems that it is not importing the responseElements CloudTrail
>>>>> object. Is this the case?
>>>>>
>>>>> How can I add this to the import? That's essential for an auditing
>>>>> solution, as at the moment, if I filter by event_name=ConsoleLogin for
>>>>> example, I can't track failed authentication. The same thing for most of
>>>>> the events.
>>>>>
>>>>> Prob the requestElements could also be handy in some cases...
>>>>>
>
>
> --
>
> Fabio Douek
>
> Product Architect
>
> FusionCloud
>
> Rubicon Red
>
>
>
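As an added example (not code from this thread or from the Graylog CloudTrail plugin), the Python below shows what consuming responseElements and additionalEventData would give for the two use cases Fabio lists: the ConsoleLogin outcome and MFAUsed for auditing failed console logins, and the instanceId/privateIpAddress from RunInstances for correlating later events. The records are constructed samples whose field layout follows the fragments quoted above (the "Failure" value and "Failed authentication" errorMessage for a failed login are what CloudTrail emits for that case); the flattened field names (response_elements.*, additional_event_data.*, login_result, mfa_used, instance_ids) and the helper functions are my own choice, not the plugin's. The first record keeps the raw `\u003d` escape seen in the quoted LoginTo value to show that a JSON parser decodes it to `=` before indexing.

```python
import json

# Constructed CloudTrail-style records; account ids, users, IPs and instance ids
# are placeholders, not real data. Layout follows the fragments quoted in the thread.
SAMPLE_CLOUDTRAIL_JSON = r'''
{"Records": [
 {"eventName": "ConsoleLogin", "eventTime": "2015-07-27T09:45:43Z",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "sourceIPAddress": "203.0.113.10",
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"LoginTo": "https://us-west-2.console.aws.amazon.com/console/home?region\u003dus-west-2",
                          "MobileVersion": "No", "MFAUsed": "Yes"}},
 {"eventName": "ConsoleLogin", "eventTime": "2015-07-27T09:46:10Z",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "sourceIPAddress": "198.51.100.7",
  "errorMessage": "Failed authentication",
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"}},
 {"eventName": "RunInstances", "eventTime": "2015-07-27T09:50:00Z",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "sourceIPAddress": "203.0.113.10",
  "requestParameters": {"instanceType": "r3.large"},
  "responseElements": {"reservationId": "r-0example1",
    "instancesSet": {"items": [
      {"instanceId": "i-0example1", "privateIpAddress": "10.0.1.15",
       "instanceState": {"code": 0, "name": "pending"}},
      {"instanceId": "i-0example2", "privateIpAddress": "10.0.1.16",
       "instanceState": {"code": 0, "name": "pending"}}]}}}
]}
'''


def parse_records(text):
    """Decode a CloudTrail log file body; json.loads turns \\u003d escapes into '='."""
    return json.loads(text)["Records"]


def flatten(value, prefix="", out=None):
    """Flatten nested dicts/lists into dotted keys, e.g. instancesSet.items.0.instanceId,
    so every responseElements leaf becomes a searchable field."""
    if out is None:
        out = {}
    if isinstance(value, dict):
        for key, child in value.items():
            flatten(child, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            flatten(child, f"{prefix}.{index}", out)
    else:
        out[prefix] = value
    return out


def enrich(record):
    """Build the flat field set a log pipeline would index for one CloudTrail record,
    including the responseElements/additionalEventData the thread asks for."""
    fields = {
        "event_name": record.get("eventName"),
        "event_time": record.get("eventTime"),
        "user_name": (record.get("userIdentity") or {}).get("userName"),
        "source_ip": record.get("sourceIPAddress"),
        "error_message": record.get("errorMessage"),
    }
    # responseElements is null for some events, hence the "or {}".
    fields.update(flatten(record.get("responseElements") or {}, "response_elements"))
    fields.update(flatten(record.get("additionalEventData") or {}, "additional_event_data"))

    if fields["event_name"] == "ConsoleLogin":
        # Use case 1: outcome and MFA usage of a console authentication.
        fields["login_result"] = fields.get("response_elements.ConsoleLogin", "Unknown")
        fields["mfa_used"] = fields.get("additional_event_data.MFAUsed", "Unknown")

    # Use case 2: every instanceId created by a RunInstances call, for later correlation.
    instance_ids = [v for k, v in fields.items()
                    if k.startswith("response_elements.instancesSet.items.")
                    and k.endswith(".instanceId")]
    if instance_ids:
        fields["instance_ids"] = instance_ids
    return fields


def failed_console_logins(records):
    """Return (user, source_ip) for every ConsoleLogin that did not succeed."""
    hits = []
    for record in records:
        fields = enrich(record)
        if fields["event_name"] == "ConsoleLogin" and fields.get("login_result") != "Success":
            hits.append((fields["user_name"], fields["source_ip"]))
    return hits


if __name__ == "__main__":
    records = parse_records(SAMPLE_CLOUDTRAIL_JSON)
    for record in records:
        print(json.dumps(enrich(record), indent=2, sort_keys=True))
    print("failed console logins:", failed_console_logins(records))
```

Once the flattened keys exist, the query Fabio describes becomes event_name:ConsoleLogin AND login_result:Failure, and an instance id seen in a later event can be joined back to the RunInstances record through instance_ids.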