- Tested versions: 3.1.3
- Developed by Elastic
- Supported Guardium versions:
  - Guardium Data Protection: 11.4 and above
  - Guardium Insights: 3.2
This is a Logstash input plug-in for the universal connector that is featured in IBM Security Guardium. It pulls events from an Amazon Web Services Simple Queue Service (SQS) queue. The events are then sent to the corresponding filter plug-in, which transforms these audit logs into a Guardium record instance (a standard structure made up of several parts). The information is then sent to Guardium. Guardium records include the accessor (the person who tried to access the data), the session, data, and exceptions. If there are no errors, the data contains details about the query "construct". The construct details the main action (verb) and collections (objects) involved.

SQS is a simple, scalable queue system that is part of the Amazon Web Services suite of tools.

Note: If the machine on which Guardium Data Protection is installed displays an incorrect time, update the time according to your location and restart the UC by disabling and then enabling it.
Procedure
- Go to https://console.aws.amazon.com/.
- Click Services.
- Search for SQS and click Simple Queue Service.
- Click Create Queue.
- Select the type as Standard.
- Enter the name for the queue.
- Keep the rest of the default settings.
- Have an AWS account.
- Set up an SQS queue as mentioned previously.
- Create an identity that has access to consume messages from the queue.
- The "consumer" identity must have the following permissions on the queue:
  - sqs:ChangeMessageVisibility
  - sqs:ChangeMessageVisibilityBatch
  - sqs:DeleteMessage
  - sqs:DeleteMessageBatch
  - sqs:GetQueueAttributes
  - sqs:GetQueueUrl
  - sqs:ListQueues
  - sqs:ReceiveMessage
- Create a user and apply the following IAM policy to the user.
```json
{
  "Statement": [
    {
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:ChangeMessageVisibilityBatch",
        "sqs:DeleteMessage",
        "sqs:DeleteMessageBatch",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues",
        "sqs:ReceiveMessage"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:sqs:us-east-1:123456789012:Logstash"
      ]
    }
  ]
}
```
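The following added example (not part of the plug-in or of this page) checks a consumer policy against the required action list above, reporting required actions that are missing, granted actions beyond that set, and scoping problems such as wildcards or a resource that is not the intended queue. The policy and queue ARN it checks are the page's sample values, embedded inline so it runs offline.

```python
import fnmatch
import json

# Actions the page lists as required for the "consumer" identity.
REQUIRED_ACTIONS = {
    "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch",
    "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes",
    "sqs:GetQueueUrl", "sqs:ListQueues", "sqs:ReceiveMessage",
}

# The page's sample queue ARN and policy, embedded here as the input to check.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:Logstash"
SAMPLE_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch",
               "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes",
               "sqs:GetQueueUrl", "sqs:ListQueues", "sqs:ReceiveMessage"],
    "Effect": "Allow",
    "Resource": ["arn:aws:sqs:us-east-1:123456789012:Logstash"]
  }]
}""")

def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_policy(policy, queue_arn):
    """Return {"missing": required actions not granted, "extra": granted actions
    beyond the required set, "findings": wildcards or resources other than queue_arn}."""
    granted, findings = set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never add permissions
        for pattern in _as_list(stmt.get("Action", [])):
            # Expand patterns such as "sqs:*" against the known required set.
            matched = {a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern)}
            granted |= matched or {pattern}
            if "*" in pattern:
                findings.append(f"wildcard action {pattern!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource.endswith("*"):
                findings.append(f"wildcard resource {resource!r}")
            elif resource != queue_arn:
                findings.append(f"resource {resource!r} is not the target queue")
    return {"missing": sorted(REQUIRED_ACTIONS - granted),
            "extra": sorted(granted - REQUIRED_ACTIONS), "findings": findings}

if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY, QUEUE_ARN))  # all three lists are empty
```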
Parameter | Input Type | Required | Default |
---|---|---|---|
access_key_id | String | No | |
secret_access_key | String | No | |
polling_frequency | Number | No | 20 |
queue | String | Yes | |
region | String | No | |
role_arn | String | No | |
The access_key_id setting sets the access key ID for the user that has access to SQS. This plug-in uses the AWS SDK and supports several ways to obtain credentials, which are tried in this order:
1. Static configuration, using the access_key_id and secret_access_key parameters in the Logstash plug-in configuration.
2. An external credentials file specified by aws_credentials_file.
3. The environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
4. The environment variables AMAZON_ACCESS_KEY_ID and AMAZON_SECRET_ACCESS_KEY.
5. IAM instance profile (available when running inside EC2).
The secret_access_key setting defines the AWS secret access key.

The polling_frequency setting defines how often the queue is polled.

The queue setting specifies the name of the SQS queue to pull messages from. Note that this is just the name of the queue, not the URL or ARN.

The region setting defines the region where the SQS queue is located.

The role_arn setting specifies which AWS IAM role to assume, if any. It is used to generate temporary credentials, typically for cross-account access. To understand more about the settings that apply when using this parameter, click here.
Other standard Logstash parameters are available, such as:
- add_field
- type
- tags
```conf
input {
  sqs {
    access_key_id => "<access key id>"
    secret_access_key => "<access secret key>"
    queue => "<queue name>"
    region => "<region where SQS is created>"
  }
}
```
- Log in to the Guardium collector's API.
- Issue these commands:
  - grdapi add_domain_to_universal_connector_allowed_domains domain=amazonaws.com
  - grdapi add_domain_to_universal_connector_allowed_domains domain=amazon.com