Configure AWS Managed Microsoft Active Directory service to forward specific logs to Cloudwatch

0

Hello,

I have configured AWS Managed Microsoft AD to forward logs to CloudWatch, and I am monitoring these logs using a SIEM platform. However, the SIEM platform is only able to pull certain logs from CloudWatch, and it stops pulling logs when the CloudWatch log size increases to a certain size.

I want to know if there is a way to specify the type of logs that are being sent from AWS Managed Microsoft AD to CloudWatch. I don't want AWS Managed Microsoft AD to send all logs to CloudWatch.

Kindly assist.

1 answer
2

There is no way to select particular log types in AWS Managed AD. Once logging is enabled, you get the "SecurityEvents" logs, which are separated for every AD node.

One option to reduce log size in CloudWatch is configuring CloudWatch log group retention. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html

Log retention – By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention or choosing a retention period between 10 years and one day.

Another option is configuring a Subscription Filter for the CloudWatch log group and filtering logs using Lambda. Choose only what you need, store it in S3, and use this S3 as a target for your SIEM system. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

Expert
Answered 3 months ago
Expert
Artem
Reviewed 1 month ago
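The subscription-filter route in the answer above, as an added example that is not code from the original post or from AWS: a Lambda handler that receives the CloudWatch Logs subscription payload, keeps only selected Windows Security event IDs, and writes them as newline-delimited JSON to S3 for the SIEM to collect. The payload envelope (`awslogs.data`, base64 + gzip, `DATA_MESSAGE` vs `CONTROL_MESSAGE`) is the real CloudWatch Logs format; everything else is an assumption to adjust: the `KEEP_EVENT_IDS` set, the `Event ID: NNNN` text pattern used to pull the ID out of each message, the bucket name, the S3 key layout, and the sample log group name. The sample payload is constructed inline so the block runs offline.

```python
"""Lambda target for a CloudWatch Logs subscription filter on an AWS Managed
Microsoft AD "SecurityEvents" log group: keep selected event IDs, ship to S3.
(Added example, not code from the original post or from AWS.)"""
import base64
import gzip
import json
import os
import re
from datetime import datetime, timezone

# Assumption: Windows Security event IDs worth forwarding; tune to your detections.
KEEP_EVENT_IDS = {
    4624,  # successful logon
    4625,  # failed logon
    4720,  # user account created
    4728,  # member added to a security-enabled global group
    4732,  # member added to a security-enabled local group
    4740,  # account locked out
    4768,  # Kerberos TGT requested
    4769,  # Kerberos service ticket requested
    4776,  # NTLM credential validation
}

# Assumption: the event text carries its ID as "Event ID: 4624" (or "EventID=4624").
# Check a real message from your log group and adjust the pattern if it differs.
EVENT_ID_RE = re.compile(r"\bEvent\s?ID\s*[:=]\s*(\d{4,5})\b", re.IGNORECASE)

# Assumption: bucket the SIEM polls; set SIEM_BUCKET in the Lambda environment.
SIEM_BUCKET = os.environ.get("SIEM_BUCKET", "siem-landing-bucket")


def decode_subscription_payload(event: dict) -> dict:
    """CloudWatch Logs delivers {"awslogs": {"data": <base64 of gzip JSON>}}."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def extract_event_id(message: str):
    """Return the Windows event ID found in a message, or None."""
    m = EVENT_ID_RE.search(message)
    return int(m.group(1)) if m else None


def select_events(payload: dict, keep=KEEP_EVENT_IDS) -> list:
    """Keep only log events whose event ID is in `keep`; one record per event."""
    selected = []
    for ev in payload.get("logEvents", []):
        eid = extract_event_id(ev.get("message", ""))
        if eid in keep:
            selected.append({
                "timestamp": ev["timestamp"],          # epoch milliseconds
                "event_id": eid,
                "log_group": payload.get("logGroup"),
                "log_stream": payload.get("logStream"),  # one stream per AD node
                "message": ev["message"],
            })
    return selected


def build_key(payload: dict, first_ts_ms: int) -> str:
    """Assumed S3 layout: managed-ad/<stream>/YYYY/MM/DD/<first-ts>.jsonl."""
    dt = datetime.fromtimestamp(first_ts_ms / 1000, tz=timezone.utc)
    return f"managed-ad/{payload.get('logStream')}/{dt:%Y/%m/%d}/{first_ts_ms}.jsonl"


def lambda_handler(event: dict, context=None, put_object=None) -> dict:
    """Entry point. `put_object(bucket, key, body_bytes)` defaults to S3 via boto3;
    it is injectable so the filtering logic can be exercised without AWS."""
    payload = decode_subscription_payload(event)
    # CloudWatch sends a CONTROL_MESSAGE when the subscription is created; skip it.
    if payload.get("messageType") != "DATA_MESSAGE":
        return {"written": 0, "key": None}
    selected = select_events(payload)
    if not selected:
        return {"written": 0, "key": None}
    body = ("\n".join(json.dumps(rec) for rec in selected) + "\n").encode("utf-8")
    key = build_key(payload, selected[0]["timestamp"])
    if put_object is None:
        import boto3  # present in the Lambda runtime; imported lazily for offline runs
        s3 = boto3.client("s3")
        put_object = lambda bucket, k, b: s3.put_object(Bucket=bucket, Key=k, Body=b)
    put_object(SIEM_BUCKET, key, body)
    return {"written": len(selected), "key": key}


def build_sample_event(message_type: str = "DATA_MESSAGE") -> dict:
    """Constructed sample of what CloudWatch Logs hands to the Lambda (not real data)."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",
        "logGroup": "/aws/directoryservice/d-1234567890-SecurityEvents",  # hypothetical name
        "logStream": "EC2AMAZ-ABCDEFG",
        "subscriptionFilters": ["siem-filter"],
        "logEvents": [
            {"id": "1", "timestamp": 1700000000000,
             "message": "Event ID: 4624 An account was successfully logged on. Account Name: alice"},
            {"id": "2", "timestamp": 1700000001000,
             "message": "Event ID: 4662 An operation was performed on an object."},
            {"id": "3", "timestamp": 1700000002000,
             "message": "Event ID: 4720 A user account was created. Account Name: svc-backup"},
        ],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode("utf-8"))).decode("ascii")
    return {"awslogs": {"data": data}}


if __name__ == "__main__":
    written = {}
    result = lambda_handler(build_sample_event(),
                            put_object=lambda b, k, body: written.update({k: body}))
    print(result)
    print(next(iter(written.values())).decode())
```

The Lambda is only the second stage of the filtering: the subscription filter itself takes a filter pattern, so terms such as `?4624 ?4625 ?4720` on the subscription discard everything else before the function is invoked and keep the per-invocation payload small. The S3 prefix per log stream preserves the per-node separation the answer mentions, so the SIEM can still tell which domain controller produced an event.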
