Multiple Cloudtrail logs into centralized Cloudwatch log account

0

How do I go about getting multiple CloudTrail trails into a single logging account in CloudWatch? I was thinking maybe Kinesis with a CW subscription filter? Or is there another way?

5 Answers
0

While there are many ways to achieve this, one approach is well documented here - https://aws.amazon.com/solutions/implementations/centralized-logging/.

answered a year ago
AWS EXPERT kentrad, reviewed a year ago
0

Are you interested in combining multiple CloudTrail trails with CloudWatch logs in a single logging account? If yes, then the above post is a solution. Otherwise, if you just want to consolidate all your CloudTrail trails in a single location (single account), then I'd recommend looking at CloudTrail Lake, a managed data lake that lets organizations aggregate, immutably store, and query events recorded by CloudTrail. It does not require you to create any other CloudTrail trails or S3 buckets, use Athena to log and query events, or create data pipelines to move your CloudTrail events to a central location.

The key component of a CloudTrail Lake is an event data store. Once set up, you may immediately query CloudTrail events in the event data store (or multiple event data stores) using SQL-based queries with the built-in Query editor. Also, as with CloudTrail trails, you may choose to log management and/or data events in an event data store with further selection of sources for data events (so that you may log only desired data and optimize costs). You may also copy existing CloudTrail trails into an event data store.

With CloudTrail Lake and AWS Organizations, you may enable CloudTrail event logging across all member accounts in one or more regions to a single account (management account or delegated account like a Security account).

AWS gsatur, answered a year ago
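The CloudTrail Lake route described in the answer above, written out as an added CloudFormation example (not from this thread or from AWS): one organization-wide event data store owned by the delegated logging account, scoped to management events so ingestion stays predictable, plus a sample Lake query in a comment. The store name, retention period, output name and query contents are assumptions; `<eds-id>` is a placeholder for the event data store ID.

```yaml
# Added example (not from this thread): an organization-wide CloudTrail Lake event
# data store in the delegated logging account. Name, retention and the query in the
# trailing comment are assumptions / placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Description: Organization event data store for CloudTrail Lake
Resources:
  OrgEventDataStore:
    Type: AWS::CloudTrail::EventDataStore
    Properties:
      Name: org-cloudtrail-lake
      OrganizationEnabled: true          # collect events from every member account
      MultiRegionEnabled: true           # all regions land in this one store
      RetentionPeriod: 365               # days; align with your retention policy
      TerminationProtectionEnabled: true # guards the store against accidental deletion
      AdvancedEventSelectors:
        # Management events only. Add further selectors per resource type if you
        # also want data events, so that only the desired sources are ingested.
        - Name: ManagementEventsOnly
          FieldSelectors:
            - Field: eventCategory
              Equals:
                - Management
Outputs:
  EventDataStoreArn:
    Value: !GetAtt OrgEventDataStore.EventDataStoreArn

# Sample query for the Lake query editor (replace <eds-id> with the store's ID).
# It lists events that disable or reconfigure logging across all member accounts,
# which is a typical first check once the store is populated:
#   SELECT eventTime, recipientAccountId, userIdentity.arn, eventName, sourceIPAddress
#   FROM <eds-id>
#   WHERE eventName IN ('StopLogging', 'DeleteTrail', 'PutEventSelectors')
#     AND eventTime > '2024-01-01 00:00:00'
#   ORDER BY eventTime DESC
```

The template has to be deployed in the management account or in an account registered as CloudTrail delegated administrator, otherwise `OrganizationEnabled: true` is rejected; the query comment is there to show the shape of a Lake query, it is not part of the stack.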
0

Yes, it would be all the CloudTrail trails from sub-accounts into one account's CloudWatch. So looking at the link, it looks like the subscription filter would be the way to go?

The environment is for a landing zone accelerator deployment.

answered a year ago
0

If the sub-accounts are under the same org, I could configure an org CloudTrail, but then would I be able to send all those logs into CloudWatch in another account?

answered a year ago
0

Delegated administration of CloudTrail to the destination member account in the AWS Organization should help. Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-delegated-administrator.html

AWS gsatur, answered a year ago
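The subscription-filter route that the asker and the first answer converge on, as an added CloudFormation example (not from this thread, nor from the AWS Centralized Logging solution or Landing Zone Accelerator): the first template goes in the central logging account and creates a Kinesis stream, the role CloudWatch Logs assumes to write into it, and a Logs destination whose policy only lets principals from your organization subscribe; the second template is deployed in each member account (StackSets fit well) and subscribes that account's CloudTrail log group to the destination. Resource names, the organization ID and the log group name are placeholders.

```yaml
# Added example (not from this thread): CloudFormation for the subscription-filter
# route. Template 1 = central logging account; template 2 = each member account.
# Names, the organization ID and the log group name are placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Description: Central logging account - Kinesis stream plus a CloudWatch Logs destination
Parameters:
  OrganizationId:
    Type: String
    Default: o-examplexyz          # placeholder: your AWS Organizations ID
Resources:
  CloudTrailStream:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: central-cloudtrail-stream
      ShardCount: 1                 # size for the aggregate event rate of all accounts
      StreamEncryption:
        EncryptionType: KMS
        KeyId: alias/aws/kinesis
  LogsToKinesisRole:
    Type: AWS::IAM::Role
    Properties:
      # CloudWatch Logs assumes this role to put forwarded records into the stream
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: logs.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: put-records
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: kinesis:PutRecord
                Resource: !GetAtt CloudTrailStream.Arn
  CloudTrailDestination:
    Type: AWS::Logs::Destination
    Properties:
      DestinationName: central-cloudtrail-destination
      RoleArn: !GetAtt LogsToKinesisRole.Arn
      TargetArn: !GetAtt CloudTrailStream.Arn
      # Restrict who may subscribe to accounts inside the organization; a bare
      # "*" principal without the condition would let any AWS account push logs.
      DestinationPolicy: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:destination:central-cloudtrail-destination",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "${OrganizationId}"}}
          }]
        }
Outputs:
  DestinationArn:
    Value: !GetAtt CloudTrailDestination.Arn   # pass this to the member template
---
# Template 2: member account. Subscribes the trail's log group to the destination.
AWSTemplateFormatVersion: '2010-09-09'
Description: Member account - forward the CloudTrail log group to the logging account
Parameters:
  CloudTrailLogGroupName:
    Type: String
    Default: CloudTrail/DefaultLogGroup   # placeholder: the log group the trail writes to
  CentralDestinationArn:
    Type: String                          # DestinationArn output of template 1
Resources:
  CloudTrailSubscription:
    Type: AWS::Logs::SubscriptionFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: ""                   # empty pattern forwards every event
      DestinationArn: !Ref CentralDestinationArn
      # No RoleArn here: for a cross-account destination the destination's own
      # role (LogsToKinesisRole above) is what writes into Kinesis.
```

Two practical checks before relying on this: each member trail must already deliver to a CloudWatch log group in its own account, since the subscription filter reads from that group and not from CloudTrail directly, and a log group only accepts a small number of subscription filters, so if another consumer already subscribes to the CloudTrail group the forwarding has to be chained behind it rather than added alongside. Whatever consumes the Kinesis stream in the logging account (a Lambda, Firehose, or the solution's OpenSearch pipeline) is outside this example.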
