Logging Managed AD User Changes

0

I have just started setting up Client VPN using the managed Microsoft Active Directory so that I can enforce password policies. The system works great - it's behaving as I need it to. The step I'm stuck on is sending AD logs to CloudWatch.

I have the logs set up and CloudWatch has received the test event. However, when I create/modify/delete a user in AD, no logs are getting sent. The docs seem to imply that there is no additional configuration beyond turning on the log forwarding, and I am guessing that the "Audit User Account Management" events are what I'm wanting to be logged. Am I doing something wrong?

jonb
asked a year ago, 335 views
1 Answer
0

Once you enable log forwarding, you can use the CloudWatch Logs console to retrieve the data from the log group you specified when you enabled the service. Please note that this log group contains the security logs from your domain controllers. "Account Management" holds the "Audit User Account Management" events, and if you add, delete or modify a user, the audit events will be logged under the Security events of that specific domain controller and then forwarded to CloudWatch under the respective log group > log stream.

Just to add here: when you specify the log group while enabling log forwarding, the log group will be created in CloudWatch if it does not already exist, and under it you will find a test log stream named "directory-service-test-log-stream" along with the other log streams from the domain controllers in that directory, with names like "IP-Of_DC-SecurityEvents". If you add or modify a user, the security events will be logged in that domain controller's Security event log and then forwarded to the respective domain controller's log stream, which you can find under Log streams (IP-Of_DC-SecurityEvents).

AWS
answered a year ago
  • Thanks for the comment. This is what I was expecting. I see "directory-service-test-log-stream" with a single entry "Test from AWS Directory Service" but that's the only log stream that was added even after doing some user management. It's like it got set up but somehow the directory service is not actually sending anything.

  • The test log entry proves that you set up the CloudWatch resource policy correctly. So this sounds like something is broken on our side. The best solution would be to open a support case so that we can investigate that for you. Alternatively, if you can share your directory ID (d-xxxxxxxxx) here, I can take a look when time permits.
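The diagnosis the answer and comments arrive at can be scripted. The block below is an added example, not code from the thread or from AWS: it builds the CloudWatch Logs resource policy that lets Directory Service write into the group, sorts a `describe-log-streams` listing into the test stream and the per-DC `<IP>-SecurityEvents` streams the answer describes, returns the same verdict the thread reaches (test stream only means the policy is fine but no DC events are arriving), and picks the "Audit User Account Management" events out of forwarded messages by their standard Windows event IDs (4720, 4726, 4738 and so on). The stream names, log group ARN and message texts are constructed samples; real forwarded events carry more fields, so only the event ID token is relied on.

```python
"""Diagnose AWS Managed Microsoft AD -> CloudWatch Logs forwarding (added example)."""
import json
import re

TEST_STREAM = "directory-service-test-log-stream"
# Per-domain-controller stream naming from the answer: "<DC IP>-SecurityEvents".
DC_STREAM_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-SecurityEvents$")

# Windows Security event IDs in the "Audit User Account Management" subcategory.
# These are standard Windows IDs, not something taken from the thread.
USER_MGMT_EVENT_IDS = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4725: "user account disabled",
    4726: "user account deleted",
    4738: "user account changed",
    4740: "user account locked out",
}

# Constructed samples: what the asker saw (test stream only) vs a healthy directory.
STREAMS_STUCK = ["directory-service-test-log-stream"]
STREAMS_HEALTHY = [
    "directory-service-test-log-stream",
    "10.0.2.41-SecurityEvents",
    "10.0.1.23-SecurityEvents",
]

# Constructed messages in the shape of Windows Security event text.
SAMPLE_MESSAGES = [
    "4720 A user account was created. Target Account Name: svc-vpn",
    "4624 An account was successfully logged on.",
    "4738 A user account was changed. Target Account Name: jonb",
    "4726 A user account was deleted. Target Account Name: temp01",
]


def resource_policy(log_group_arn):
    """CloudWatch Logs resource policy granting Directory Service write access to the
    group. This is the grant the console applies when log forwarding is enabled; the
    ARN is a placeholder to be replaced with your own group's ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ds.amazonaws.com"},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": log_group_arn,
        }],
    }


def classify_streams(stream_names):
    """Split a stream listing into the test stream flag and sorted DC IPs."""
    dcs = [m.group(1) for n in stream_names if (m := DC_STREAM_RE.match(n))]
    dcs.sort(key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return {"test_stream": TEST_STREAM in stream_names, "domain_controllers": dcs}


def diagnose(stream_names):
    """Return the verdict the thread reaches for a given stream listing."""
    s = classify_streams(stream_names)
    if not s["test_stream"]:
        return "no test stream: the log group resource policy or log subscription is missing"
    if not s["domain_controllers"]:
        return "test stream only: policy is fine, but no DC security events are arriving (open a support case)"
    return f"forwarding OK from {len(s['domain_controllers'])} domain controller(s)"


def user_mgmt_events(messages):
    """Return (event_id, description) for each message carrying a user-account-
    management event ID. Only the ID token is matched, so extra fields are harmless."""
    hits = []
    for msg in messages:
        for tok in re.findall(r"\b(4\d{3})\b", msg):
            eid = int(tok)
            if eid in USER_MGMT_EVENT_IDS:
                hits.append((eid, USER_MGMT_EVENT_IDS[eid]))
                break
    return hits


if __name__ == "__main__":
    arn = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/directoryservice/d-xxxxxxxxxx:*"
    print(json.dumps(resource_policy(arn), indent=2))
    print(diagnose(STREAMS_STUCK))
    print(diagnose(STREAMS_HEALTHY))
    for eid, desc in user_mgmt_events(SAMPLE_MESSAGES):
        print(eid, desc)
```

To feed it real data, write the policy with `aws logs put-resource-policy --policy-name <name> --policy-document file://policy.json`, enable forwarding with `aws ds create-log-subscription --directory-id d-xxxxxxxxxx --log-group-name <group>`, and pass the output of `aws logs describe-log-streams --log-group-name <group> --query 'logStreams[].logStreamName'` to `diagnose`. If the only stream is the test stream after creating a user, the policy is not the problem, which is exactly the point at which the AWS reply says to open a support case.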
