aws-samples / siem-on-amazon-opensearch-service

A solution for collecting, correlating and visualizing multiple types of logs to help investigate security incidents.
MIT No Attribution

Update FAQ to include: How can I configure the OpenSearch SIEM solution to ingest logs from a custom S3 bucket? #434

Closed sunilabi-asea2 closed 6 months ago

sunilabi-asea2 commented 7 months ago

created by @sunilabi 2/20/2024

Issue: How can I configure the OpenSearch SIEM solution to ingest logs from a custom S3 bucket?

The OpenSearch SIEM solution is designed to ingest logs from the default S3 bucket locations. However, it is possible to configure it to ingest from other custom S3 buckets as well.

  1. Identify the Lambda function responsible for loading logs from S3 to Elasticsearch. This is usually called aes-siem-es-loader.
  2. Update the S3 bucket policy to allow the Lambda execution role to access the custom bucket(s).
  3. Configure S3 Event Notifications on the custom bucket(s) to trigger the Lambda function on new log files.
  4. Deploy the Lambda code changes. New logs in the custom buckets should now be ingested into OpenSearch.
  5. Verify in the OpenSearch management console or Kibana that the custom logs are being indexed as expected.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
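The steps proposed above (bucket policy for the loader's execution role, S3 event notification to the loader) as one worked example. This is added example code, not code from the siem-on-amazon-opensearch-service project or from the issue author. It builds the three documents the wiring needs and, if boto3 is installed and credentials are present, applies them. The function name aes-siem-es-loader comes from the issue; the account ID, region, role ARN, bucket and prefix are placeholders. Two points the numbered list does not spell out: S3 can only invoke the function once the function carries a resource-based permission for s3.amazonaws.com (AddPermission), and for a bucket in another account the execution role's own identity policy must also allow s3:GetObject, since a bucket policy alone does not grant a cross-account principal access.

```python
"""Wire a custom S3 bucket into the SIEM es-loader Lambda.

Added example (not project code). Assumptions: the loader is named
aes-siem-es-loader as stated in the issue; account ID, region, role ARN,
bucket name and prefix below are placeholders to be replaced.
"""
import json
import re
from typing import Any, Dict


def bucket_policy(bucket: str, role_arn: str) -> Dict[str, Any]:
    """Bucket policy granting the es-loader execution role read access.

    GetObject applies to objects (bucket/*); ListBucket applies to the bucket
    ARN itself. The two actions take different resource ARNs, and getting
    them crossed is the usual reason such a policy fails silently.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSiemLoaderGetObject",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "AllowSiemLoaderListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


def notification_config(function_arn: str, prefix: str = "") -> Dict[str, Any]:
    """S3 notification that invokes the loader for every newly created object,
    optionally restricted to one key prefix so unrelated objects are ignored."""
    cfg: Dict[str, Any] = {
        "Id": "siem-es-loader",
        "LambdaFunctionArn": function_arn,
        "Events": ["s3:ObjectCreated:*"],
    }
    if prefix:
        cfg["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    return {"LambdaFunctionConfigurations": [cfg]}


def invoke_permission(function_name: str, bucket: str, account_id: str) -> Dict[str, str]:
    """Arguments for lambda:AddPermission so that S3 may invoke the function.

    SourceArn pins the grant to this bucket and SourceAccount to this account,
    which closes the confused-deputy case where a bucket of the same name in
    another account could otherwise drive the loader.
    """
    # StatementId only allows [A-Za-z0-9_-]; bucket names may contain dots.
    sid = "s3-invoke-" + re.sub(r"[^A-Za-z0-9_-]", "-", bucket)
    return {
        "FunctionName": function_name,
        "StatementId": sid,
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceArn": f"arn:aws:s3:::{bucket}",
        "SourceAccount": account_id,
    }


def main() -> None:
    # Placeholder values (assumptions), replace before applying.
    account_id = "123456789012"
    region = "us-east-1"
    function_name = "aes-siem-es-loader"
    function_arn = f"arn:aws:lambda:{region}:{account_id}:function:{function_name}"
    role_arn = f"arn:aws:iam::{account_id}:role/aes-siem-LambdaEsLoaderServiceRole"
    bucket, prefix = "my-custom-log-bucket", "AWSLogs/"

    print(json.dumps(bucket_policy(bucket, role_arn), indent=2))
    print(json.dumps(notification_config(function_arn, prefix), indent=2))
    try:
        import boto3  # only needed to apply; the documents above are printable without it
    except ImportError:
        return
    # Order matters: the Lambda permission must exist before S3 accepts the notification.
    boto3.client("lambda", region_name=region).add_permission(
        **invoke_permission(function_name, bucket, account_id))
    s3 = boto3.client("s3", region_name=region)
    s3.put_bucket_notification_configuration(
        Bucket=bucket, NotificationConfiguration=notification_config(function_arn, prefix))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy(bucket, role_arn)))


if __name__ == "__main__":
    main()
```

Running the script without boto3 only prints the two JSON documents, which can be applied with the AWS CLI instead. Granting the notification and the bucket policy does not by itself make the loader understand the objects: the loader still has to map each object key to a log type, so check the loader's CloudWatch logs for the first events after wiring the bucket.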