Lyve Cloud
Collect S3 API audit log from Lyve Cloud with Elastic Agent.
Version | 1.14.0 |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security, Observability |
Subscription level | Basic |
Level of support | Partner |
Lyve Cloud is your simple, trusted, and efficient on-demand solution for mass-capacity storage. Lyve Cloud is designed to be compatible with Amazon S3.
Lyve Cloud Log Integration
The Lyve Cloud Log Integration offers users a way to collect logs from Lyve Cloud's audit log bucket.
When setting up the Lyve Cloud Integration you will need the target bucket name and the secret credentials to access the bucket. You can then visualize that data in Kibana and reference it when troubleshooting an issue.
Using the S3 API audit log information you can identify which events have occurred, when they occurred, and the user who performed the actions.
Setup
Before adding the integration, you must complete the following tasks in the Lyve Cloud console so that the logs in the Lyve Cloud bucket can be read:
- Log in with an administrator account.
- Create a target bucket to save logs.
- Enable S3 API audit logs.
Configuration
- Click the "Add Lyve Cloud" button on the upper right side of the agent configuration screen to create a policy for an Elastic Agent.
- Turn on the switch for "Collecting logs from Lyve Cloud"; under "Change defaults", fill in the information required to ingest the correct logs: access key, secret key, bucket name and endpoint.
- Give a "New agent policy name", click "Save and continue", and then click "Add to hosts".
- Follow Elastic's instructions to add an agent and you're set to go.
Dashboard and log monitoring
Filter the Lyve Cloud logs, when creating a new dashboard or in other Analytics search fields, by entering the following in the filter box:
data_stream.dataset:"lyve_cloud.audit"
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
client.geo.location.lat | Longitude and latitude. | geo_point |
client.geo.location.lon | Longitude and latitude. | geo_point |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Type of Filebeat input. | keyword |
lyve_cloud.audit.auditEntry.api.bucket | Bucket on which the operation was performed. | keyword |
lyve_cloud.audit.auditEntry.api.name | Name of the operation. | keyword |
lyve_cloud.audit.auditEntry.api.object | Object name. | keyword |
lyve_cloud.audit.auditEntry.api.status | HTTP status expressed explicitly as a string instead of a code. | keyword |
lyve_cloud.audit.auditEntry.api.timeToFirstByte | Time until the first packet arrived, in nanoseconds. | long |
lyve_cloud.audit.auditEntry.api.timeToResponse | Time until the response, in nanoseconds. | long |
lyve_cloud.audit.auditEntry.requestHeader.X-Forwarded-For | Identifies the originating IP address of a client connecting to a web server through a proxy server. | keyword |
lyve_cloud.audit.auditEntry.requestHeader.X-Forwarded-Host | Identifies the original host requested by the client in the Host HTTP request header. | keyword |
lyve_cloud.audit.auditEntry.requestHeader.X-Forwarded-Port | Identifies the destination port that the client used to connect to the load balancer. | long |
lyve_cloud.audit.auditEntry.requestHeader.X-Real-Ip | IP of the user making the HTTP request. | keyword |
lyve_cloud.audit.auditEntry.responseHeader.Accept-Ranges | Marker used by the server to advertise its support for partial requests from the client for file downloads. | keyword |
lyve_cloud.audit.auditEntry.responseHeader.Last-Modified | Date and time when the resource was last modified. | keyword |
lyve_cloud.audit.auditEntry.responseHeader.X-Amz-Bucket-Region | Region in which the logged operation was performed. | keyword |
lyve_cloud.audit.auditEntry.responseHeader.X-Amz-Object-Lock-Mode | Object retention mode. | keyword |
lyve_cloud.audit.auditEntry.responseHeader.X-Amz-Server-Side-Encryption | Identifier for the server-side encryption. | keyword |
lyve_cloud.audit.auditEntry.responseHeader.object_lock_retain_until_date | Object retention duration (retain-until date). | date |
lyve_cloud.audit.auditEntry.responseHeader.x-amz-version-id | The version of the object, when versioning is enabled. | keyword |
lyve_cloud.audit.auditEntry.version | Represents the current version of Audit Log structure. | keyword |
source.geo.location.lat | Longitude and latitude. | geo_point |
source.geo.location.lon | Longitude and latitude. | geo_point |
An example event for audit looks as follows:
```json
{
  "@timestamp": "2022-10-20T12:52:42.974Z",
  "cloud": {
    "provider": "lyvecloud"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "event": {
    "original": "{\"auditEntry\": {\"api\": {\"name\": \"GetBucketLocation\", \"bucket\": \"user-name-t10\", \"status\": \"OK\", \"statusCode\": 200, \"timeToResponse\": \"27121602ns\", \"timeToFirstByte\": \"27072750ns\"}, \"time\": \"2022-10-20T12:52:42.974686686Z\", \"version\": \"1\", \"requestID\": \"171FC8111B3F560B\", \"userAgent\": \"MinIO (linux; amd64) minio-go/v7.0.15\", \"deploymentid\": \"8fe8887f-d1e2-4918-9e33-52bfba3b0de8\", \"requestQuery\": {\"location\": \"\"}, \"requestHeader\": {\"X-Real-Ip\": \"10.213.135.144:28911\", \"User-Agent\": \"aws-cli/2.7.7 Python/3.9.11 Linux/5.15.0-52-generic exe/x86_64.ubuntu.20 prompt/off command/s3api.head-object\", \"X-Amz-Date\": \"20221024T083808Z\", \"Authorization\": \"AWS4-HMAC-SHA256 Credential=<redacted>/20221024/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<redacted>\", \"Accept-Encoding\": \"identity\", \"X-Forwarded-For\": \"1.128.0.0, 10.213.135.144\", \"X-Forwarded-Host\": \"s3.us-east-1.lyvecloud.seagate.com\", \"X-Forwarded-Proto\": \"https\", \"X-Amz-Content-Sha256\": \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}, \"responseHeader\": {\"ETag\": \"b1946ac92492d2347c6235b4d2611184\", \"Vary\": \"Origin\", \"Content-Type\": \"application/octet-stream\", \"Accept-Ranges\": \"bytes\", \"Last-Modified\": \"Sun, 23 Oct 2022 12:51:23 GMT\", \"Content-Length\": \"6\", \"X-Amz-Request-Id\": \"1720F4788755136D\", \"X-Xss-Protection\": \"1; mode=block\", \"x-amz-version-id\": \"ab44978d-0929-4c3a-8d52-17157c1fb6ad\", \"X-Amz-Bucket-Region\": \"us-east-1\", \"X-Amz-Object-Lock-Mode\": \"COMPLIANCE\", \"Content-Security-Policy\": \"block-all-mixed-content\", \"X-Amz-Server-Side-Encryption\": \"AES256\", \"X-Amz-Object-Lock-Retain-Until-Date\": \"2022-10-27T12:51:23.250Z\"}}, \"serviceAccountName\": \"user-name-terraform\", \"serviceAccountCreatorId\": \"name.last@company.com\"}"
  },
  "http": {
    "response": {
      "body": {
        "bytes": 6
      },
      "mime_type": "application/octet-stream",
      "status_code": 200
    }
  },
  "log": {
    "file": {
      "path": "https://s3.us-east-1.lyvecloud.seagate.com/logss001/October-2022/S3-2022-20-10-14-09-31.gz"
    }
  },
  "lyve_cloud": {
    "audit": {
      "auditEntry": {
        "api": {
          "bucket": "user-name-t10",
          "name": "GetBucketLocation",
          "status": "OK",
          "timeToFirstByte": 27072750,
          "timeToResponse": 27121602
        },
        "requestHeader": {
          "X-Forwarded-For": "1.128.0.0, 10.213.135.144",
          "X-Forwarded-Host": "s3.us-east-1.lyvecloud.seagate.com",
          "X-Real-Ip": "10.213.135.144:28911"
        },
        "responseHeader": {
          "Accept-Ranges": "bytes",
          "Last-Modified": "Sun, 23 Oct 2022 12:51:23 GMT",
          "X-Amz-Bucket-Region": "us-east-1",
          "X-Amz-Object-Lock-Mode": "COMPLIANCE",
          "X-Amz-Server-Side-Encryption": "AES256",
          "object_lock_retain_until_date": "2022-10-27T12:51:23.250Z",
          "x-amz-version-id": "ab44978d-0929-4c3a-8d52-17157c1fb6ad"
        },
        "version": "1"
      }
    }
  },
  "related": {
    "ip": [
      "1.128.0.0",
      "10.213.135.144"
    ],
    "user": [
      "user-name-terraform"
    ]
  },
  "tags": [
    "preserve_original_event"
  ],
  "user": {
    "email": "name.last@company.com",
    "id": "name.last@company.com",
    "name": "user-name-terraform"
  },
  "user_agent": {
    "device": {
      "name": "Other"
    },
    "name": "Other",
    "original": "MinIO (linux; amd64) minio-go/v7.0.15"
  }
}
```
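The parser below is an added example, not code from the integration or from Seagate: it flattens raw Lyve Cloud audit lines (the shape preserved in event.original above) into the exported field names from the table, then tallies failed operations per service account, which is the "who did what, and when" question the audit log answers. The sample lines, the second entry's values and the helper names are constructed for the example.

```python
"""Added example, not part of the Lyve Cloud integration: flatten raw S3 API audit
entries into the exported field names, then count failed operations per account."""
import json
from collections import Counter

# Constructed sample audit lines in the documented shape; values are illustrative.
SAMPLE_LINES = [
    json.dumps({"auditEntry": {"api": {"name": "GetBucketLocation", "bucket": "user-name-t10",
        "status": "OK", "statusCode": 200, "timeToResponse": "27121602ns"},
        "time": "2022-10-20T12:52:42.974686686Z", "version": "1", "requestHeader": {
        "X-Forwarded-For": "1.128.0.0, 10.213.135.144", "X-Real-Ip": "10.213.135.144:28911"}},
        "serviceAccountName": "user-name-terraform", "serviceAccountCreatorId": "name.last@company.com"}),
    json.dumps({"auditEntry": {"api": {"name": "DeleteObject", "bucket": "user-name-t10",
        "object": "backups/db.dump", "status": "Access Denied", "statusCode": 403,
        "timeToResponse": "1500000ns"}, "time": "2022-10-20T12:53:01.000000000Z", "version": "1",
        "requestHeader": {"X-Real-Ip": "198.51.100.7:4100"}},
        "serviceAccountName": "ci-runner", "serviceAccountCreatorId": "ops@company.com"}),
]

def ns_to_long(value):
    """'27121602ns' -> 27121602, matching the integration's long-typed duration fields."""
    return int(value.removesuffix("ns")) if value else None

def parse_entry(line):
    """Flatten one raw audit line into the exported field names (ECS names where the page maps them)."""
    raw = json.loads(line)
    entry, api = raw["auditEntry"], raw["auditEntry"].get("api", {})
    req = entry.get("requestHeader", {})
    # X-Forwarded-For is a comma-separated chain; X-Real-Ip carries a trailing port to strip.
    xff = [ip.strip() for ip in req.get("X-Forwarded-For", "").split(",") if ip.strip()]
    real_ip = req.get("X-Real-Ip", "").rsplit(":", 1)[0]
    return {
        "@timestamp": entry["time"],
        "lyve_cloud.audit.auditEntry.api.name": api.get("name"),
        "lyve_cloud.audit.auditEntry.api.bucket": api.get("bucket"),
        "lyve_cloud.audit.auditEntry.api.object": api.get("object"),
        "lyve_cloud.audit.auditEntry.api.status": api.get("status"),
        "lyve_cloud.audit.auditEntry.api.timeToResponse": ns_to_long(api.get("timeToResponse")),
        "http.response.status_code": api.get("statusCode"),
        "user.name": raw.get("serviceAccountName"),
        "user.email": raw.get("serviceAccountCreatorId"),
        "related.ip": sorted(set(xff + ([real_ip] if real_ip else []))),
    }

def failed_ops_by_account(lines):
    """Count operations with HTTP status >= 400 per (service account, API name)."""
    counts = Counter()
    for ev in map(parse_entry, lines):
        if (ev["http.response.status_code"] or 0) >= 400:
            counts[(ev["user.name"], ev["lyve_cloud.audit.auditEntry.api.name"])] += 1
    return counts
```

Pointing `failed_ops_by_account` at the decompressed lines of an audit object such as the `.gz` path in `log.file.path` gives a quick per-account view of denied or failing calls without waiting for the Kibana dashboard.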
Changelog
Version | Details | Kibana version(s) |
---|---|---|
1.14.0 | Enhancement | 8.13.0 or higher |
1.13.0 | Enhancement | 8.12.0 or higher |
1.12.1 | Enhancement | 8.5.0 or higher |
1.12.0 | Enhancement | 8.5.0 or higher |
1.11.0 | Enhancement | 8.5.0 or higher |
1.10.0 | Enhancement | 8.5.0 or higher |
1.9.0 | Enhancement | 8.5.0 or higher |
1.8.0 | Bug fix | 8.5.0 or higher |
1.7.0 | Enhancement | 8.5.0 or higher |
1.6.0 | Enhancement | 8.5.0 or higher |
1.5.0 | Enhancement | 8.5.0 or higher |
1.4.0 | Enhancement | 8.5.0 or higher |
1.3.0 | Enhancement | 8.5.0 or higher |
1.2.0 | Enhancement | 8.5.0 or higher |
1.1.0 | Enhancement | 8.5.0 or higher |
1.0.2 | Enhancement | 8.5.0 or higher |
1.0.1 | Enhancement | 8.5.0 or higher |
1.0.0 | Enhancement | 8.5.0 or higher |