---
id: aws-cloudtrail-source
title: AWS CloudTrail Source
sidebar_label: AWS CloudTrail
description: Add an AWS CloudTrail Source to upload messages to Sumo Logic.
slug: /help/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/
canonical: https://www.sumologic.com/help/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/
---
import useBaseUrl from '@docusaurus/useBaseUrl';
import Iframe from 'react-iframe';
})
AWS CloudTrail records API calls made to AWS. This includes calls made using the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services. Add an AWS CloudTrail Source to upload these messages to Sumo Logic. The AWS CloudTrail Source automatically parses the logs prior to upload.
:::important
You need to know where your CloudTrail log files are stored so you can provide the path to the AWS CloudTrail Source. Refer to AWS Documentation for [finding your CloudTrail log files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html).
:::
:::training Tutorial
:::
import TerraformLink from '../../../reuse/terraform-link.md';
:::tip
You can use Terraform to provide an AWS CloudTrail source with the [`sumologic_cloudtrail_source`](https://registry.terraform.io/providers/SumoLogic/sumologic/latest/docs/resources/cloudtrail_source) resource.
:::
### Configure an AWS CloudTrail Source
1. [Configure CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-add-a-trail-using-the-console.html) in your AWS account. This will create an S3 bucket for you if you so choose.
1. [Grant Sumo Logic access](grant-access-aws-product.md) to an Amazon S3 bucket created or used above.
1. Confirm that logs are being delivered to the Amazon S3 bucket.
1. [**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic main menu select **Data Management**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
1. Select the hosted Collector for which you want to add the Source, and click **Add Source**. To create a new hosted collector, see [Configure a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector).
1. Select **AWS CloudTrail**.
1. The page refreshes.
})
1. **Name**. Enter a name for the source.
1. **Description**. (Optional)
1. **S3 Region**. Choose the AWS Region the S3 bucket resides in.
1. **Bucket Name**. The name of your organizations S3 bucket as it appears in AWS.
1. **Path Expression**. The path expression of the log file(s) in S3, can contain wildcards to include multiple log files.
1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.
1. **AWS Access**. For AWS Access you have two Access Method options. Select **Role-based access** or **Key access** based on the AWS authentication you are providing. Role-based access is preferred. Note that Sumo Logic access to AWS (instructions are provided above in step 1) is a prerequisite for role-based access
* **Role-based access**. Enter the Role ARN that was provided by AWS after creating the role.
})
* **Key access**. Enter the Access Key ID and Secret Access Key. See [AWS Access Key ID](https://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html#RequestWithSTS) and [AWS Secret Access Key](https://aws.amazon.com/iam/) for details.
1. **Log File Discovery -> Scan Interval**. Use the default of 5 minutes. Alternately, enter the frequency. Sumo Logic will scan your S3 bucket for new data. Learn how to configure **Log File Discovery** [here](/docs/send-data/hosted-collectors/amazon-aws/aws-sources).
10. **Enable Timestamp Parsing**. Select the **Extract timestamp information from log file entries** check box.
11. **Time Zone**. Select **Ignore time zone from the log file and instead use**, and select **UTC** from the dropdown.
12. **Timestamp Format.** Select **Automatically detect the format**.
13. **Enable Multiline Processing**. Select the **Detect messages spanning multiple lines** check box, and select **Infer Boundaries**.
1. Click **SAVE**.
1. **Optional:** Install the Sumo Logic App for AWS CloudTrail.
## CloudTrail log objects
CloudTrail log objects are generated by AWS as a single JSON **Records** array containing a series of event objects. The AWS CloudTrail Source automatically applies boundary and timestamp processing rules to pull the individual **event** objects from the CloudTrail **Records** array as separate log messages within Sumo Logic.
The following is an example of an AWS CloudTrail file object:
```json
{
"Records": [
{
"eventVersion": "1.03",
"userIdentity": {
"type": "Root",
"principalId": "XXXXXXXXXX",
"arn": "arn:aws:iam::XXXXXXXXXX:root",
"accountId": "XXXXXXXXXX",
"accessKeyId": "XXXXXXXXXXXXXXXX",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2016-04-01T16:09:43Z"
}
}
},
"eventTime": "2016-04-01T16:19:26Z",
"eventSource": "s3.amazonaws.com",
"eventName": "GetBucketLocation",
"awsRegion": "us-west-2",
"sourceIPAddress": " 192.168.1.1",
"userAgent": "[S3Console/0.4]",
"requestParameters": {
"bucketName": "example"
},
"responseElements": null,
"requestID": "DE61373E09329981",
"eventID": "d4877d6c-4bf2-4a46-82d5-c8d710905138",
"eventType": "AwsApiCall",
"recipientAccountId": "XXXXXXXXXX"
},
{
"eventVersion": "1.03",
"userIdentity": {
"type": "Root",
"principalId": "XXXXXXXXXX",
"arn": "arn:aws:iam::XXXXXXXXXX:root",
"accountId": "XXXXXXXXXX",
"accessKeyId": "XXXXXXXXXXXXXXXX",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2016-04-01T16:09:43Z"
}
}
},
"eventTime": "2016-04-01T16:19:26Z",
"eventSource": "s3.amazonaws.com",
"eventName": "GetBucketLocation",
"awsRegion": "us-west-2",
"sourceIPAddress": " 192.168.1.1",
"userAgent": "[S3Console/0.4]",
"requestParameters": {
"bucketName": "example"
},
"responseElements": null,
"requestID": "F1A6B08803D73C5A",
"eventID": "2b4d6eea-ecb8-4853-a1d2-f0b6b931d5bf",
"eventType": "AwsApiCall",
"recipientAccountId": "XXXXXXXXXX"
},
{
"eventVersion": "1.04",
"userIdentity": {
"type": "Root",
"principalId": "XXXXXXXXXX",
"arn": "arn:aws:iam::XXXXXXXXXX:root",
"accountId": "XXXXXXXXXX",
"accessKeyId": "XXXXXXXXXXXXXXXX",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2016-04-01T16:09:43Z"
}
}
},
"eventTime": "2016-04-01T16:22:11Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "DescribeTrails",
"awsRegion": "us-west-2",
"sourceIPAddress": "10.1.1.1",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"trailNameList": []
},
"responseElements": null,
"requestID": "e36e19ff-f825-11e5-9015-0336c0231e57",
"eventID": "9b5a6b39-0415-4c88-b7f1-698161bf028b",
"eventType": "AwsApiCall",
"recipientAccountId": "XXXXXXXXXX"
},
{
"eventVersion": "1.04",
"userIdentity": {
"type": "Root",
"principalId": "XXXXXXXXXX",
"arn": "arn:aws:iam::XXXXXXXXXX:root",
"accountId": "XXXXXXXXXX",
"accessKeyId": "XXXXXXXXXXXXXXXX",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2016-04-01T16:09:43Z"
}
}
},
"eventTime": "2016-04-01T16:22:34Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "DescribeTrails",
"awsRegion": "us-west-2",
"sourceIPAddress": "10.1.1.1",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"trailNameList": []
},
"responseElements": null,
"requestID": "f0c79c48-f825-11e5-933d-65f8283355b7",
"eventID": "2f9837ef-f727-45d7-a217-2974d27cb998",
"eventType": "AwsApiCall",
"recipientAccountId": "XXXXXXXXXX"
}
]
}
```
CloudTrail events as seen in Sumo Logic:
})
## AWS Sources
See [AWS Sources](aws-sources.md) for more information.