Hi
I have recently onboarded AWS CloudTrail logs via the S3 mechanism; however, due to some issues we were asked to see if we can onboard the same logs via the SQS mechanism. Can someone tell me whether the logs ingested in both of these ways will be identical or whether there will be changes, and if so, what kind of changes?
To further clarify, while S3 and SQS offer different ingestion mechanisms, the underlying parsing of AWS CloudTrail logs should both utilize the dedicated AWS_CLOUDTRAIL parser, so you shouldn't see a difference in how the data is parsed.
Keep in mind that SQS ingestion is used to point SecOps to objects in S3. This allows near real-time ingestion of logs in S3. So in your scenario, same logs in same buckets, but SQS will guide SecOps to retrieve particular files once they're written, rather than needing to scan the bucket each time. Details on this collection mechanism are here: https://cloud.google.com/chronicle/docs/reference/feed-management-api#amazon_sqs
-mike
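As an added illustration (not part of this thread and not the Google SecOps feed code), the Python below models the two collection paths described in the answer: a full bucket scan versus an SQS message naming the newly written object. The bucket name, object key, CloudTrail record and S3 event notification are constructed sample values, and it is assumed the queue carries standard S3 event notifications; the point is that only the transport differs, while the parsed CloudTrail records are identical.

```python
import gzip
import json
from urllib.parse import unquote_plus

# Constructed sample: one CloudTrail log file as written to S3 (gzipped JSON, "Records" array).
KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/example.json.gz"
CLOUDTRAIL_OBJECT = gzip.compress(json.dumps({
    "Records": [
        {"eventVersion": "1.08", "eventTime": "2024-01-01T00:00:00Z",
         "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10"},
    ]
}).encode())

# Constructed stand-in for the bucket: object key -> raw object bytes.
BUCKET = {KEY: CLOUDTRAIL_OBJECT}

# Constructed S3 event notification, as it would arrive as the body of an SQS message.
SQS_MESSAGE_BODY = json.dumps({
    "Records": [{
        "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "trail-bucket"}, "object": {"key": KEY}},
    }]
})


def parse_cloudtrail_object(raw: bytes) -> list[dict]:
    """Decode one CloudTrail log file. This step is identical for both transports."""
    return json.loads(gzip.decompress(raw))["Records"]


def collect_by_scan(bucket: dict) -> list[dict]:
    """S3 mechanism: enumerate every object in the bucket and parse each one."""
    records = []
    for key in sorted(bucket):
        records.extend(parse_cloudtrail_object(bucket[key]))
    return records


def collect_by_sqs(bucket: dict, message_body: str) -> list[dict]:
    """SQS mechanism: the notification names the new object, so only that key is fetched."""
    records = []
    for event in json.loads(message_body)["Records"]:
        if not event.get("eventName", "").startswith("ObjectCreated:"):
            continue  # ignore deletes and other non-create events
        # Object keys in S3 event notifications are URL-encoded; decode before the lookup.
        key = unquote_plus(event["s3"]["object"]["key"])
        records.extend(parse_cloudtrail_object(bucket[key]))
    return records
```

Both functions hand the same bytes to the same decoder, which is why the CloudTrail records (and, in SecOps, the AWS_CLOUDTRAIL parser output) come out the same regardless of whether the file was found by scanning or by notification.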