Ingesting AWS CloudWatch logs into SecOps SIEM

Is there any documentation or information available on ingesting AWS CloudWatch logs into SecOps? We have documentation available for CloudTrail, but were unable to find any for CloudWatch. Appreciate any advice.

I have seen customers sending logs using an AWS bucket or using an HTTPS push feed.

Is there any supporting documentation for the S3 method?

We don't have CloudWatch yet, but we successfully tested SecurityHub via Amazon Data Firehose, and you can read our docs here. I believe you can use a similar method: just send CloudWatch to Firehose via CloudWatch subscription filters.

That would be an alternative method to S3. Of course, you can use the S3 export as well; I think this works.

Hope this helps!
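Whichever way the Firehose delivery stream lands (S3 bucket or HTTPS push), what the SIEM side actually receives from a CloudWatch Logs subscription filter is not raw log lines but a gzip-compressed JSON envelope per record (messageType, owner, logGroup, logStream, subscriptionFilters, logEvents[]), and CloudWatch also sends CONTROL_MESSAGE records with no real log data when it health-checks the destination. The following is an added example written for this thread, not code from the original post, the vendor docs, or AWS: it constructs sample records in that envelope format, lays them out the way Firehose does for an S3 object (back-to-back gzip members) and for an HTTP endpoint delivery body (base64 `data` per record), and flattens them into per-event records while skipping control messages. All log content, the account id and the filter name are constructed placeholders.

```python
import base64
import gzip
import json


def build_subscription_record(message_type, log_group, log_stream, events):
    """Construct one record in the format CloudWatch Logs subscription filters
    deliver to Firehose: a JSON envelope, gzip-compressed.
    Sample values here are constructed for this example, not real account data."""
    envelope = {
        "messageType": message_type,
        "owner": "123456789012",                   # constructed placeholder account id
        "logGroup": log_group,
        "logStream": log_stream,
        "subscriptionFilters": ["secops-firehose"],  # constructed filter name
        "logEvents": [
            {"id": str(36000000000000000000 + i), "timestamp": ts, "message": msg}
            for i, (ts, msg) in enumerate(events)
        ],
    }
    return gzip.compress(json.dumps(envelope).encode("utf-8"))


def decode_envelopes(decompressed):
    """Split a byte string holding one or more back-to-back JSON objects, which is
    what decompressing a Firehose S3 object made of concatenated gzip members yields."""
    text = decompressed.decode("utf-8")
    decoder = json.JSONDecoder()
    pos, out = 0, []
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        out.append(obj)
    return out


def events_from_envelope(envelope):
    """Flatten one envelope into per-event dicts that keep the group/stream context.
    CONTROL_MESSAGE records are destination health checks with no log data: skip them."""
    if envelope.get("messageType") != "DATA_MESSAGE":
        return []
    return [
        {
            "logGroup": envelope["logGroup"],
            "logStream": envelope["logStream"],
            "timestamp": ev["timestamp"],
            "message": ev["message"],
        }
        for ev in envelope.get("logEvents", [])
    ]


def parse_s3_object(body):
    """Parse a Firehose S3 object body: concatenated gzip members, one per record.
    gzip.decompress handles multi-member input and returns the joined JSON text."""
    events = []
    for env in decode_envelopes(gzip.decompress(body)):
        events.extend(events_from_envelope(env))
    return events


def parse_http_endpoint_request(request_json):
    """Parse a Firehose HTTP endpoint delivery body:
    {"requestId": ..., "timestamp": ..., "records": [{"data": <base64>}, ...]}.
    Each record's data is the gzip-compressed envelope, base64-encoded."""
    events = []
    for rec in request_json["records"]:
        raw = gzip.decompress(base64.b64decode(rec["data"]))
        for env in decode_envelopes(raw):
            events.extend(events_from_envelope(env))
    return events


# Constructed sample: one control record and two data records, in delivery order.
SAMPLE_RECORDS = [
    build_subscription_record("CONTROL_MESSAGE", "", "",
        [(1704067199000, "CWL CONTROL MESSAGE: Checking health of destination Firehose.")]),
    build_subscription_record("DATA_MESSAGE", "/aws/lambda/ingest", "2024/01/01/[$LATEST]abc",
        [(1704067200000, "START RequestId: 1111"), (1704067200100, "END RequestId: 1111")]),
    build_subscription_record("DATA_MESSAGE", "vpc-flow-logs", "eni-0abc",
        [(1704067201000, "2 123456789012 eni-0abc 10.0.0.5 10.0.0.9 443 51514 6 10 840 "
                         "1704067201 1704067261 ACCEPT OK")]),
]
SAMPLE_S3_OBJECT = b"".join(SAMPLE_RECORDS)
SAMPLE_HTTP_BODY = {
    "requestId": "constructed-request-id",
    "timestamp": 1704067202000,
    "records": [{"data": base64.b64encode(r).decode("ascii")} for r in SAMPLE_RECORDS],
}

if __name__ == "__main__":
    for ev in parse_s3_object(SAMPLE_S3_OBJECT):
        print(ev["logGroup"], ev["timestamp"], ev["message"])
```

The subscription itself is created with `aws logs put-subscription-filter` pointing `--destination-arn` at the Firehose delivery stream and `--role-arn` at a role CloudWatch Logs can assume to write to it; an empty `--filter-pattern` forwards every event. Two caveats when wiring the S3 path: if the Firehose S3 destination has its own GZIP compression enabled, the object is compressed a second time and must be decompressed once more before the per-record decoding above, and the `owner`/`logGroup` fields in the envelope are the only place the originating account and source survive, so keep them on each event rather than discarding the envelope.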

Thank you, let me take a look at the S3 method and get back.

I love that I just searched for some AWS info and found a guide that our partner put together in meticulous detail. Thank you for providing this type of collateral to the larger community, and please continue to do so on any of these "one-off" modules.