
Hi 

I have recently onboarded AWS CloudTrail logs via the S3 mechanism; however, due to some issues we were asked to see if we can onboard the same logs via the SQS mechanism. Can someone tell me whether the logs ingested in both ways will be identical, or will there be changes? If yes, then what kind of changes?


Keep in mind that SQS ingestion is used to point SecOps to objects in S3. This allows near-real-time ingestion of logs in S3. So in your scenario, it's the same logs in the same buckets, but SQS will guide SecOps to retrieve particular files once they're written, rather than needing to scan the bucket each time. Details on this collection mechanism are here: https://cloud.google.com/chronicle/docs/reference/feed-management-api#amazon_sqs


-mike


To further clarify, while S3 and SQS offer different ingestion mechanisms, the underlying parsing of AWS CloudTrail logs should in both cases use the dedicated AWS_CLOUDTRAIL parser, so you shouldn't see a difference in how the data is parsed.
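To make the two replies above concrete, here is an added example (not code from this thread, from Google SecOps, or from AWS) that models both collection paths: listing the bucket under a prefix versus following S3 event notifications delivered as SQS messages. The bucket name, account ID, object keys and SQS message bodies are all constructed stand-ins; the gzip-compressed `{"Records": [...]}` layout of a CloudTrail log file and the `ObjectCreated:*` / `s3:TestEvent` notification shapes follow the public AWS formats. The point it demonstrates is that an SQS message carries only a pointer (bucket and key), so the bytes fetched and handed to the parser are the same object either way.

```python
"""Toy model of CloudTrail collection via bucket listing versus S3 -> SQS notifications.
Added example; the bucket, keys, records and SQS messages below are constructed."""
import gzip
import json
from urllib.parse import quote_plus, unquote_plus

ACCOUNT = "111122223333"  # constructed account ID
BUCKET = "example-cloudtrail-bucket"  # constructed bucket name
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/"


def _cloudtrail_object(records):
    """CloudTrail delivers each log file as gzip-compressed JSON with a top-level 'Records' list."""
    return gzip.compress(json.dumps({"Records": records}).encode())


# Constructed stand-in for S3: bucket -> key -> object bytes.
FAKE_S3 = {
    BUCKET: {
        PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T0000Z_a1b2c3.json.gz": _cloudtrail_object([
            {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"},
            {"eventID": "e2", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com"},
        ]),
        PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T0005Z_d4e5f6.json.gz": _cloudtrail_object([
            {"eventID": "e3", "eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com"},
        ]),
    }
}


def read_cloudtrail_object(bucket, key):
    """Fetch and decode one log file. This step is identical however the key was discovered."""
    return json.loads(gzip.decompress(FAKE_S3[bucket][key]))["Records"]


def collect_via_listing(bucket, prefix):
    """S3 path: enumerate every object under the prefix and read each one."""
    records = []
    for key in sorted(FAKE_S3[bucket]):
        if key.startswith(prefix) and key.endswith(".json.gz"):
            records.extend(read_cloudtrail_object(bucket, key))
    return records


def s3_event_objects(message_body):
    """Return (bucket, key) pairs from an S3 event notification carried in an SQS message body.

    Skips the s3:TestEvent that S3 publishes when the notification is first configured,
    and only follows ObjectCreated:* events (e.g. ObjectRemoved would point at nothing to fetch).
    """
    event = json.loads(message_body)
    if event.get("Event") == "s3:TestEvent":
        return []
    found = []
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        # S3 URL-encodes the object key in notifications (e.g. space -> '+'); decode before fetching.
        found.append((s3["bucket"]["name"], unquote_plus(s3["object"]["key"])))
    return found


def collect_via_sqs(message_bodies):
    """SQS path: each message points at newly written objects; read only those, no bucket scan."""
    records = []
    for body in message_bodies:
        for bucket, key in s3_event_objects(body):
            records.extend(read_cloudtrail_object(bucket, key))
    return records


def _s3_event(bucket, key):
    """Constructed ObjectCreated notification in the shape S3 publishes to SQS."""
    return json.dumps({"Records": [{
        "eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": bucket}, "object": {"key": quote_plus(key, safe="/")}},
    }]})


# Constructed queue contents: the initial test event, then one notification per written object.
SQS_MESSAGES = [json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": BUCKET})]
SQS_MESSAGES += [_s3_event(BUCKET, key) for key in FAKE_S3[BUCKET]]


def event_ids(records):
    """Sorted eventIDs, for comparing what each path delivered."""
    return sorted(r["eventID"] for r in records)


if __name__ == "__main__":
    via_listing = collect_via_listing(BUCKET, PREFIX)
    via_sqs = collect_via_sqs(SQS_MESSAGES)
    print("listing:", event_ids(via_listing))
    print("sqs:    ", event_ids(via_sqs))
    print("identical:", event_ids(via_listing) == event_ids(via_sqs))
```

The difference between the two paths is only in how keys are discovered: `collect_via_listing` must re-scan the prefix on every poll, while `collect_via_sqs` reads exactly the objects S3 announced. Both end in `read_cloudtrail_object`, which is why the records (and therefore what the AWS_CLOUDTRAIL parser sees) are the same; the one SQS-specific detail a consumer has to handle is ignoring the `s3:TestEvent` message and any non-`ObjectCreated` notification types.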

