I have an S3 bucket with a couple of years' worth of CloudTrail logs. How can I onboard just the last 3 months of logs into Chronicle? According to
https://cloud.google.com/chronicle/docs/ingestion/ingest-aws-logs-into-chronicle
it seems I can append
{{datetime(yyyy/MM/dd)}}
to the URL so that Chronicle scans logs only for a particular day each time, which suggests I can make it start ingesting from this point forward, but I'd like some history.
Unfortunately, Chronicle does not (to my knowledge) support ingesting from a bucket from a specific point in time, at this time.
It appears your S3 information is drilling down to the object folder name. A workaround to that would be to take the 3 months of logs from a bucket and place them into a new bucket, then ingest from that bucket. If you wanted to keep ingesting, then I would recommend making this new bucket the new destination for all current and future logs. If you do this, the order of operations would probably have to be:
- Create new bucket
- Start logging to new bucket
- Copy 3 month old logs to new bucket
- Create feed and ingest to chronicle.
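The four-step workaround above, carried out with the AWS CLI, as an added example that is not part of the original post or of Google's Chronicle docs. It relies on CloudTrail's fixed key layout (`AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz`) to copy exactly one prefix per day of the window, so the multi-year source bucket is never listed in full. The trail name, bucket names and account ID are placeholders, and the script assumes a single-account (non-organization) trail, AWS CLI v2 with rights on both buckets and the trail, and GNU or BSD `date`.

```shell
#!/bin/sh
# Added example, not from the original post or from Google's Chronicle docs.
# Assumptions: AWS CLI v2 with rights on both buckets and on the trail; a
# single-account (non-organization) trail, whose objects are keyed as
#   AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz
# so one day of logs is one prefix and can be copied without listing the rest
# of the multi-year bucket. Trail, bucket and account names are placeholders.
set -eu

# YYYY-MM-DD plus N days, formatted as the YYYY/MM/DD path CloudTrail uses.
# GNU date is tried first, BSD/macOS date is the fallback.
day_after() {
  date -u -d "$1 + $2 day" +%Y/%m/%d 2>/dev/null ||
  date -u -j -f %Y-%m-%d -v "+$2d" "$1" +%Y/%m/%d
}

# Today (UTC) minus N days, as YYYY-MM-DD.
days_ago() {
  date -u -d "$1 days ago" +%Y-%m-%d 2>/dev/null ||
  date -u -v "-$1d" +%Y-%m-%d
}

# One CloudTrail key prefix per day.  Args: account region start(YYYY-MM-DD) days
cloudtrail_day_prefixes() {
  i=0
  while [ "$i" -lt "$4" ]; do
    printf 'AWSLogs/%s/CloudTrail/%s/%s/\n' "$1" "$2" "$(day_after "$3" "$i")"
    i=$((i + 1))
  done
}

# Bucket policy CloudTrail requires before it will write to a bucket.  Args: bucket account
cloudtrail_bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::$1"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$1/AWSLogs/$2/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
EOF
}

# Step 3: copy only the last N days, prefix by prefix.  Args: src dst account region days
copy_cloudtrail_window() {
  start=$(days_ago "$5")
  cloudtrail_day_prefixes "$3" "$4" "$start" "$(($5 + 1))" |
  while read -r prefix; do
    aws s3 sync "s3://$1/$prefix" "s3://$2/$prefix" --only-show-errors
  done
}

# Steps 1-3 in the order the answer gives.  Args: trail src dst account region days
migrate_trail() {
  trail=$1; src=$2; dst=$3; acct=$4; region=$5; days=$6
  # Step 1: new bucket, public access blocked, CloudTrail allowed to write.
  if [ "$region" = us-east-1 ]; then
    aws s3api create-bucket --bucket "$dst" --region "$region"
  else
    aws s3api create-bucket --bucket "$dst" --region "$region" \
      --create-bucket-configuration "LocationConstraint=$region"
  fi
  aws s3api put-public-access-block --bucket "$dst" --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-policy --bucket "$dst" --policy "$(cloudtrail_bucket_policy "$dst" "$acct")"
  # Step 2: point the trail at the new bucket, so no new events are missed while copying.
  aws cloudtrail update-trail --name "$trail" --s3-bucket-name "$dst"
  # Step 3: backfill the window; the Chronicle feed (step 4) then sees only this history.
  copy_cloudtrail_window "$src" "$dst" "$acct" "$region" "$days"
}

# Only runs the migration when invoked as: sh migrate.sh run <trail> <src> <dst> <account> <region> <days>
if [ "${1:-}" = run ]; then
  shift
  migrate_trail "$@"
fi
```

Run it as `sh migrate.sh run my-trail old-logs-bucket new-logs-bucket 123456789012 us-east-1 90`, then create the Chronicle S3 feed (step 4) against the new bucket with the same `AWSLogs/...` URI prefix, with or without the `{{datetime(yyyy/MM/dd)}}` form. Two caveats: a multi-region trail writes one `<region>` folder per region, so call `copy_cloudtrail_window` once per region, and an organization trail inserts the organization ID ahead of the account ID in the key, so the prefix format would need that extra path element. AWS's own documentation additionally recommends an `aws:SourceArn` condition on the `AWSCloudTrailWrite` statement to pin the policy to your trail.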