Cloud Incident Response


AWS EC2 Host based telemetry collection options

  • 1.  AWS EC2 Host based telemetry collection options

    Posted Jun 06, 2021 01:46:00 PM
    Hello Cloud Geeks,

    In my organization, we are building IR procedures for responding to cloud incidents originating from the AWS EC2 compute service. We want to collect adequate telemetry from EC2 hosts running application workloads. The EC2 instances will be predominantly running Linux AMIs.

    If anyone of you has worked on collecting EC2 telemetry for incident response purposes, please suggest what logs were collected and the logging and telemetry forwarding mechanism used to send the logs to a data lake or SIEM.

    Thanks in advance.

    ------------------------------
    Harish Haridasan
    Security Product Manager
    Booking.com
    ------------------------------


  • 2.  RE: AWS EC2 Host based telemetry collection options

    Posted Jun 07, 2021 07:34:00 AM
    Hi Harish,

    I used to do something similar in the past by forwarding most of the /var/log folder to our SIEM using rsyslog (and figuring out later how to index and visualize it). Below is a publication I released back then:

    https://aristidebouix.cloud/en/2018/04/ship-your-applicative-log-files-anywhere/index.html/

    --
    Kind regards,

    Aristide Bouix
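As an added example of the rsyslog-based forwarding described in the reply above (this is not configuration from the original thread or from the linked article), the fragment below forwards the host's syslog stream plus an application log directory from an EC2 instance to a remote collector over TLS, with a disk-assisted queue so events are retained while the collector is unreachable. The collector hostname, the application log path, the certificate paths and the drop-in file name are all assumptions to be replaced with your own values.

```conf
# /etc/rsyslog.d/60-siem-forward.conf  (assumed file name; drop-in for rsyslog)

# TLS settings for the outbound connection. Paths are placeholders; the CA
# must be the one that issued the SIEM collector's certificate.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/host.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/host.key"
)

# Pick up application log files that are written directly to disk and never
# pass through syslog(3). The path is an assumption; one input per directory.
module(load="imfile")
input(type="imfile"
      File="/var/log/myapp/*.log"
      Tag="myapp"
      Facility="local6"
      Severity="info")

# Forward everything rsyslog sees (kernel, auth, cron, daemon messages and the
# imfile inputs above) to the collector. The target name is a placeholder.
# The queue keeps up to 1 GiB on local disk and retries forever, so a SIEM
# outage or a network partition does not silently drop host telemetry.
action(type="omfwd"
       Target="siem-collector.example.internal"
       Port="6514"
       Protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="siem-collector.example.internal"
       template="RSYSLOG_SyslogProtocol23Format"
       queue.type="LinkedList"
       queue.filename="siem_fwd"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Two design points matter for IR use. First, the queue parameters are what make the forwarding trustworthy as evidence: without a disk-assisted queue, rsyslog discards messages once its in-memory buffer fills during an outage, leaving a gap exactly when an incident is most likely to be in progress. Second, `StreamDriverAuthMode="x509/name"` with `StreamDriverPermittedPeers` makes the instance verify the collector's certificate name, so a host cannot be redirected into shipping its logs to an attacker-controlled endpoint by DNS or routing manipulation. Validate the file with `rsyslogd -N1` before restarting the service, and confirm on the collector side that both the syslog stream and the `myapp` tagged lines arrive with the expected hostname.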