Scenario: CloudTrail Logs JSON Ingestion in SOF-ELK
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Root",
"principalId": "107513503799",
"arn": "arn:aws:iam::107513503799:root",
"accountId": "107513503799",
"accessKeyId": "ASIARSCCN4A34LC6MFWG",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-08-26T18:45:20Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-08-26T20:30:05Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "ListDelegatedAdministrators",
"awsRegion": "us-east-1",
"sourceIPAddress": "84.32.71.36",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:iam::107513503799:root is not authorized to perform: organizations:ListDelegatedAdministrators on resource: * because no resource-based policy allows the organizations:ListDelegatedAdministrators action",
"requestParameters": null,
"responseElements": null,
"requestID": "aa322cbd-e252-4aeb-b487-dff760dfe955",
"eventID": "68ae037e-cb86-4174-bc15-b6aadc6f327b",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "107513503799",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "organizations.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
Fields such as `errorCode`, `errorMessage` and `requestParameters` are not created as searchable fields when I upload this JSON to SOF-ELK, apparently because they are absent or `null` in some events (in the sample above `requestParameters` and `responseElements` are `null` while `errorCode`/`errorMessage` are populated) — but I want every field indexed regardless. When I upload the same JSON to Splunk it extracts all of the fields automatically. These are exactly the fields an analyst needs from an event like the one above: a root principal whose session has `mfaAuthenticated` set to `"false"`, using a temporary access key (`ASIA…` prefix) from a console session (`sessionCredentialFromConsole` is `"true"`) at a public IP, receiving `AccessDenied` on `organizations:ListDelegatedAdministrators`. That authorization failure is only findable if `errorCode` is mapped, so dropping sparse fields is a detection gap, not just a cosmetic one. What additional configuration do I need to add in SOF-ELK, and in which parser/mapping file, so that these sparse fields are always parsed?
This issue has since been fixed in the upstream SOF-ELK repository. Update to the current SOF-ELK release (or pull the latest parsing configuration) and re-ingest the CloudTrail JSON; events that were indexed before the fix will not gain the missing fields until they are re-ingested, so verify with a search on `errorCode` (e.g. `AccessDenied`) after reloading.