Support AWS logs with cloudwatch input

[kaiyan-sheng]

Update: This is done in aws package version 1.10.0 and promoted to production. Kibana version limitation is: >=.15.0 or >= 8.0.0.

In aws package, we have several data streams that collect logs from AWS services. These data streams are currently only supporting aws-s3 input. This issue is to add support for aws-cloudwatch input so users can decide if they want service logs to send to S3 bucket w/o SQS notification setup or simply send them to a CloudWatch log group.

• cloudtrail
• cloudwatch_logs
• ec2_logs
• elb_logs
• s3access
• vpcflow
• WAF
• Network Firewall

I want to summarize all the log data streams we have in AWS package here with the supported inputs:

Data Stream Names	aws-s3 input	aws-cloudwatch input	httpjson input
cloudtrail	Y	Y(enabled: false)	Y(enabled: false)
cloudwatch_logs	Y(enabled: false)	Y	N
ec2_logs	Y(enabled: false)	Y	N
elb_logs	Y	Y(enabled: false)	N
s3access	Y	N	N
vpcflow	Y(enabled: false)	Y	N
WAF	Y	Y(enabled: false)	N
Network Firewall	Y	Y(enabled: false)	N

Note: (enabled: false) means in Kibana when adding the integration, this option/toggle is not enabled by default.

[jamiehynds]

@kaiyan-sheng we just added an AWS WAF integration, could we add it to your list? @taylor-swanson is also working on an AWS Network Firewall integration which should be considered too.

[kaiyan-sheng]

Yes @jamiehynds absolutely! I just added AWS WAF onto the list. I will ping you for review when it's ready. Thanks!

[jamiehynds]

Thanks @kaiyan-sheng! Here's the PR for Network Firewall, not merged yet - #2199

[kaiyan-sheng]

@ravikesarwani @Udayel I created a table listing all the inputs used for each log data stream in the issue description. Could you take a look at the table and we can discuss if the default input I chose makes sense or not. Thank you!!

[ravikesarwani]

Thanks @kaiyan-sheng. Great work putting together this list. I reviewed each of the AWS services and the default.
For the following services I was thinking for us to further review.

elb_logs:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
I was thinking we probably should have S3 as the default for this.

WAF log:
https://docs.aws.amazon.com/waf/latest/developerguide/logging-destinations.html
Is there specific reason we are choosing S3 as the default? I would have thought to put CloudWatch logs as the default.
It has direct support for CloudWatch logs, S3 & Kinesis.

I think in many of these it's actually the users choice (and may change over time as AWS adds new support) and as long as we have both options for the users we will be in great shape.

[kaiyan-sheng]

@ravikesarwani Agree, let's add cloudwatch input and follow the table in this issue's description box to set the default for now. We can always change it later easily. I also talked to the security team earlier before the holidays and the decision is to keep s3 input as default for WAF and network Firewall for now.

[ravikesarwani]

@kaiyan-sheng Why do we have "release-pending" label on this?
Can we remove that and maybe add the AWS package version it's available in production and dependency of the Kibana version. Thanks!