The CloudTrail Matano managed log source lets you ingest your AWS CloudTrail logs directly into Matano.
Use the managed log source by specifying the managed.type property in your
Then create a table for each of the CloudTrail log types you want to ingest, under a tables/ subdirectory for your log source. For example, if you want to ingest CloudTrail (default) and CloudTrail Insights logs, create table files like so:
For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.
The AWS CloudTrail managed log source supports the following tables:
- A table is created for actual CloudTrail logs.
- CloudTrail digest files are transformed into a separate Matano table.
- CloudTrail insights logs are processed into a Matano table.
Matano automatically ingests data in your CloudTrail bucket into the corresponding table (e.g. cloudtrail_insights, cloudtrail).
For a log source named aws_cloudtrail, a file under the path /AWSLogs/249463413804/CloudTrail-Digest/us-east-1/2022/10/15/249463413804_CloudTrail-Digest_us-east-1_cheeseiad_us-east-1_20221015T195315Z.json.gz will be routed to the
Path scheme to table:
- else -> default
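
The sketch below is an added example, not Matano's routing code: it classifies S3 object keys by their CloudTrail folder and reports account/region pairs that deliver log files but no digest files, a gap worth knowing about before relying on the digest table. The table labels `digest` and `insights`, the `CloudTrail-Insight` folder name (the folder AWS uses for Insights events) and the helper names are assumptions; only `CloudTrail-Digest` and the `default` fallback come from this page.

```python
import re
from collections import defaultdict

# Assumed folder -> table label mapping; anything else falls through to "default".
FOLDER_TO_TABLE = {"CloudTrail-Digest": "digest", "CloudTrail-Insight": "insights"}

# Standard CloudTrail delivery layout, with an optional organization id segment.
KEY_RE = re.compile(
    r"(?:^|/)AWSLogs/(?:o-[a-z0-9]+/)?"
    r"(?P<account>\d{12})/"
    r"(?P<folder>CloudTrail(?:-[A-Za-z]+)?)/"
    r"(?P<region>[a-z0-9-]+)/"
    r"\d{4}/\d{2}/\d{2}/[^/]+$"
)

def route_key(key):
    """Return (table, account, region); keys outside the layout go to default."""
    m = KEY_RE.search(key)
    if m is None:
        return ("default", None, None)
    table = FOLDER_TO_TABLE.get(m["folder"], "default")
    return (table, m["account"], m["region"])

def missing_digests(keys):
    """Account/region pairs with log files present but no digest files."""
    seen = defaultdict(set)
    for key in keys:
        table, account, region = route_key(key)
        if account is not None:
            seen[(account, region)].add(table)
    return sorted(
        pair for pair, tables in seen.items()
        if "default" in tables and "digest" not in tables
    )

# Sample keys: the first is the path quoted on this page, the rest are constructed.
SAMPLE_KEYS = [
    "/AWSLogs/249463413804/CloudTrail-Digest/us-east-1/2022/10/15/"
    "249463413804_CloudTrail-Digest_us-east-1_cheeseiad_us-east-1_20221015T195315Z.json.gz",
    "AWSLogs/249463413804/CloudTrail/us-east-1/2022/10/15/"
    "249463413804_CloudTrail_us-east-1_20221015T1950Z_EXAMPLE.json.gz",
    "AWSLogs/249463413804/CloudTrail-Insight/us-east-1/2022/10/15/"
    "249463413804_CloudTrail-Insight_us-east-1_20221015T1950Z_EXAMPLE.json.gz",
    "AWSLogs/249463413804/CloudTrail/eu-west-1/2022/10/15/"
    "249463413804_CloudTrail_eu-west-1_20221015T1950Z_EXAMPLE.json.gz",
]

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(route_key(k)[0], k.rsplit("/", 1)[-1])
    print("no digests for:", missing_digests(SAMPLE_KEYS))
```
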
CloudTrail data is normalized to ECS fields. Custom fields are normalized into the aws field. You can view the complete mapping to see the full schema.