|Protocol||Information Discovered||Metrics Collected||Used For|
|AWS API||Permitted traffic||Log analysis|
In ADMIN > Device Support > Event Types, search for "aws elb" to see the event types associated with this device.
There are no specific rules available for AWS ELB.
In RESOURCES > Reports, search for "aws elb" in the main content panel Search... field to see the reports associated with this device.
Follow the steps here to complete your setup in AWS.
Take the following steps to enable Elastic Load Balancing Access Logs.
- Go to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, under LOAD BALANCING, select Load Balancers.
- Select your load balancer.
- On the Description tab, select Configure Access Logs.
- On the Configure Access Logs page, take the following steps:
  - Select Enable access logs.
  - Leave Interval as the default (60 minutes).
  - At S3 location, enter the name of your S3 bucket, including the prefix, for example, my-loadbalancer-logs/my-app. You can specify the name of an existing bucket or a name for a new bucket.
  - (Optional) If the bucket does not exist, select Create this location for me. You must specify a name that is unique across all existing bucket names in Amazon S3 and follows the DNS naming conventions. For more information, see Bucket naming rules in the Amazon Simple Storage Service Guide.
- Click Save.
Take the following steps to enable Event Notifications.
- Go to the Amazon S3 console at https://s3.console.aws.amazon.com/s3/.
- Select your bucket.
- Click Properties.
- Click Event notifications > Create event notification.
- Input Event name and Prefix.
- Select All object create events for Event Types.
- Select SQS queue for Destination.
- Select your SQS.
- Click Save changes.
Do not use this SQS queue with any other servers. The format of an SQS message coming from another server may not be the same as that of a message coming from S3, which the ELB integration uses. For example, a message coming from the CloudTrail server may not have the same format.
Ensure the Message retention period property for SQS is 12 hours.
Ensure the Default visibility timeout property for SQS is 1 day.
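Why the queue has to be dedicated, shown as an added example (not FortiSIEM's own code): a consumer that expects S3 event notifications must reject any message body of a different shape. The function name, bucket, prefix and sample bodies are constructed for illustration.

```python
import json
from urllib.parse import unquote_plus

# Constructed sample SQS message bodies (not captured from a real queue).
S3_BODY = json.dumps({"Records": [{
    "eventSource": "aws:s3",
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "my-loadbalancer-logs"},
           "object": {"key": "my-app/AWSLogs/sample%2B1.log.gz", "size": 512}},
}]})
S3_TEST_BODY = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                           "Bucket": "my-loadbalancer-logs"})
OTHER_BODY = json.dumps({"Type": "Notification", "Message": "{}"})  # different shape


def elb_log_objects(body, bucket, prefix):
    """Return (bucket, key) pairs for new log objects named in one SQS body.

    Raises ValueError when the body is not an S3 event notification, which is
    what a consumer would see if another service shared the queue.
    """
    try:
        msg = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not JSON") from exc
    if not isinstance(msg, dict):
        raise ValueError("body is not a JSON object")
    if msg.get("Event") == "s3:TestEvent":
        return []  # S3 sends this once when the notification is created
    records = msg.get("Records")
    if not isinstance(records, list):
        raise ValueError("not an S3 event notification")
    found = []
    for rec in records:
        if not isinstance(rec, dict) or rec.get("eventSource") != "aws:s3":
            raise ValueError("record from an unexpected source")
        if not str(rec.get("eventName", "")).startswith("ObjectCreated:"):
            continue  # only object-creation events announce a new log file
        try:
            name = rec["s3"]["bucket"]["name"]
            key = unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        except (KeyError, TypeError) as exc:
            raise ValueError("malformed S3 record") from exc
        if name == bucket and key.startswith(prefix):
            found.append((name, key))
    return found
```
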
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, select Users.
- Click Add user.
- In the User Name field, enter a user name.
- For AWS access type, select Programmatic access.
- Click Next: Permissions.
- Select the Attach existing policies directly tab.
- Select AmazonS3ReadOnlyAccess and AmazonSQSFullAccess.
- Click Next: Tags, then click Next: Review.
- Click Create user.
- Click Download Credentials. The downloaded CSV file contains the Access Key ID and Secret Access Key that will be used in FortiSIEM.
- Click Close.
If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.
You can now configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. You should also be sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure.
Complete these steps in the FortiSIEM UI:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box:
Note: Make sure no other devices use the same credential, otherwise events may appear missing.
| Settings | Description |
|---|---|
| Name | Enter a name for the credential |
| Device Type | Amazon AWS ELB |
| Access Protocol | AWS_ELB |
| Region | The region in which your AWS instance is located |
| Bucket | The AWS S3 bucket |
| SQS Queue URL | Provide the full URL, for example: |
| Password Config | See Password Configuration. |
| Access Key ID | The access key for your EC2 instance |
| Secret Key | The secret key for your EC2 instance |
| Confirm Secret Key | Enter the secret key for validation. |
| | If you provided an access key, you can leave this field blank. |
| | Select an organization from the drop-down list. |
| Description | Description about the device |
- In Step 2: Enter IP Range to Credential Associations, click New.
- Enter a host name, an IP, or an IP range in the IP/Host Name field.
- Select the name of your credential from the Credentials drop-down list.
- Click Save.
- Click the Test drop-down list and select Test Connectivity to test the connection to AWS ELB.
- To see the jobs associated with AWS ELB, select ADMIN > Setup > Pull Events.
- To see the received events select ANALYTICS, then enter "ELB" in the search box.
AWS-ELB:phCustId=1,reptDevIpAddr=10.10.103.205,reptDevName=amazon.com,msg=http 2021-02-11T01:56:06.000372Z app/shashi-elb/061d492a88a60fb1 10.10.168.108:46938 - -1 -1 -1 503 - 500 337 "POST http://10.10.29.144:80/boaform/admin/formLogin HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" - - arn:aws:elasticloadbalancing:us-west-2:623885071509:targetgroup/shashi-tg/974fbb8764192573 "Root=1-60248eb5-01950dcf187ac3c244ab2231" "-" "-" 0 2021-02-11T01:56:05.999000Z "forward" "-" "-" "-" "-" "-" "-"
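The sample event above, parsed into named fields, as an added example (not FortiSIEM's parser). The field order follows the AWS Application Load Balancer access log format; `parse_event` and the derived keys `method`, `url`, `protocol` and `reached_target` are names chosen here.

```python
import shlex

# Field order of an Application Load Balancer access log entry (AWS documentation).
ALB_FIELDS = (
    "type time elb client target request_processing_time "
    "target_processing_time response_processing_time elb_status_code "
    "target_status_code received_bytes sent_bytes request user_agent "
    "ssl_cipher ssl_protocol target_group_arn trace_id domain_name "
    "chosen_cert_arn matched_rule_priority request_creation_time "
    "actions_executed redirect_url error_reason target_port_list "
    "target_status_code_list classification classification_reason"
).split()

# The sample event shown above, split across lines for readability.
RAW_EVENT = (
    'AWS-ELB:phCustId=1,reptDevIpAddr=10.10.103.205,reptDevName=amazon.com,'
    'msg=http 2021-02-11T01:56:06.000372Z app/shashi-elb/061d492a88a60fb1 '
    '10.10.168.108:46938 - -1 -1 -1 503 - 500 337 '
    '"POST http://10.10.29.144:80/boaform/admin/formLogin HTTP/1.1" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" '
    '- - arn:aws:elasticloadbalancing:us-west-2:623885071509:targetgroup/shashi-tg/974fbb8764192573 '
    '"Root=1-60248eb5-01950dcf187ac3c244ab2231" "-" "-" 0 '
    '2021-02-11T01:56:05.999000Z "forward" "-" "-" "-" "-" "-" "-"'
)


def parse_event(raw):
    """Split a FortiSIEM AWS-ELB raw event into (tag, metadata, ALB fields)."""
    header, sep, msg = raw.partition(",msg=")
    if not sep:
        raise ValueError("no msg= payload in event")
    tag, _, attrs = header.partition(":")
    meta = dict(kv.split("=", 1) for kv in attrs.split(","))
    values = shlex.split(msg)  # honours the double-quoted fields
    if len(values) < len(ALB_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(ALB_FIELDS), len(values)))
    fields = dict(zip(ALB_FIELDS, values))  # fields beyond the known list are ignored
    # The request field is "METHOD URL PROTOCOL"; pad so malformed requests still unpack.
    method, url, protocol = (fields["request"].split(" ", 2) + ["-", "-"])[:3]
    fields.update(method=method, url=url, protocol=protocol)
    # target is "-" when no target IP:port was recorded for the request.
    fields["reached_target"] = fields["target"] != "-"
    return tag, meta, fields
```
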