AWS CloudTrail monitoring integration

Access to this feature depends on your subscription level. Requires Infrastructure Pro.

New Relic Infrastructure integrations include an integration for reporting your AWS CloudTrail events to New Relic products. This document explains how to activate this integration and describes the data that can be reported.

Features

This integration collects information from AWS CloudTrail, which captures and records AWS account activity, mainly for audit and governance purposes.

New Relic's AWS CloudTrail integration collects events that represent errors and AWS console logins. Errors give you awareness about API calls and services that have failed, and console logins help you monitor console activity and potential intrusion attempts.

New Relic collects no other AWS CloudTrail data, because the remaining CloudTrail activity is already reported by New Relic in the form of inventory change events.

Activate integration

To enable this integration:

  1. Make sure you have installed the Infrastructure agent before you activate AWS integrations from your Infrastructure account.
  2. Follow standard procedures to Connect AWS services to Infrastructure.

Configuration and polling

You can change the polling frequency and filter data using configuration options.

Default polling information for the AWS CloudTrail integration:

  • New Relic polling interval: 5 minutes

Find and use data

To find your integration data in Infrastructure, go to infrastructure.newrelic.com > Integrations > Amazon Web Services and select one of the AWS CloudTrail integration links.

This integration does not provide metric or inventory data: only event data. You can use Infrastructure's Events page to view a timeline of these events.

In New Relic Insights, data is attached to the InfrastructureEvent event type, with a provider value of CloudTrail.

For general information about how to find and use integration data, see Understand integration data.

Event attributes

Here are attributes that can be reported with CloudTrail events:

Attribute            Description
awsRegion            The AWS region the request was made to.
cloudTrailEventType  Identifies the type of event that generated the event record. This can be one of the following values: AwsApiCall, AwsServiceEvent, ConsoleSignin.
errorCode            The AWS service error (if the request returns an error). For a list of the most common errors, see the AWS CloudTrail documentation.
errorMessage         If the request returns an error, the description of the error.
eventId              The unique identifier of the event.
eventName            The requested action.
eventSource          The AWS service the request was made to.
sourceIpAddress      The IP address from which the request was made.
userAgent            The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs, or the AWS CLI.
userName             The user name or role name of the requester that made the API call recorded in the event.

Insights query examples

You can use New Relic Insights to run queries of AWS CloudTrail data, and optionally use New Relic Alerts to set alerts on that data.

Query example: Count of failed API calls

Query for a count of failed API calls, aggregated by the AWS service that the request was made to:

SELECT count(*) FROM InfrastructureEvent WHERE provider = 'CloudTrail'
    AND cloudTrailEventType = 'AwsApiCall'
    FACET eventSource

Query example: Count of console login errors

Query to find all console login errors:

SELECT * FROM InfrastructureEvent WHERE provider = 'CloudTrail'
    AND cloudTrailEventType = 'AwsConsoleSignIn'
    AND errorMessage IS NOT NULL
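To show what these two queries actually select, here is an added example (not New Relic's code) that maps raw CloudTrail records onto the event attributes listed above, drops records the integration would not report (per this page, only errors and console logins are collected), and then evaluates the logic of both queries over a handful of constructed records. The raw field names (eventID, sourceIPAddress, userIdentity.userName) are assumed to follow CloudTrail's record format, and the sign-in value used is the AwsConsoleSignIn the second query filters on.

```python
from collections import Counter

# Constructed sample records in the raw CloudTrail JSON shape (invented values; field
# names are assumed to follow CloudTrail's record format, e.g. eventID, sourceIPAddress).
RAW_EVENTS = [
    {"eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.0",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied", "eventID": "evt-1",
     "userIdentity": {"userName": "alice"}},
    {"eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.0",
     "eventID": "evt-2", "userIdentity": {"userName": "alice"}},  # succeeded: not reported
    {"eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9", "userAgent": "aws-sdk-go/1.0",
     "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized",
     "eventID": "evt-3", "userIdentity": {"userName": "ci-role"}},
    {"eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.55",
     "userAgent": "Mozilla/5.0", "errorMessage": "Failed authentication", "eventID": "evt-4",
     "userIdentity": {"userName": "bob"}},
    {"eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.56",
     "userAgent": "Mozilla/5.0", "eventID": "evt-5", "userIdentity": {"userName": "bob"}},
]

def to_infrastructure_event(raw):
    """Map a raw record to the attributes listed above; None when the integration would
    not report it (only errors and console logins are collected, successful or not)."""
    is_error = "errorCode" in raw or "errorMessage" in raw
    if raw["eventType"] != "AwsConsoleSignIn" and not is_error:
        return None
    return {"provider": "CloudTrail", "awsRegion": raw["awsRegion"],
            "cloudTrailEventType": raw["eventType"], "errorCode": raw.get("errorCode"),
            "errorMessage": raw.get("errorMessage"), "eventId": raw["eventID"],
            "eventName": raw["eventName"], "eventSource": raw["eventSource"],
            "sourceIpAddress": raw["sourceIPAddress"], "userAgent": raw["userAgent"],
            "userName": raw.get("userIdentity", {}).get("userName")}

def failed_api_calls_by_source(events):
    """Same result as the first NRQL query: AwsApiCall events counted per eventSource."""
    return Counter(e["eventSource"] for e in events
                   if e["provider"] == "CloudTrail" and e["cloudTrailEventType"] == "AwsApiCall")

def console_login_errors(events):
    """Same result as the second NRQL query: console sign-ins that carry an errorMessage."""
    return [e for e in events if e["provider"] == "CloudTrail"
            and e["cloudTrailEventType"] == "AwsConsoleSignIn" and e["errorMessage"] is not None]

EVENTS = [e for e in map(to_infrastructure_event, RAW_EVENTS) if e is not None]
```

Note that the first query needs no error filter only because the integration already drops successful API calls; the successful console login (evt-5) is still reported, which is why the second query must filter on errorMessage.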

For more help

Recommendations for learning more: