After many conversations with our AWS customers and the AWS CloudTrail team, we recently released our AWS CloudTrail integration to automatically support the most important log events our customers wanted to monitor across their AWS environments. We found that some of the most common needs for notifications included:

  • Starting, stopping, terminating, rebooting instances
  • Creating or deleting security groups
  • Creating and deleting users
  • Updating user profiles
  • Adding and removing groups
  • Updating role and password policies
  • Signing certificate upload or deletion

Logentries will alert you in real time when any of these events occurs so that you can react appropriately. But what do you do if something suspicious actually occurs in your AWS environment? For example, you get notified that a new security group has been created that opens up all of your servers so that they are accessible from any IP address, or that someone has created a new user with admin privileges?
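The following is an added example, not Logentries' integration code, showing what a detector for the events in the list above looks like when run over a CloudTrail log delivery file. CloudTrail does not record the bullet points by those names, so the mapping from each bullet to CloudTrail `eventName` values is my own (the AWS API action names I know CloudTrail records for each activity); the shape of `requestParameters` for `AuthorizeSecurityGroupIngress` is also as I know it and is labelled an assumption. The two higher-severity rules cover the two scenarios in the paragraph above: an ingress rule open to any IP address, and `AdministratorAccess` attached to a freshly created user. The records in `SAMPLE_LOG` are constructed (example account ID and documentation IP range).

```python
"""Flag security-relevant CloudTrail events from a log delivery file.

Added example (not Logentries code). The eventName mapping below is an
assumption based on the AWS API action names CloudTrail records.
"""
import json
from typing import Dict, Iterable, List

# Assumed mapping from the bullet list to CloudTrail eventName values.
WATCHED_EVENTS = {
    # Starting, stopping, terminating, rebooting instances
    "RunInstances": "instance lifecycle",
    "StartInstances": "instance lifecycle",
    "StopInstances": "instance lifecycle",
    "TerminateInstances": "instance lifecycle",
    "RebootInstances": "instance lifecycle",
    # Creating or deleting security groups (plus the rule changes that open them)
    "CreateSecurityGroup": "security group change",
    "DeleteSecurityGroup": "security group change",
    "AuthorizeSecurityGroupIngress": "security group change",
    # Creating and deleting users, updating user profiles
    "CreateUser": "IAM user change",
    "DeleteUser": "IAM user change",
    "UpdateUser": "IAM user change",
    "UpdateLoginProfile": "IAM user change",
    # Adding and removing groups
    "CreateGroup": "IAM group change",
    "DeleteGroup": "IAM group change",
    # Updating role and password policies
    "UpdateAssumeRolePolicy": "IAM policy change",
    "UpdateAccountPasswordPolicy": "IAM policy change",
    "AttachUserPolicy": "IAM policy change",
    # Signing certificate upload or deletion
    "UploadSigningCertificate": "signing certificate change",
    "DeleteSigningCertificate": "signing certificate change",
}

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def is_world_open(permission: Dict) -> bool:
    """True if one ipPermissions item allows 0.0.0.0/0 or ::/0.

    Assumes the requestParameters layout CloudTrail uses for
    AuthorizeSecurityGroupIngress: ipPermissions.items[].ipRanges.items[].cidrIp
    """
    v4 = permission.get("ipRanges", {}).get("items", [])
    v6 = permission.get("ipv6Ranges", {}).get("items", [])
    return (any(r.get("cidrIp") == "0.0.0.0/0" for r in v4)
            or any(r.get("cidrIpv6") == "::/0" for r in v6))


def scan_records(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per watched record; escalate the two dangerous cases."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        category = WATCHED_EVENTS.get(name)
        if category is None:
            continue  # read-only or uninteresting API call
        params = rec.get("requestParameters") or {}
        finding = {
            "time": rec.get("eventTime"),
            "event": name,
            "category": category,
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "severity": "notice",
            "note": "",
        }
        if name == "AuthorizeSecurityGroupIngress":
            items = params.get("ipPermissions", {}).get("items", [])
            if any(is_world_open(p) for p in items):
                finding["severity"] = "high"
                finding["note"] = "ingress rule open to any IP address"
        if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            finding["severity"] = "high"
            finding["note"] = "AdministratorAccess attached to user %s" % params.get("userName")
        findings.append(finding)
    return findings


def scan_log_file_text(text: str) -> List[Dict]:
    """A CloudTrail delivery file is a JSON object with a top-level Records array."""
    return scan_records(json.loads(text)["Records"])


# Constructed sample: one actor opens SSH to the world and creates an admin user.
_ACTOR = {"arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-10-01T12:00:01Z", "eventName": "CreateSecurityGroup",
     "sourceIPAddress": "203.0.113.5", "userIdentity": _ACTOR,
     "requestParameters": {"groupName": "wide-open", "groupDescription": "test"}},
    {"eventTime": "2014-10-01T12:00:02Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.5", "userIdentity": _ACTOR,
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-10-01T12:05:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.5", "userIdentity": _ACTOR,
     "requestParameters": {"userName": "backdoor"}},
    {"eventTime": "2014-10-01T12:05:01Z", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.5", "userIdentity": _ACTOR,
     "requestParameters": {"userName": "backdoor", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2014-10-01T12:06:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.5", "userIdentity": _ACTOR, "requestParameters": None},
]})

if __name__ == "__main__":
    for f in scan_log_file_text(SAMPLE_LOG):
        print(f["severity"].upper(), f["time"], f["event"], f["actor"], f["note"])
```

The point of the two escalations is that the create events on their own are noise in most accounts; what you want paged on is the follow-up call that makes them dangerous, so correlate on the actor and time window rather than on event names alone.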

You’ll likely want to dig into the logs on your different EC2 instances to check whether anyone has logged in and exactly what they have been up to. To help with investigation at the instance level, today we announced our new Windows Security Event Integration. Logentries will automatically notify you in real time when important events occur in your Windows event logs, such as when audit logs are cleared, when user log-ins fail, when audit policies are changed, and more. For more details on enabling these for your Logentries account, check out our integration guide.
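As an added example (not the Logentries integration itself), here is the instance-level check the paragraph describes, run over Windows Security events exported as XML (the format `wevtutil qe Security /f:xml` produces). The event IDs are the well-known Windows Security log IDs for the activity named above: 1102 for the audit log being cleared, 4719 for an audit policy change, 4625 for a failed logon, and 4624 for a successful one. The burst threshold and the sample events in `SAMPLE_XML` are constructed; the field names inside them are those I know from the Security log schema, so treat that layout as an assumption.

```python
"""Parse exported Windows Security events and flag the ones worth investigating.

Added example (not Logentries code). Sample events below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# Well-known Security log event IDs -> (description, base severity).
EVENT_IDS = {
    1102: ("audit log cleared", "high"),
    4719: ("system audit policy changed", "high"),
    4625: ("failed logon", "low"),
    4624: ("successful logon", "info"),
}
FAILED_LOGON_THRESHOLD = 5  # assumption: tune for your environment


def _local(tag: str) -> str:
    """Strip the XML namespace so we can match on element names."""
    return tag.rsplit("}", 1)[-1]


def parse_events(xml_text: str) -> List[Dict]:
    """wevtutil prints one <Event> after another, so wrap them in a root element."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root:
        if _local(ev.tag) != "Event":
            continue
        rec = {"id": None, "time": None, "computer": None, "data": {}}
        for child in ev:
            kind = _local(child.tag)
            if kind == "System":
                for s in child:
                    n = _local(s.tag)
                    if n == "EventID":
                        rec["id"] = int(s.text)
                    elif n == "TimeCreated":
                        rec["time"] = s.get("SystemTime")
                    elif n == "Computer":
                        rec["computer"] = s.text
            elif kind == "EventData":  # <Data Name="...">value</Data> pairs
                for d in child:
                    rec["data"][d.get("Name")] = (d.text or "").strip()
            elif kind == "UserData":   # 1102 carries its fields as nested elements
                for d in child.iter():
                    if d is not child and d.text and d.text.strip():
                        rec["data"][_local(d.tag)] = d.text.strip()
        events.append(rec)
    return events


def find_alerts(events: List[Dict]) -> List[Dict]:
    """One alert per watched event, plus one per source IP that bursts failed logons."""
    alerts, failures = [], Counter()
    for e in events:
        rule = EVENT_IDS.get(e["id"])
        if rule is None:
            continue
        desc, sev = rule
        d = e["data"]
        alerts.append({"time": e["time"], "host": e["computer"], "id": e["id"],
                       "desc": desc, "severity": sev,
                       "user": d.get("TargetUserName") or d.get("SubjectUserName"),
                       "source_ip": d.get("IpAddress")})
        if e["id"] == 4625 and d.get("IpAddress"):
            failures[d["IpAddress"]] += 1
    for ip, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            alerts.append({"time": None, "host": None, "id": 4625, "severity": "high",
                           "desc": "%d failed logons from %s" % (n, ip),
                           "user": None, "source_ip": ip})
    return alerts


_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _event(event_id: int, time: str, data: Dict[str, str]) -> str:
    """Build one constructed Security-Auditing event in wevtutil's XML shape."""
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            '<EventID>%d</EventID><TimeCreated SystemTime="%s"/><Computer>web01.example.local'
            '</Computer></System><EventData>%s</EventData></Event>' % (_NS, event_id, time, body))


# Constructed sample: six RDP password failures, a success, a policy change, then the log is cleared.
_FAIL = {"TargetUserName": "Administrator", "IpAddress": "203.0.113.9", "LogonType": "10", "Status": "0xc000006d"}
SAMPLE_XML = "".join(
    [_event(4625, "2014-10-01T12:00:%02dZ" % i, _FAIL) for i in range(6)]
    + [_event(4624, "2014-10-01T12:00:07Z", {"TargetUserName": "Administrator", "IpAddress": "203.0.113.9", "LogonType": "10"}),
       _event(4719, "2014-10-01T12:01:00Z", {"SubjectUserName": "Administrator"}),
       '<Event xmlns="%s"><System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>'
       '<TimeCreated SystemTime="2014-10-01T12:02:00Z"/><Computer>web01.example.local</Computer></System>'
       '<UserData><LogFileCleared><SubjectUserName>Administrator</SubjectUserName>'
       '<SubjectDomainName>WEB01</SubjectDomainName></LogFileCleared></UserData></Event>' % _NS])

if __name__ == "__main__":
    for a in find_alerts(parse_events(SAMPLE_XML)):
        print(a["severity"].upper(), a["time"], a["id"], a["desc"], a["user"], a["source_ip"])
```

The 1102 event is the one to weight most heavily: an attacker who clears the Security log after logging in leaves you that single record, which is why shipping these events off the box in real time matters more than any per-event rule.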

We’ve gotten feedback from across our Community, and from specific customers, to identify the relevant events that should be flagged or that you will want to know about when investigating security events in your Windows environment. Kirill Bensonoff, of ComputerSupport.com, outlined the advantages of getting automated AWS CloudTrail and Windows event notifications together: