You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Monitoring/ingest_nas_audit_logs_into_cloudwatch/README.md
+28-27Lines changed: 28 additions & 27 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -82,33 +82,34 @@ and `DeleteNetworkInterface` actions. The correct resource line is `arn:aws:ec2:
82
82
1. Click on the `Next` button.
83
83
1. The next page will provide all the configuration parameters you can provide:
84
84
85
-
|Parameter|Required|Description|
86
-
|---|---|--|
87
-
|Stack Name|Yes|The name of the CloudFormation stack. This can be anything, but since it is used as a suffix for some of the resources it creates, keep it under 40 characters.|
88
-
|volumeName|Yes|This is the name of the volume that will contain the audit logs. This should be the same on all SVMs on all the FSx for ONTAP file systems you want to ingest the audit logs from.|
89
-
|checkInterval|Yes|The interval in minutes that the Lambda function will check for new audit logs. You should set this to match the rotate frequency you have set for your audit logs.|
90
-
|logGroupName|Yes|The name of the CloudWatch log group to ingest the audit logs into. This should have already been created based on your business requirements.|
91
-
|subNetIds|Yes|Select the subnets that you want the Lambda function to run in. Any subnet selected must have connectivity to all the FSxN file system management endpoints that you want to gather audit logs from.|
92
-
|lambdaSecruityGroupsIds|Yes|Select the security groups that you want the Lambda function associated with. The security group must allow outbound traffic on TCP port 443. Inbound rules don't matter since the Lambda function is not accessible from a network.|
93
-
|s3BucketName|Yes|The name of the S3 bucket where the stats file is stored. This bucket must already exist.|
94
-
|s3BucketRegion|Yes|The region of the S3 bucket resides.|
95
-
|secretArn|Yes|The ARN to the secret that contains the credentials for the FSxN file systems that you want to ingest audit logs from.|
96
-
|createWatchdogAlarm|No|If set to `true` it will create a CloudWatch alarm that will alert you if the Lambda function throws in error.|
97
-
|snsTopicArn|No|The ARN of the SNS topic to send the alarm to. This is required if `createWatchdogAlarm` is set to `true`.|
98
-
|lambdaRoleArn|No|The ARN of the role that the Lambda function will use. If not provided, the CloudFormation script will create a role for you.|
99
-
|schedulreRoleArn|No|The ARN of the role that the EventBridge scheduler will run as. If not provided, the CloudFormation script will create a role for you.|
100
-
|createFsxEndpoint|No|If set to `true` it will create the VPC endpoints for the FSx service|
101
-
|createCloudWatchLogsEndpoint|No|If set to `true` it will create the VPC endpoints for the CloudWatch Logs service|
102
-
|createSecretsManagerEndpoint|No|If set to `true` it will create the VPC endpoints for the Secrets Manager service|
103
-
|createS3Endpoint|No|If set to `true` it will create the VPC endpoints for the S3 service|
104
-
|routeTableIds|No|If creating an S3 gateway endpoint, these are the routing tables you want updated to use the endpoint.|
105
-
|vpcId|No|This is the VPC that the endpoint(s) will be created in. Only needed if you are creating an endpoint.|
106
-
|endpointSecurityGroupIds|No|The security group that the endpoint(s) will be associated with. Only needed if you are creating an endpoint.|
107
-
1. Click on the `Next` button.
108
-
1. The next page will provide for some additional configuration options. You can leave these as the default values. At the bottom of the page, there is a checkbox that you must check to allow the CloudFormation script to create the necessary IAM roles and policies. Note that if you have provided the ARN to the two required roles, then the CloudFormation script will not create any roles.
109
-
1. Click on the `Next` button.
110
-
1. The next page will provide a summary of the configuration you have provided. Review it to ensure it is correct.
111
-
1. Click on the `Create stack` button.
85
+
|Parameter|Required|Description|
86
+
|---|---|--|
87
+
|Stack Name|Yes|The name of the CloudFormation stack. This can be anything, but since it is used as a suffix for some of the resources it creates, keep it under 40 characters.|
88
+
|volumeName|Yes|This is the name of the volume that will contain the audit logs. This should be the same on all SVMs on all the FSx for ONTAP file systems you want to ingest the audit logs from.|
89
+
|checkInterval|Yes|The interval in minutes that the Lambda function will check for new audit logs. You should set this to match the rotate frequency you have set for your audit logs.|
90
+
|logGroupName|Yes|The name of the CloudWatch log group to ingest the audit logs into. This should have already been created based on your business requirements.|
91
+
|subNetIds|Yes|Select the subnets that you want the Lambda function to run in. Any subnet selected must have connectivity to all the FSxN file system management endpoints that you want to gather audit logs from.|
92
+
|lambdaSecruityGroupsIds|Yes|Select the security groups that you want the Lambda function associated with. The security group must allow outbound traffic on TCP port 443. Inbound rules don't matter since the Lambda function is not accessible from a network.|
93
+
|s3BucketName|Yes|The name of the S3 bucket where the stats file is stored. This bucket must already exist.|
94
+
|s3BucketRegion|Yes|The region of the S3 bucket resides.|
95
+
|secretArn|Yes|The ARN to the secret that contains the credentials for the FSxN file systems that you want to ingest audit logs from.|
96
+
|createWatchdogAlarm|No|If set to `true` it will create a CloudWatch alarm that will alert you if the Lambda function throws in error.|
97
+
|snsTopicArn|No|The ARN of the SNS topic to send the alarm to. This is required if `createWatchdogAlarm` is set to `true`.|
98
+
|lambdaRoleArn|No|The ARN of the role that the Lambda function will use. If not provided, the CloudFormation script will create a role for you.|
99
+
|schedulreRoleArn|No|The ARN of the role that the EventBridge scheduler will run as. If not provided, the CloudFormation script will create a role for you.|
100
+
|createFsxEndpoint|No|If set to `true` it will create the VPC endpoints for the FSx service|
101
+
|createCloudWatchLogsEndpoint|No|If set to `true` it will create the VPC endpoints for the CloudWatch Logs service|
102
+
|createSecretsManagerEndpoint|No|If set to `true` it will create the VPC endpoints for the Secrets Manager service|
103
+
|createS3Endpoint|No|If set to `true` it will create the VPC endpoints for the S3 service|
104
+
|routeTableIds|No|If creating an S3 gateway endpoint, these are the routing tables you want updated to use the endpoint.|
105
+
|vpcId|No|This is the VPC that the endpoint(s) will be created in. Only needed if you are creating an endpoint.|
106
+
|endpointSecurityGroupIds|No|The security group that the endpoint(s) will be associated with. Only needed if you are creating an endpoint.|
107
+
108
+
6. Click on the `Next` button.
109
+
7. The next page will provide for some additional configuration options. You can leave these as the default values. At the bottom of the page, there is a checkbox that you must check to allow the CloudFormation script to create the necessary IAM roles and policies. Note that if you have provided the ARN to the two required roles, then the CloudFormation script will not create any roles.
110
+
8. Click on the `Next` button.
111
+
9. The next page will provide a summary of the configuration you have provided. Review it to ensure it is correct.
112
+
10. Click on the `Create stack` button.
112
113
113
114
## After deployment tasks
114
115
### Confirm that the Lambda function is ingesting audit logs.
0 commit comments