scanner
  • About Scanner
  • When to use it
  • Architecture
  • Getting Started
  • Playground Guide
    • Overview
    • Part 1: Search and Analysis
    • Part 2: Detection Rules
    • Wrapping Up
  • Log Data Sources
    • Overview
    • List
      • AWS
        • AWS Aurora
        • AWS CloudTrail
        • AWS CloudWatch
        • AWS ECS
        • AWS EKS
        • AWS GuardDuty
        • AWS Lambda
        • AWS Route53 Resolver
        • AWS VPC Flow
        • AWS VPC Transit Gateway Flow
        • AWS WAF
      • Cloudflare
        • Audit Logs
        • Firewall Events
        • HTTP Requests
        • Other Datasets
      • Crowdstrike
      • Custom via Fluentd
      • Fastly
      • GitHub
      • Jamf
      • Lacework
      • Osquery
      • OSSEC
      • Sophos
      • Sublime Security
      • Suricata
      • Syslog
      • Teleport
      • Windows Defender
      • Windows Sysmon
      • Zeek
  • Indexing Your Logs in S3
    • Linking AWS Accounts
      • Manual setup
        • AWS CloudShell
      • Infra-as-code
        • AWS CloudFormation
        • Terraform
        • Pulumi
    • Creating S3 Import Rules
      • Configuration - Basic
      • Configuration - Optional Transformations
      • Previewing Imports
      • Regular Expressions in Import Rules
  • Using Scanner
    • Query Syntax
    • Aggregation Functions
      • avg()
      • count()
      • countdistinct()
      • eval()
      • groupbycount()
      • max()
      • min()
      • percentile()
      • rename()
      • stats()
      • sum()
      • table()
      • var()
      • where()
    • Detection Rules
      • Event Sinks
      • Out-of-the-Box Detection Rules
      • MITRE Tags
    • API
      • Ad hoc queries
      • Detection Rules
      • Event Sinks
      • Validating YAML files
    • Built-in Indexes
      • _audit
    • Role-Based Access Control (RBAC)
    • Beta features
      • Scanner for Splunk
        • Getting Started
        • Using Scanner Search Commands
        • Dashboards
        • Creating Custom Content in Splunk Security Essentials
      • Scanner for Grafana
        • Getting Started
      • Jupyter Notebooks
        • Getting Started with Jupyter Notebooks
        • Scanner Notebooks on Github
      • Detection Rules as Code
        • Getting Started
        • Writing Detection Rules
        • CLI
        • Managing Synced Detection Rules
      • Detection Alert Formatting
        • Customizing PagerDuty Alerts
      • Scalar Functions and Operators
        • coalesce()
        • if()
        • arr.join()
        • math.abs()
        • math.round()
        • str.uriencode()
  • Single Sign On (SSO)
    • Overview
    • Okta
      • Okta Workforce
      • SAML
  • Self-Hosted Scanner
    • Overview
Powered by GitBook
On this page
  • Step 1: Configure ECS to publish logs to CloudWatch
  • Step 2: Set up CloudWatch to push to Kinesis Data Firehose
  • Step 3: Configure the Kinesis Data Firehose to write logs to S3
  • Step 4: Link the S3 bucket to Scanner
  • Step 5: Set up an S3 Import Rule in Scanner

Was this helpful?

  1. Log Data Sources
  2. List
  3. AWS

AWS ECS

PreviousAWS CloudWatchNextAWS EKS

Last updated 7 months ago

Was this helpful?

Scanner supports AWS ECS logs, which are logs generated by your containers running in ECS.

In order for Scanner to see your ECS logs, you can configure ECS to publish logs to CloudWatch, then configure the CloudWatch log groups to forward data to a Kinesis Data Firehose, which can then write the logs into an S3 bucket that Scanner is linked to.

Step 1: Configure ECS to publish logs to CloudWatch

You can follow AWS documentation to publish your ECS logs to one or more CloudWatch log groups. See: .

Step 2: Set up CloudWatch to push to Kinesis Data Firehose

You can follow the AWS documentation to configure your CloudWatch log groups to push their logs to a Kinesis Data Firehose. See: .

Step 3: Configure the Kinesis Data Firehose to write logs to S3

A Kinesis Data Firehose can push logs to various destinations. We want to push to an S3 bucket that Scanner is linked to. You can follow the AWS documentation to configure the Firehose to write to an S3 bucket. See: .

Step 4: Link the S3 bucket to Scanner

If you haven't done so already, link the S3 bucket containing your ECS logs to Scanner using the Linking AWS Accounts guide.

Step 5: Set up an S3 Import Rule in Scanner

  1. Within Scanner, navigate to Settings > S3 Import Rules.

  2. Click Create Rule.

  3. For Rule name, type a name like my_team_name_aws_ecs_logs.

  4. For Destination Index, choose the index where you want these logs to be searchable in Scanner.

  5. For Status, set to Active if you want to start indexing the data immediately.

  6. For Source Type, we recommend aws:ecs, but you are free to choose any name. However, out-of-the-box detection rules will expect aws:ecs.

  7. For AWS Account, choose the account that contains the S3 bucket containing your ECS logs.

  8. For S3 Bucket, choose the S3 bucket containing your ECS logs.

  9. For S3 Key Prefix, type the prefix (i.e. directory path) of the S3 objects that your Firehose is writing.

  10. For File type, choose CloudWatchLogStream with Gzip compression.

  11. For Timestamp extractors, under Column name, type timestamp. This is the field in each log event that contains the timestamp information.

  12. Click Preview rule to try it out. Check that the S3 keys you expect are appearing, and check that the log events inside are being parsed properly with the timestamp detected properly.

  13. When you're ready, click Create.

Send Amazon ECS logs to CloudWatch
Send CloudWatch Logs to Firehose
Understand data delivery in Amazon Data Firehose