Collect AWS Elastic MapReduce logs

This document explains how to ingest AWS Elastic MapReduce (EMR) logs to Google Security Operations. AWS EMR is a cloud-native big data platform that processes large amounts of data quickly. Integrating EMR logs into Google SecOps lets you analyze cluster activity and detect potential security threats.

Before You Begin

• Ensure that you have a Google SecOps instance.
• Ensure that you have privileged access to AWS.

Configure Amazon S3 bucket

1. Create an Amazon S3 bucket following this user guide: Creating a bucket
2. Save the bucket Name and Region for later use.
3. Create a user following this user guide: Creating an IAM user.
4. Select the created User.
5. Select the Security credentials tab.
6. Click Create Access Key in the Access Keys section.
7. Select Third-party service as the Use case.
8. Click Next.
9. Optional: add a description tag.
10. Click Create access key.
11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
12. Click Done.
13. Select the Permissions tab.
14. Click Add permissions in the Permissions policies section.
15. Select Add permissions.
16. Select Attach policies directly.
17. Search for and select AmazonS3FullAccess and CloudWatchLogsFullAccess policies.
18. Click Next.
19. Click Add permissions.

Configure AWS EMR to Forward Logs

1. Sign in to the AWS Management Console.
2. In the search bar, type EMR and select Amazon EMR from the services list.
3. Click Clusters.
4. Find and select the EMR cluster for which you want to enable logging.
5. Click Edit on the Cluster details page.
6. In the Edit Cluster screen, go to the Logging section.
7. Select Enable logging.
8. Specify the S3 bucket where logs will be stored.
9. Specify the S3 URI in the format s3://your-bucket-name/ (this will store all EMR logs in the root of the bucket).
10. Select the following log types:
    • Step logs
    • Application logs
    • YARN logs
    • System logs
    • HDFS Logs (if you are using Hadoop)
11. Click Save.

Configure a feed in Google SecOps to ingest AWS EMR logs

1. Go to SIEM Settings > Feeds.
2. Click Add new.
3. In the Feed name field, enter a name for the feed (for example, AWS EMR Logs).
4. Select Amazon S3 as the Source type.
5. Select AWS EMR as the Log type.
6. Click Next.

7. Specify values for the following input parameters:

   • Region: the region where the Amazon S3 bucket is located.
   • S3 URI: the bucket URI.
     • s3://your-log-bucket-name/
       • Replace your-log-bucket-name with the actual name of the bucket.
   • URI is a: select Directory or Directory which includes subdirectories.

   • Source deletion options: select the deletion option according to your preference.

   • Access Key ID: the User access key with access to the S3 bucket.

   • Secret Access Key: the User secret key with access to the S3 bucket.

   • Asset namespace: the asset namespace.

   • Ingestion labels: the label to be applied to the events from this feed.

8. Click Next.

9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Changes

2023-12-19

• Bug-Fix: Fixed the flaky results for the Grok pattern.

2023-10-30

• Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.