Centralized AWS logging & Incident Response with Elastic

Troy Wright / Brian Hall - Proctor

Moving from a traditional data center model to AWS creates many challenges, including handling incident response for AWS systems. UCSC has a substantial set of hosts deployed in AWS and has solved its incident response problem using AWS features coupled with an on-premise Elastic cluster.

The UCSC security and applications teams worked together closely to meet policy requirements and security logging requirements for both data and hosts in AWS. Combining AWS logging features, Lambda functions, and Logstash, UCSC created a logging pipeline for AWS hosts and related data that flows directly to our on-premise SIEM tool in Elastic.
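As an added illustration of the kind of pipeline stage described above (this is example code, not UCSC's own Lambda or Logstash configuration): a Lambda handler that unpacks a CloudWatch Logs subscription event, which AWS delivers as a base64-encoded, gzipped JSON document, and turns each log line into an enriched JSON record that a Logstash `json_lines` input could ingest. The output field names (`aws.account_id`, `event.module`, and so on) and the idea of shipping the NDJSON body to Logstash over HTTP are assumptions; the sample event is constructed inline.

```python
"""Added example of a CloudWatch Logs -> Logstash forwarding stage.
Not the code from the page; field names and shipping method are assumptions."""
import base64
import gzip
import json
from datetime import datetime, timezone


def decode_cloudwatch_event(event):
    """Return the JSON document inside a CloudWatch Logs subscription event.

    Subscription filters invoke Lambda with
    {"awslogs": {"data": "<base64 of gzip-compressed JSON>"}}.
    """
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def to_logstash_records(payload):
    """Flatten payload["logEvents"] into one enriched dict per log line.

    CONTROL_MESSAGE payloads (sent when a subscription is created) carry no
    log data and are skipped. Timestamps arrive in epoch milliseconds.
    """
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    records = []
    for ev in payload["logEvents"]:
        ts = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc)
        records.append({
            "@timestamp": ts.isoformat(),
            "message": ev["message"],
            # Enrichment: keep enough context to pivot on in the SIEM.
            "aws": {
                "account_id": payload["owner"],
                "log_group": payload["logGroup"],
                "log_stream": payload["logStream"],
            },
            "event": {"id": ev["id"], "module": "aws_cloudwatch"},  # assumed names
        })
    return records


def lambda_handler(event, context=None):
    """Lambda entry point: decode, enrich, and render NDJSON for Logstash."""
    payload = decode_cloudwatch_event(event)
    records = to_logstash_records(payload)
    ndjson = "\n".join(json.dumps(r, sort_keys=True) for r in records)
    # Assumption: in a real deployment this body would be POSTed to a Logstash
    # HTTP input over TLS; here it is returned so the stage can be tested offline.
    return {"shipped": len(records), "body": ndjson}


def make_sample_event(message_type="DATA_MESSAGE"):
    """Build a constructed subscription event in the real AWS wire format."""
    doc = {
        "messageType": message_type,
        "owner": "123456789012",               # constructed account id
        "logGroup": "/aws/ec2/secure",          # constructed log group
        "logStream": "i-0123456789abcdef0",     # constructed instance stream
        "subscriptionFilters": ["to-logstash"],
        "logEvents": [
            {"id": "1", "timestamp": 1700000000000,
             "message": "sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 22"},
            {"id": "2", "timestamp": 1700000001000,
             "message": "sshd[1234]: Connection closed by 203.0.113.5"},
        ],
    }
    blob = base64.b64encode(gzip.compress(json.dumps(doc).encode("utf-8")))
    return {"awslogs": {"data": blob.decode("ascii")}}


if __name__ == "__main__":
    print(lambda_handler(make_sample_event())["body"])
```

The split between `decode_cloudwatch_event` and `to_logstash_records` is deliberate: the decoder is the only part tied to the AWS delivery format, so the enrichment logic can be unit-tested with plain dicts and reused for other sources.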

By solving UCSC's incident response issues with AWS, the application team gained centralized log searches, enriched log data, dashboards, and alerting capabilities for AWS-hosted systems and applications.

Previous Knowledge

Elasticsearch, Logstash, Kibana, and AWS knowledge are helpful but not required.

Software Installation Expectation

No software installs are required for this presentation.