Send Cyral logs to Amazon CloudWatch
Prerequisites
The sidecar requires AWS credentials with the logs:PutLogEvents IAM permission to write logs to CloudWatch.
Additionally, if the specified log stream does not exist, the sidecar will attempt to create it, which requires the
logs:CreateLogStream permission. AWS credentials must be available to the sidecar via environment variables or other
standard methods (IAM instance profile, credentials file, etc.). Note that EC2 sidecars deployed using Cyral's
CloudFormation template or Terraform module should already have sufficient AWS permissions.
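One way to scope the two permissions above to a single log group, and to check an existing policy against that scope, as an added example (not Cyral's own code). The region, account ID and group name are constructed placeholders, and the matcher is a simplified static check rather than a full IAM evaluation.

```python
import fnmatch

# Constructed placeholders (assumptions, not values from the Cyral docs).
REGION, ACCOUNT, GROUP = "us-east-1", "123456789012", "cyral-logs"
REQUIRED = ("logs:PutLogEvents", "logs:CreateLogStream")

def scoped_policy(region, account, group):
    """Least-privilege policy: only the two actions, only this group's streams."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(REQUIRED),
            "Resource": f"arn:aws:logs:{region}:{account}:log-group:{group}:*",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, region, account, group, stream="cyral-sidecar"):
    """Return (missing_actions, findings) for the sidecar's target log stream."""
    # Simplification: Allow statements only; Deny, NotAction and Condition are
    # ignored, and both actions are matched against the stream ARN.
    target = f"arn:aws:logs:{region}:{account}:log-group:{group}:log-stream:{stream}"
    prefix = f"arn:aws:logs:{region}:{account}:log-group:{group}:"
    granted, findings = set(), []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for res in _as_list(st.get("Resource", [])):
            if not fnmatch.fnmatchcase(target, res):
                continue
            for act in _as_list(st.get("Action", [])):
                hits = [r for r in REQUIRED if fnmatch.fnmatchcase(r.lower(), act.lower())]
                granted.update(hits)
                if hits and act not in REQUIRED:
                    findings.append(f"wildcard action {act!r}")
            if not res.startswith(prefix):
                findings.append(f"resource {res!r} is broader than the log group")
    return sorted(set(REQUIRED) - granted), findings
```

An empty pair of lists means the policy grants exactly what the sidecar needs for the default cyral-sidecar stream and nothing broader.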
Procedure
To configure your Amazon CloudWatch integration, follow these steps:
1. Navigate to the Integrations page in the sidebar.
2. Click Setup or Configure on the Logging card, and click the New Integration button.
3. Select CloudWatch from the list of integration platforms.
4. Give this integration an identifiable Name of your choice.
5. In the Region field, provide the AWS region you wish to use.
6. In the Group Name field, provide the name of the CloudWatch Log Group that you want log records sent to.
7. (Optional) In the Stream Name field, provide the name of the CloudWatch Log Stream that you want log records sent to. If you omit this field, the CloudWatch log stream name will be set to cyral-sidecar.
8. Click Create.
9. For each sidecar that will send logs to this destination, configure the sidecar's advanced logging settings and select this integration for Data Activity Logs and/or Diagnostic Logs. For more information, see "Manage Sidecars -> Logging".
Next steps
- For more about monitoring a data repository, see Monitor all data activity from users and services.
- To understand log contents, see the Log Specification.
- Learn more about logging preferences.