Turbot Log Management Overview

Turbot provides many log management features that help customers centralize and aggregate logs, prevent their alteration, rotate them, and view user activity events across various tiers. Turbot centralizes all logs into regional S3 logging buckets per account, so that each account has full transparency into its raw logs in S3 and can easily visualize them in the Turbot console.

VPC flow logs are stored in CloudWatch log groups; the log groups are retained even if flow logs are disabled.

Turbot also ingests many log streams to identify configuration changes across the ecosystem, and these changes feed into the Turbot Event Bus. This supports Turbot’s ability to capture resource configuration history, trigger notifications, and trigger guardrail enforcements.

Logging activities and events in scope:

  • Event Activities, Alarms, and Stacks configurations feeding into the Turbot Event Bus:
    • Turbot User & Event Activity (any actions taken by users and Turbot automations)
    • Turbot Stack Runs (CFN, Terraform, Ansible)
    • AWS Alarms (threshold notifications)
    • AWS User Activity and configurations - AWS CloudTrail / AWS CloudWatch Events / Turbot Describe Calls
  • Turbot Activity Logs:
    • Turbot User Activity
    • Alarm History (CFN, CloudWatch, Terraform, and Ansible)
  • Infrastructure Activity Logs (AWS Accounts and Services):
    • AWS CloudTrail - AWS User Activity Logs
    • AWS Config - AWS Configuration history on resources
    • IAM Credential report - AWS IAM credential history
    • S3 Access Logs
    • VPC Flow Logs
  • Operating Systems (OS) Logs:
    • Turbot Application Logs in Turbot Master
  • Database (DB) Logs:
    • Redshift User Activity Logs
    • RDS:*
      • MySQL User Activity Logs
      • Oracle User Activity Logs
      • MS SQL User Activity Logs
      • PostgreSQL User Activity Logs
      • MariaDB User Activity Logs
      • Aurora User Activity Logs

*Note: RDS logs are captured in the DB audit tables, but are not moved off the source to S3 logging buckets.

To ensure Turbot is logging and capturing various events, the following options can be enabled:

  • AWS > Config > Configuration Recording = “Enforce: Enabled to Turbot logs”
  • AWS > CloudWatch Events > Notify Turbot of API Events = “Enabled”
  • AWS > CloudWatch Events > Notify Turbot of Console Events = “Enabled”
  • AWS > RDS > Audit Logging = “Enabled”
  • AWS > Redshift > Audit Logging = “Enabled”
  • AWS > S3 > Access Logging = “Enforce: Enabled to Turbot logs”
  • AWS > VPC > VPC Flow Logs Configuration = “Enforce: Turbot Managed Logging”
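
A read-only check of the AWS-side state behind several of these options, as an added example (not Turbot's own code). It evaluates dicts shaped like the boto3 responses from describe_configuration_recorder_status, get_bucket_logging, describe_flow_logs and describe_logging_status; the sample responses, resource names and the logging bucket name example-turbot-logs are constructed placeholders.

```python
def audit_logging(config_status, bucket_logging, flow_logs, vpc_ids,
                  redshift_logging, log_bucket):
    """Return the Turbot policy names whose AWS-side state is not compliant."""
    findings = []

    # AWS > Config > Configuration Recording: a recorder must be recording.
    recorders = config_status.get("ConfigurationRecordersStatus", [])
    if not any(r.get("recording") for r in recorders):
        findings.append("AWS > Config > Configuration Recording")

    # AWS > S3 > Access Logging: each bucket must log to the central bucket.
    for bucket, resp in sorted(bucket_logging.items()):
        target = resp.get("LoggingEnabled", {}).get("TargetBucket")
        if target != log_bucket:
            findings.append(f"AWS > S3 > Access Logging ({bucket})")

    # AWS > VPC > VPC Flow Logs Configuration: each VPC needs an ACTIVE
    # flow log delivered to a CloudWatch log group.
    covered = {
        f["ResourceId"] for f in flow_logs.get("FlowLogs", [])
        if f.get("FlowLogStatus") == "ACTIVE"
        and f.get("LogDestinationType", "cloud-watch-logs") == "cloud-watch-logs"
    }
    for vpc in sorted(set(vpc_ids) - covered):
        findings.append(f"AWS > VPC > VPC Flow Logs Configuration ({vpc})")

    # AWS > Redshift > Audit Logging: each cluster must report LoggingEnabled.
    for cluster, resp in sorted(redshift_logging.items()):
        if not resp.get("LoggingEnabled"):
            findings.append(f"AWS > Redshift > Audit Logging ({cluster})")
    return findings

# Constructed sample responses (placeholder names, not from a real account).
SAMPLE = dict(
    config_status={"ConfigurationRecordersStatus": [
        {"name": "default", "recording": True}]},
    bucket_logging={
        "app-data": {"LoggingEnabled": {"TargetBucket": "example-turbot-logs",
                                        "TargetPrefix": "s3/app-data/"}},
        "scratch": {},  # LoggingEnabled is absent when access logging is off
    },
    flow_logs={"FlowLogs": [{"ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE",
                             "LogDestinationType": "cloud-watch-logs"}]},
    vpc_ids=["vpc-0aaa", "vpc-0bbb"],
    redshift_logging={"analytics": {"LoggingEnabled": False}},
    log_bucket="example-turbot-logs",
)

if __name__ == "__main__":
    for finding in audit_logging(**SAMPLE):
        print("NOT COMPLIANT:", finding)
```

RDS audit logging is left out because the check differs per database engine.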

Record Retention options:

  • Turbot > Environment > Process Log Retention Seconds
  • Turbot > Logs > Cluster Audit Trail Retention in Days
  • Turbot > Logs > Cluster Operations Log Retention in Days
  • Turbot > Logs > Retention Archive Days
  • Turbot > Logs > Retention in Days