Consuming StaxTrail

StaxTrail is Stax's centralized logging component. You can consume StaxTrail logs into your existing SIEM solution by either subscribing to an SNS Topic, or by reviewing the contents of an S3 bucket.


Logging and audit information from the Stax platform is recorded in the staxtrail bucket in your Logging Account. You can, alternatively, subscribe to the staxtrail SNS topic in the logging account.

Before you begin

  • Time to complete: Approximately 5 minutes
  • You'll need access to log in to the logging AWS Application Account with at least Readonly level access

Finding the S3 bucket and SNS Topic

The StaxTrail S3 bucket and SNS Topic reside in your logging account. To find your logging account, log in to the Stax Console and, from the left-hand navigation, choose Accounts, then Types. Review the contents of the foundation-logging Account Type to see your logging account.

[Image: foundation-logging account type]

Log in to the logging account by clicking the vertical ellipsis (⋮) on the right-hand side, then choosing the appropriate role. If you do not have access to log in to the logging account, contact the administrator of your Stax tenancy.

[Image: Log in to logging account]

Once logged into the logging account, you can proceed to locate the StaxTrail S3 bucket and/or SNS Topic.

Locating the StaxTrail S3 Bucket

  1. Navigate to the Amazon S3 Buckets page and observe the buckets in the list. The StaxTrail bucket will have a name similar to stax-staxtrail-49a9bcb2-6c7d-4aed-bf5d-6be6ee13ad6a. You can consume the objects in this bucket using your own SIEM solution or third-party tooling.

Locating the StaxTrail SNS Topic

  1. Ensure that you're using the AWS Console in the AWS region where your Stax tenancy resides. For example, if your Stax tenancy belongs to the au1 Stax installation, you'll need to be viewing the ap-southeast-2 AWS region. Choose the appropriate region from the Region drop-down list in the AWS Console.

    [Image: Region drop-down list]

  2. Navigate to the Amazon SNS Topics page and observe the topics in the list. The StaxTrail topic will have a name similar to staxtrail-49a9bcb2-6c7d-4aed-bf5d-6be6ee13ad6a. You can subscribe to this topic with your own SIEM solution or third-party tooling.

Example StaxTrail outputs

Below is an example StaxTrail message. You should review the events in your own StaxTrail output to confirm the specific UUIDs and other values.

{
    "version": "0",
    "id": "5c23e1fc-e98a-4fc3-a18f-10f924cb062f",
    "detail-type": "stax.api",
    "source": "stax.coreapi",
    "account": "517242832086",
    "time": "2020-06-05T01:19:13Z",
    "region": "ap-southeast-2",
    "resources": [],
    "detail": {
        "operation": "workloads:ReadCatalogueItems",
        "operation-level": "CUSTOMER",
        "operation-status": "SUCCEEDED",
        "severity": "info",
        "message": "",
        "sources": [
            []
        ],
        "targets": [
            []
        ],
        "stax": {
            "installation": "stax-au1",
            "customer-id": "f928e02a-279d-4c14-9495-4c0c10fcacf6",
            "organisation-id": "dc55162f-0cd9-46dd-983a-7db12c7e2799",
            "user-id": "5668c154-1879-4927-a851-99f92b576c59",
            "trace-id": "Self=1-ef0ebd42-6544-4641-9c17-befdc2ccf389;Root=1-6e585f7d-bcd5-4cb4-bf13-ae6d89c46cc0;Parent=668dcdbf6a42e966;Sampled=1"
        }
    }
}
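
The following Python example is added here and is not Stax's own code. It normalises a StaxTrail message of the shape shown above into a flat record for SIEM ingestion, accepting either a bare event or an event wrapped in an SNS notification. Assumptions: the subscriber receives the standard SNS envelope with the event as a JSON string in "Message"; the function names, output field names and the "review" flag are hypothetical; the sample is the event above, abridged.

```python
import json

REQUIRED = ("id", "time", "source", "detail-type", "detail")

def parse_trace_id(trace_id):
    """Split 'Self=..;Root=..;Parent=..;Sampled=1' into a dict."""
    return dict(p.split("=", 1) for p in trace_id.split(";") if "=" in p)

def normalise(body):
    """Turn one delivered message (SNS envelope or bare event) into a flat record."""
    msg = json.loads(body)
    # Assumption: SNS delivers the event as a JSON string in "Message".
    if msg.get("Type") == "Notification" and "Message" in msg:
        msg = json.loads(msg["Message"])
    missing = [k for k in REQUIRED if k not in msg]
    if missing:
        raise ValueError(f"not a StaxTrail event, missing {missing}")
    detail = msg["detail"]
    stax = detail.get("stax", {})
    status = detail.get("operation-status")
    return {
        "event_id": msg["id"],
        "time": msg["time"],
        "source": msg["source"],
        "type": msg["detail-type"],
        "operation": detail.get("operation"),
        "status": status,
        "severity": detail.get("severity"),
        "user_id": stax.get("user-id"),
        "organisation_id": stax.get("organisation-id"),
        "trace_root": parse_trace_id(stax.get("trace-id", "")).get("Root"),
        # Assumption: any status other than SUCCEEDED is routed for analyst
        # review; the page only shows the SUCCEEDED value.
        "review": status != "SUCCEEDED",
    }

# Constructed sample: the page's example event (abridged) in an SNS envelope.
SAMPLE_EVENT = {
    "version": "0", "id": "5c23e1fc-e98a-4fc3-a18f-10f924cb062f",
    "detail-type": "stax.api", "source": "stax.coreapi",
    "time": "2020-06-05T01:19:13Z",
    "detail": {"operation": "workloads:ReadCatalogueItems",
               "operation-status": "SUCCEEDED", "severity": "info",
               "stax": {"user-id": "5668c154-1879-4927-a851-99f92b576c59",
                        "organisation-id": "dc55162f-0cd9-46dd-983a-7db12c7e2799",
                        "trace-id": "Self=1-ef0ebd42-6544-4641-9c17-befdc2ccf389;Root=1-6e585f7d-bcd5-4cb4-bf13-ae6d89c46cc0;Parent=668dcdbf6a42e966;Sampled=1"}}}
SAMPLE_SNS = json.dumps({"Type": "Notification", "Message": json.dumps(SAMPLE_EVENT)})

if __name__ == "__main__":
    print(json.dumps(normalise(SAMPLE_SNS), indent=2))
```

The "trace_root" field lets a SIEM correlate all events that share one request trace, and "user_id" and "organisation_id" give the actor context for each operation.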

See Also