Consuming StaxTrail
StaxTrail is Stax's centralized logging component. You can consume StaxTrail logs into your existing SIEM solution by either subscribing to an SNS Topic, or by reviewing the contents of an S3 bucket.
StaxTrail is Stax's centralized logging component.
Logging and audit information from the Stax platform is recorded in the staxtrail bucket in your logging account. You can, alternatively, subscribe to the staxtrail SNS topic in the logging account.
Before you begin
- Time to complete: Approximately 5 minutes
- You'll need access to log into the logging AWS Application Account with at least Readonly level access
Finding the S3 bucket and SNS Topic
The StaxTrail S3 bucket and SNS Topic reside in your logging account. To find your logging account, log into the Stax Console, and from the left-hand nav, choose Accounts, then Types. Review the contents of the foundation-logging Account Type to see your logging account.
Log into the logging account by clicking the vertical ellipsis (⋮) to the right hand side, then chooosing the appropriate role. If you do not have access to log into the logging account, contact the administrator of your Stax tenancy.

Once logged into the logging account, you can proceed to locate the StaxTrail S3 bucket and/or SNS Topic.
Locating the StaxTrail S3 Bucket
- Navigate to the Amazon S3 Buckets page and observe the buckets in the list. The StaxTrail bucket will have a name similar to stax-staxtrail-49a9bcb2-6c7d-4aed-bf5d-6be6ee13ad6a. You can consume the objects in this bucket using your own SIEM solution or third-party tooling
Locating the StaxTrail SNS Topic
Ensure that you're using the AWS Console in the same AWS region as where your Stax tenancy resides. For example, if your Stax tenancy belongs to the au1 Stax installation, you'll need to be viewing the ap-southeast-2 AWS region. Choose the appropriate region by selecting from the Region drop-down list in the AWS Console
Navigate to the Amazon SNS Topics page and observe the topics in the list. The StaxTrail topic will have a name similar to staxtrail-49a9bcb2-6c7d-4aed-bf5d-6be6ee13ad6a. You can subscribe to this topic with your own SIEM solution or third-party tooling
Example StaxTrail outputs
Below is an example StaxTrail message. You should review the events in your own StaxTrail output to confirm the specific UUIDs and other values.
{
"version": "0",
"id": "5c23e1fc-e98a-4fc3-a18f-10f924cb062f",
"detail-type": "stax.api",
"source": "stax.coreapi",
"account": "517242832086",
"time": "2020-06-05T01:19:13Z",
"region": "ap-southeast-2",
"resources": [],
"detail": {
"operation": "workloads:ReadCatalogueItems",
"operation-level": "CUSTOMER",
"operation-status": "SUCCEEDED",
"severity": "info",
"message": "",
"sources": [
[]
],
"targets": [
[]
],
"stax": {
"installation": "stax-au1",
"customer-id": "f928e02a-279d-4c14-9495-4c0c10fcacf6",
"organisation-id": "dc55162f-0cd9-46dd-983a-7db12c7e2799",
"user-id": "5668c154-1879-4927-a851-99f92b576c59",
"trace-id": "Self=1-ef0ebd42-6544-4641-9c17-befdc2ccf389;Root=1-6e585f7d-bcd5-4cb4-bf13-ae6d89c46cc0;Parent=668dcdbf6a42e966;Sampled=1"
}
}
}