
Elastic/ELK Stack Alert Channel

Lacework supports the following alert channels that forward Lacework alerts to your Elastic stack.

Amazon CloudWatch

Send Lacework alerts to SQS through Amazon CloudWatch and then retrieve the alerts from SQS using a plugin from Elastic.

Create a Lacework Alert Channel for Amazon CloudWatch

Follow the steps described in Amazon CloudWatch to forward alerts from Lacework to CloudWatch.

Configure the Elastic Stack

See Elastic documentation to configure your Elastic stack to retrieve events from SQS with the sqs-input plugin.

Google Cloud Pub/Sub

Send Lacework alerts to Google Cloud Pub/Sub and then use Google Dataflow to send data to your Elastic stack.

Create a Lacework Alert Channel for Google Cloud Pub/Sub

Follow the steps described in Google Cloud Pub/Sub to send alerts from Lacework to Google Pub/Sub.

Configure Dataflow Template

Follow these steps to configure a Dataflow template that sends alerts from Pub/Sub to your Elastic stack.

  1. Install the Elastic Google Cloud integration from the Kibana web interface.
  2. In the Google Cloud Console go to the Dataflow product.
  3. Click Create job from template.
  4. Select Pub/Sub to Elasticsearch from the Dataflow template dropdown menu.
  5. Provide the required parameters:
    • Your Cloud ID - Find the Cloud ID in the Elastic Cloud interface.
    • Base64-encoded API key for Elasticsearch endpoint - Use the Create API key API to create the API key.
    • Type of logs sent via Pub/Sub ... - Add audit.
  6. Click Run Job and wait for Dataflow to execute the template.
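Step 5 asks for the base64-encoded API key. As an added example (not from the Lacework or Elastic documentation), the following Python builds a least-privilege request body for the Create API key API and derives the base64 `id:api_key` value the template expects from the API's response; the index pattern, role name and privilege list are assumptions to adjust for your cluster, and the sample response is constructed.

```python
import base64

# Constructed example values; replace with your own.
DATA_STREAM = "logs-gcp.audit-default"  # hypothetical target pattern for forwarded alerts

def build_create_api_key_request(name, index_pattern, expiration="90d"):
    """Body for POST /_security/api_key (Create API key API).
    The role descriptor grants only what an ingest job needs on the target
    pattern; the privilege names are assumed minimal, tighten them to fit
    your cluster. The expiration forces periodic rotation of the key."""
    return {
        "name": name,
        "expiration": expiration,
        "role_descriptors": {
            "dataflow_ingest": {
                "cluster": ["monitor"],
                "indices": [{"names": [index_pattern],
                             "privileges": ["auto_configure", "create_doc"]}],
            }
        },
    }


def encode_api_key(response):
    """Base64 of 'id:api_key', the form the Dataflow apiKey parameter expects.
    Recent Elasticsearch versions also return an 'encoded' field; it must agree."""
    raw = f"{response['id']}:{response['api_key']}".encode("ascii")
    encoded = base64.b64encode(raw).decode("ascii")
    if response.get("encoded", encoded) != encoded:
        raise ValueError("'encoded' field does not match id:api_key")
    return encoded


def decode_api_key(encoded):
    """Inverse of encode_api_key, for checking a value already stored in a job."""
    key_id, sep, secret = base64.b64decode(encoded, validate=True).decode("ascii").partition(":")
    if not (key_id and sep and secret):
        raise ValueError("not a base64 id:api_key value")
    return key_id, secret


# Constructed sample response from the Create API key API.
SAMPLE_RESPONSE = {"id": "VuaCfGcBCdbkQm-e5aOx", "name": "lacework-dataflow",
                   "api_key": "ui2lp2axTNmsyakw9tvNnw"}

if __name__ == "__main__":
    print(build_create_api_key_request("lacework-dataflow", DATA_STREAM))
    print("apiKey parameter:", encode_api_key(SAMPLE_RESPONSE))
```

The printed value is what goes into the template's API key parameter; the raw `api_key` secret is shown only once by Elasticsearch, so store the encoded form in a secret manager rather than in the job definition.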