CreateCustomLogSource
Adds a third-party custom source in Amazon Security Lake, from the AWS Region where you want to create a custom source. Security Lake can collect logs and events from third-party custom sources. After creating the appropriate IAM role to invoke AWS Glue crawler, use this API to add a custom source name in Security Lake. This operation creates a partition in the Amazon S3 bucket for Security Lake as the target location for log files from the custom source. In addition, this operation also creates an associated AWS Glue table and an AWS Glue crawler.
Request Syntax
POST /v1/datalake/logsources/custom HTTP/1.1
Content-type: application/json
{
"configuration": {
"crawlerConfiguration": {
"roleArn": "string
"
},
"providerIdentity": {
"externalId": "string
",
"principal": "string
"
}
},
"eventClasses": [ "string
" ],
"sourceName": "string
",
"sourceVersion": "string
"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- configuration
-
The configuration used for the third-party custom source.
Type: CustomLogSourceConfiguration object
Required: Yes
- eventClasses
-
The Open Cybersecurity Schema Framework (OCSF) event classes which describes the type of data that the custom source will send to Security Lake. The supported event classes are:
-
ACCESS_ACTIVITY
-
FILE_ACTIVITY
-
KERNEL_ACTIVITY
-
KERNEL_EXTENSION
-
MEMORY_ACTIVITY
-
MODULE_ACTIVITY
-
PROCESS_ACTIVITY
-
REGISTRY_KEY_ACTIVITY
-
REGISTRY_VALUE_ACTIVITY
-
RESOURCE_ACTIVITY
-
SCHEDULED_JOB_ACTIVITY
-
SECURITY_FINDING
-
ACCOUNT_CHANGE
-
AUTHENTICATION
-
AUTHORIZATION
-
ENTITY_MANAGEMENT_AUDIT
-
DHCP_ACTIVITY
-
NETWORK_ACTIVITY
-
DNS_ACTIVITY
-
FTP_ACTIVITY
-
HTTP_ACTIVITY
-
RDP_ACTIVITY
-
SMB_ACTIVITY
-
SSH_ACTIVITY
-
CONFIG_STATE
-
INVENTORY_INFO
-
EMAIL_ACTIVITY
-
API_ACTIVITY
-
CLOUD_API
Type: Array of strings
Pattern:
^[A-Z\_0-9]*$
Required: No
-
- sourceName
-
Specify the name for a third-party custom source. This must be a Regionally unique value. The
sourceName
you enter here, is used in theLogProviderRole
name which follows the conventionAmazonSecurityLake-Provider-{name of the custom source}-{region}
. You must use aCustomLogSource
name that is shorter than or equal to 20 characters. This ensures that theLogProviderRole
name is below the 64 character limit.Type: String
Length Constraints: Minimum length of 1. Maximum length of 64.
Pattern:
^[\w\-\_\:\.]*$
Required: Yes
- sourceVersion
-
Specify the source version for the third-party custom source, to limit log collection to a specific version of custom data source.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 32.
Pattern:
^[A-Za-z0-9\-\.\_]*$
Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"source": {
"attributes": {
"crawlerArn": "string",
"databaseArn": "string",
"tableArn": "string"
},
"provider": {
"location": "string",
"roleArn": "string"
},
"sourceName": "string",
"sourceVersion": "string"
}
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- source
-
The third-party custom source that was created.
Type: CustomLogSourceResource object
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
-
You do not have sufficient access to perform this action. Access denied errors appear when Amazon Security Lake explicitly or implicitly denies an authorization request. An explicit denial occurs when a policy contains a Deny statement for the specific AWS action. An implicit denial occurs when there is no applicable Deny statement and also no applicable Allow statement.
HTTP Status Code: 403
- BadRequestException
-
The request is malformed or contains an error such as an invalid parameter value or a missing required parameter.
HTTP Status Code: 400
- ConflictException
-
Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.
HTTP Status Code: 409
- InternalServerException
-
Internal service exceptions are sometimes caused by transient issues. Before you start troubleshooting, perform the operation again.
HTTP Status Code: 500
- ResourceNotFoundException
-
The resource could not be found.
HTTP Status Code: 404
- ThrottlingException
-
The limit on the number of requests per second was exceeded.
HTTP Status Code: 429
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: