Datadog CSM’s Related Logs feature allows you to quickly identify cloud audit logs that relate to a specific cloud resource. When investigating a misconfiguration, this can help you understand:
Who created the resource
Who last modified the resource, possibly introducing the misconfiguration
CloudTrail events lack a standardized format that would allow a generic Logs query, but Related Logs uses an internal service that maps resource attributes to CloudTrail event fields, enabling Datadog to identify related CloudTrail logs.
Here’s a sample Logs query that Related Logs automatically generates and runs to find related CloudTrail logs. In this example, the query looks for logs that relate to a specific EC2 instance:
source:cloudtrail @recipientAccountId:172597598159 @awsRegion:us-east-1 @readOnly:false -status:error (@eventSource:ec2.amazonaws.com AND (@requestParameters.instanceId:"i-0d52853076ed2a357" OR @requestParameters.instancesSet.items.instanceId:"i-0d52853076ed2a357" OR @responseElements.instancesSet.items.instanceId:"i-0d52853076ed2a357" OR @requestParameters.resourcesSet.items.resourceId:"i-0d52853076ed2a357" OR @responseElements.ReplaceIamInstanceProfileAssociationResponse.iamInstanceProfileAssociation.instanceId:"i-0d52853076ed2a357" OR @responseElements.CreateFleetResponse.fleetInstanceSet.item.instanceIds.item:"i-0d52853076ed2a357" OR @requestParameters.CreateReplaceRootVolumeTaskRequest.InstanceId:"i-0d52853076ed2a357" OR @requestParameters.ModifyInstanceMetadataOptionsRequest.InstanceId:"i-0d52853076ed2a357" OR @serviceEventDetails.instanceIdSet:"i-0d52853076ed2a357" OR @requestParameters.AssociateIamInstanceProfileRequest.InstanceId:"i-0d52853076ed2a357" OR @requestParameters.CreateSnapshotsRequest.InstanceSpecification.InstanceId:"i-0d52853076ed2a357"))
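The same filters can be applied offline to CloudTrail records exported as JSON. The Python below is an added example, not Datadog's code or its internal mapping service: it checks three of the field paths from the query above against constructed sample events and reports who created and who last modified the instance. Assumptions: a record with an `errorCode` field stands in for the `-status:error` case, and all helper names and sample values are made up.

```python
ID_PATHS = [  # added example: three of the field paths from the page's query
    "requestParameters.instancesSet.items.instanceId",
    "responseElements.instancesSet.items.instanceId",
    "requestParameters.ModifyInstanceMetadataOptionsRequest.InstanceId",
]

def values_at(node, path):
    """Yield every value at a dotted path, fanning out over JSON arrays."""
    if isinstance(node, list):
        for item in node:
            yield from values_at(item, path)
    elif not path:
        yield node
    elif isinstance(node, dict) and path[0] in node:
        yield from values_at(node[path[0]], path[1:])

def related_events(events, instance_id, account, region):
    """Successful write events in account/region that reference instance_id, oldest first."""
    hits = []
    for e in events:
        in_scope = (e.get("recipientAccountId") == account and e.get("awsRegion") == region
                    and e.get("eventSource") == "ec2.amazonaws.com")
        # Assumption: a record carrying errorCode is what -status:error excludes.
        if (in_scope and e.get("readOnly") is False and "errorCode" not in e
                and any(instance_id in values_at(e, p.split(".")) for p in ID_PATHS)):
            hits.append(e)
    return sorted(hits, key=lambda e: e["eventTime"])

def creator_and_last_modifier(hits):
    """(ARN behind RunInstances, ARN behind the most recent write); None where absent."""
    arns = [(e["eventName"], e["userIdentity"]["arn"]) for e in hits]
    created = [arn for name, arn in arns if name == "RunInstances"]
    return (created[0] if created else None, arns[-1][1] if arns else None)

# Constructed sample records: account, instance ID, users and times are made up.
IID, ACCT = "i-0123456789abcdef0", "111122223333"
REQ = {"instancesSet": {"items": [{"instanceId": IID}]}}
def ev(time, name, user, **extra):
    return {"eventTime": time, "eventName": name, "eventSource": "ec2.amazonaws.com",
            "recipientAccountId": ACCT, "awsRegion": "us-east-1", "readOnly": False,
            "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/{user}"}, **extra}
SAMPLE = [
    ev("2024-05-03T09:00:00Z", "ModifyInstanceMetadataOptions", "bob",
       requestParameters={"ModifyInstanceMetadataOptionsRequest": {"InstanceId": IID}}),
    ev("2024-05-01T10:00:00Z", "RunInstances", "alice", responseElements=REQ),
    ev("2024-05-02T08:00:00Z", "DescribeInstances", "scanner", readOnly=True, requestParameters=REQ),
    ev("2024-05-04T11:00:00Z", "StopInstances", "carol", requestParameters=REQ,
       errorCode="Client.UnauthorizedOperation"),
]
```

On the sample, the read-only `DescribeInstances` call and the failed `StopInstances` call are dropped, leaving the `RunInstances` and `ModifyInstanceMetadataOptions` events in time order.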
Related Logs supports the following AWS resources:
aws_acm
aws_cloudfront_distribution
aws_ec2_instance
aws_ecs_service
aws_ecr_repository
aws_iam_account
aws_iam_group
aws_iam_policy
aws_iam_role
aws_iam_user
aws_lambda_function
aws_opensearch_domain
aws_rds_instance
aws_s3_bucket
aws_security_group
aws_sns_topic
aws_sqs_queue
aws_subnet
To request additional resource types, fill out the feedback form.
View related logs
On the Findings page, in the Misconfigurations explorer, open a misconfiguration for a supported resource type.
Click the Related Logs tab. Datadog queries your CloudTrail logs for events related to the cloud resource.
Search through a larger timeframe
By default, Related Logs looks through the last two weeks of related CloudTrail logs. To extend the search to a larger timeframe:
While viewing a misconfiguration’s related logs, click View All Related Logs. The search used to populate the list opens in Log Explorer.
In the upper-right corner, change the timeframe of the search.
Note: Related Logs only displays CloudTrail logs within your retention period. To store CloudTrail logs for an extended period of time in a cost-effective manner, Datadog recommends using Flex Logs.