Consuming StaxTrail

StaxTrail is Stax's centralized logging component. Logging and audit information from Stax is recorded in the staxtrail bucket in your logging account. Alternatively, you can subscribe to the staxtrail SNS topic in the logging account.

Before You Begin

  • Time to complete: 5 minutes
  • Ensure you have access to log in to the logging AWS account with permissions to read content in S3 buckets

Finding the StaxTrail S3 Bucket

The StaxTrail S3 bucket resides in your logging account.

  1. Log in to the Stax console
  2. Choose Accounts from the left-hand nav
  3. Choose the logging account from the list and log in using the appropriate permissions
  4. Navigate to the S3 console and locate the StaxTrail S3 bucket. Its name will be similar to: stax-staxtrail-<org-uuid>. The <org-uuid> placeholder will be replaced by your organization's identifier in Stax, in the format of a UUID (UUIDv4).

You can consume the objects in this bucket using your own SIEM solution or third-party tooling.

Finding the StaxTrail SNS Topic

The StaxTrail SNS Topic resides in your logging account.

  1. Log in to the Stax console
  2. Choose Accounts from the left-hand nav
  3. Choose the logging account from the list and log in using the appropriate permissions
  4. Choose the AWS region that matches your Stax Installation Region
  5. Navigate to the SNS console and locate the StaxTrail SNS topic. Its name will be similar to: staxtrail-<org-uuid>. The <org-uuid> placeholder will be replaced by your organization's identifier in Stax, in the format of a UUID (UUIDv4).

You can subscribe to this SNS Topic using your own SIEM solution or third-party tooling.

Example StaxTrail Output

Below is an example StaxTrail message. You should review the events in your own StaxTrail output to confirm the specific UUIDs and other values.

{
  "version": "0",
  "id": "5c23e1fc-e98a-4fc3-a18f-10f924cb062f",
  "detail-type": "stax.api",
  "source": "stax.coreapi",
  "account": "517242832086",
  "time": "2020-06-05T01:19:13Z",
  "region": "ap-southeast-2",
  "resources": [],
  "detail": {
    "operation": "workloads:ReadCatalogueItems",
    "operation-level": "CUSTOMER",
    "operation-status": "SUCCEEDED",
    "severity": "info",
    "message": "",
    "sources": [
      []
    ],
    "targets": [
      []
    ],
    "stax": {
      "installation": "stax-au1",
      "customer-id": "f928e02a-279d-4c14-9495-4c0c10fcacf6",
      "organisation-id": "dc55162f-0cd9-46dd-983a-7db12c7e2799",
      "user-id": "5668c154-1879-4927-a851-99f92b576c59",
      "trace-id": "Self=1-ef0ebd42-6544-4641-9c17-befdc2ccf389;Root=1-6e585f7d-bcd5-4cb4-bf13-ae6d89c46cc0;Parent=668dcdbf6a42e966;Sampled=1"
    }
  }
}
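
The following is an added example, not Stax-provided code: one way to flatten a StaxTrail message like the one above into a record for SIEM ingestion, whether it was read as an object from the bucket or delivered inside a standard SNS notification envelope. The function name normalize, the output field names, and the needs_review rule (flag any status other than SUCCEEDED) are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the example event from this page, trimmed to the fields used below.
SAMPLE_EVENT = {
    "id": "5c23e1fc-e98a-4fc3-a18f-10f924cb062f",
    "detail-type": "stax.api",
    "source": "stax.coreapi",
    "time": "2020-06-05T01:19:13Z",
    "detail": {
        "operation": "workloads:ReadCatalogueItems",
        "operation-status": "SUCCEEDED",
        "severity": "info",
        "stax": {
            "organisation-id": "dc55162f-0cd9-46dd-983a-7db12c7e2799",
            "user-id": "5668c154-1879-4927-a851-99f92b576c59",
            "trace-id": "Self=1-ef0ebd42-6544-4641-9c17-befdc2ccf389;Root=1-6e585f7d-bcd5-4cb4-bf13-ae6d89c46cc0;Parent=668dcdbf6a42e966;Sampled=1",
        },
    },
}
# The same event as it would arrive wrapped in an SNS notification body.
SAMPLE_SNS = json.dumps({"Type": "Notification", "Message": json.dumps(SAMPLE_EVENT)})


def normalize(raw):
    """Flatten one StaxTrail message (bare or SNS-wrapped) into a SIEM record."""
    doc = json.loads(raw)
    if doc.get("Type") == "Notification" and "Message" in doc:
        doc = json.loads(doc["Message"])  # unwrap the SNS envelope
    detail = doc["detail"]  # a KeyError here means this is not a StaxTrail event
    stax = detail.get("stax", {})
    # trace-id is a ';'-separated list of key=value pairs
    trace = dict(p.split("=", 1) for p in stax.get("trace-id", "").split(";") if "=" in p)
    ts = datetime.strptime(doc["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "event_id": doc["id"],
        "timestamp": ts.isoformat(),
        "source": doc["source"],
        "operation": detail["operation"],
        "status": detail["operation-status"],
        "severity": detail.get("severity"),
        "user_id": stax.get("user-id"),
        "organisation_id": stax.get("organisation-id"),
        "trace_root": trace.get("Root"),
        # Assumption: any status other than SUCCEEDED deserves analyst review.
        "needs_review": detail["operation-status"] != "SUCCEEDED",
    }
```

Missing required keys raise KeyError rather than producing a partial record, so malformed or unrelated messages are rejected at ingestion instead of being indexed silently.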