Configure Hydrolix for AWS

Configure Your Account

Most of the details of Hydrolix setup are automated. You'll provide information, accept, and apply the setup process, then configure your data source to send data to your data transport.

Prerequisites

During setup, you'll provide business contact information, then select a data source and a transport that Hydrolix for AWS can ingest.

Data Sources

Hydrolix for AWS currently supports the automated self-onboarding of the following data sources:

• CloudFront Real-Time Logs
• Web Application Firewall

Hydrolix also supports log ingestion of logs from the following CDN providers by opening a support ticket:

• Fastly
• Akamai
• Edgio Edge Prism (Limelight)

Delivery Method

Hydrolix supports the automated self-onboarding of the following log delivery mechanisms:

• Kinesis Data Stream
• Amazon Data Firehose

Hydrolix also supports S3 batch ingest by opening a support ticket.

Configure Hydrolix for AWS

Find "Hydrolix for AWS" in the AWS Marketplace and purchase it. From here on, the configuration pages will guide you, giving you links to run a CloudFormation script that will perform actions on your AWS account. During the process, an account will automatically be created in Hydrolix and access will be granted to your selected data transport method.

📘

About the CloudFormation Stack

This CloudFormation stack provides the necessary permissions to run Hydrolix for AWS, allowing for seamless access to essential AWS services like S3, Kinesis, CloudFront, and WAF. It's designed to keep your data safe and Hydrolix running while you retain full control.

Although not required, an additional AWS permission boundary can be applied by creating a new AWS ‘member account’ in your AWS organization for sole use by Hydrolix. If desired, you will need to create the account first and then log into that account before purchasing Hydrolix in the AWS Marketplace. You can create additional AWS member accounts in your organization free of charge. If you have reached your current quota, request additional quota from AWS.

The on-boarding CloudFormation script will give Hydrolix the following permissions in your AWS account to perform the needed on-boarding and operating tasks:

1. s3:*: to create, write, and read from the S3 bucket in which your processed logs will be stored.
2. kinesis.*: to create and subscribe to the Kinesis Data Stream which will deliver your CloudFront real-time logs to Hydrolix for processing.
3. dynamodb.*: to create, write, and read from a DynamoDB instance for your Kinesis checkpoints, which are required for Kinesis streams.
4. firehose.*: to create, write and read from a Data Firehose stream which will deliver your WAF ACL logs to Hydrolix for processing.

To configure the Hydrolix account, your acceptance and application of the CloudFormation script will be handled in a separate browser tab. The "Setup AWS account access and permissions" link will open that tab.

Once you've selected "Create stack" from the resulting browser tab, return to the original Hydrolix for AWS setup tab and continue with the process.

📘

Resuming the process

If you're interrupted, you can always return to this page by "re-purchasing" Hydrolix from the AWS Marketplace. AWS Marketplace will only allow you to purchase it once. If you have already purchased, it will forward you to where you left off in the on-boarding process.

After entering the information, click "Verify Access" to start the provisioning process. This process takes about four minutes, during which time it will verify permissions, create roles and credentials, configure Grafana, and set up Hydrolix to start receiving your data.

After this has completed, the setup page will show you the data and transport method that has been configured, along with a link to your dashboard.

Click on which ingest option you want to configure. The support for the chosen log source and its transport method will be automatically configured in both your AWS account and the Hydrolix for AWS account. An end-to-end test with a synthetic log event will then be performed to ensure successful log ingestion.

Upon reaching the success page for configuring this method, you will be given two important pieces of information:

1. The ingest method stream name: as the final step, you must go to the AWS service log source (for example, CloudFront or WAF) console and configure it to start sending your logs to that stream name. A link to the relevant AWS documentation on how to accomplish this step is also provided, in case you aren't familiar with the logging feature of your AWS service.
2. The link and login credentials to your preconfigured visualization dashboard for the selected log source.

The information above is also included on the “Connect your Data and Method” page you will return to after the success page. Upon returning to the Data and Method configuration page, you may choose to configure other data sources and ingest methods offered.