How long does it "typically" take for SumoLogic to ingest CloudTrail logs?
I know that this will depend on how big the AWS CloudTrail logs are, but as a general rule, how long would you wait before expecting to see AWS logs in SumoLogic? I know it can take up to 15 minutes for AWS events to show up in CloudTrail.
-
The other static variable at play is the scan frequency (1m or 5m) you set in your source config.

If you scan every minute you could see data as quickly as 2 minutes after the data was written to the bucket. There is some time needed for indexing after data ingestion; this is typically no more than 30 seconds.

One known issue with delays is the number of items in a bucket and the scan path. When we make an API call to get new data we first list all the items in the scan path; for buckets with large amounts of items, this can take a while, and we have seen up to 2 hours. To work around this issue we recommend periodically moving older data out of the scan path, so the list portion does not take long.
Hope this helps
Olaf
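The workaround Olaf describes (keep older objects out of the prefix the S3 source lists on every scan) is easy to automate. The script below is an added example, not code from Olaf, Sumo Logic or AWS. It assumes the bucket uses CloudTrail's standard key layout (`AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz`), that the Sumo source's path expression covers the source prefix and nothing under the archive prefix, and that the bucket name and prefixes in `__main__` are placeholders. S3 has no rename, so a "move" is a copy followed by a delete; the script defaults to a dry run.

```python
"""
Relocate CloudTrail objects older than a cutoff out of the prefix that the
Sumo Logic S3 source scans, so the per-scan ListObjects call stays small.

Assumptions (hypothetical, not from the original thread):
  - Standard CloudTrail key layout, with the YYYY/MM/DD delivery date as the
    directories directly above each file (also true for CloudTrail-Digest).
  - The Sumo source only scans SRC_PREFIX; DST_PREFIX is outside it.
"""
import re
from datetime import date, timedelta

# The delivery-date directories immediately preceding the object name.
_DATE_RE = re.compile(r"/(\d{4})/(\d{2})/(\d{2})/[^/]+$")


def key_date(key):
    """Return the delivery date encoded in a CloudTrail object key, or None
    if the key does not follow the layout (such keys are left where they are)."""
    m = _DATE_RE.search(key)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13 from a malformed path
        return None


def partition_keys(keys, cutoff):
    """Split keys into (keep, archive). A key is archived when its path date is
    strictly before `cutoff` (a date or an ISO 'YYYY-MM-DD' string);
    keys without a parseable date are always kept."""
    if isinstance(cutoff, str):
        cutoff = date.fromisoformat(cutoff)
    keep, archive = [], []
    for k in keys:
        d = key_date(k)
        (archive if d is not None and d < cutoff else keep).append(k)
    return keep, archive


def archive_key(key, src_prefix, dst_prefix):
    """Map a key under src_prefix to the same relative path under dst_prefix,
    so the account/region/year/month/day structure survives the move."""
    if not key.startswith(src_prefix):
        raise ValueError(f"{key!r} is not under {src_prefix!r}")
    return dst_prefix + key[len(src_prefix):]


def relocate_old_objects(bucket, src_prefix, dst_prefix, cutoff, dry_run=True):
    """List src_prefix and move every object dated before `cutoff` to dst_prefix.
    Returns the (old_key, new_key) pairs moved, or that would be moved on a dry run."""
    import boto3  # imported here so the pure helpers above need no AWS SDK
    s3 = boto3.client("s3")
    keys = []
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=src_prefix):
        keys.extend(obj["Key"] for obj in page.get("Contents", []))
    _, to_move = partition_keys(keys, cutoff)
    moved = []
    for old in to_move:
        new = archive_key(old, src_prefix, dst_prefix)
        if not dry_run:
            # Copy first, delete only after the copy succeeded.
            s3.copy_object(Bucket=bucket, CopySource={"Bucket": bucket, "Key": old}, Key=new)
            s3.delete_object(Bucket=bucket, Key=old)
        moved.append((old, new))
    return moved


if __name__ == "__main__":
    # Placeholder bucket/prefixes: keep the last 7 days in the scanned path.
    cutoff = date.today() - timedelta(days=7)
    for old, new in relocate_old_objects("my-cloudtrail-bucket", "AWSLogs/",
                                         "archive/AWSLogs/", cutoff):
        print(f"{old} -> {new}")
```

Run it on a schedule with `dry_run=False` once the printed plan looks right. The IAM principal running it needs `s3:ListBucket`, `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` on the bucket (the Sumo role itself only needs list and get), and if the trail uses SSE-KMS it also needs `kms:Decrypt` and `kms:GenerateDataKey` on the key to copy. Moving rather than expiring the objects keeps the history available for later investigation while still shrinking the listing the source performs on every scan.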