Filebeat module for AWS CloudTrail Logs
===

Module for AWS CloudTrail logs, which capture information about
actions taken by a user, role or an AWS service. Events include
actions taken in the AWS Management Console, AWS Command Line
Interface, and AWS SDKs and APIs. These logs can
help with:

* Governance
* Compliance
* Operational and risk auditing

The implementation is based on the description of CloudTrail in the
AWS documentation:

* CloudTrail Record Contents: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
* CloudTrail Log File Examples: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html

Note that the `cloudtrail` fileset does not read the
CloudTrail Digest files that are delivered to the S3 bucket when Log
File Integrity is turned on; it only reads the CloudTrail logs.

How to manually test this module
===

* Create a CloudTrail trail with an S3 bucket as the storage location
* Configure this S3 bucket to send "All object create events" to an SQS queue
* Configure Filebeat, using the URL of the SQS queue that receives the S3
notifications set up in the previous step:
```
filebeat.modules:
- module: aws
  cloudtrail:
    enabled: true
    var.queue_url: <queue url>
    var.credential_profile_name: <profile name>
```
* Check parsed logs
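
For the "Check parsed logs" step, the helper below is an added example, not part of the Filebeat module: it lists which objects named in an S3 notification are CloudTrail logs rather than digest files, and which events a log file contains, so they can be compared with what Filebeat indexed. The key layout follows AWS's documented naming; the bucket, account ID, trail name and events are constructed placeholders.

```python
import gzip
import json
from urllib.parse import unquote_plus

def classify_key(key):
    """Classify an S3 key by CloudTrail's key layout: 'log', 'digest' or 'other'."""
    parts = key.split("/")
    if not key.endswith(".json.gz"):
        return "other"
    if "CloudTrail-Digest" in parts:  # digest files, written when log file integrity is on
        return "digest"
    return "log" if "CloudTrail" in parts else "other"

def objects_from_notification(body):
    """Return (bucket, key, kind) for each ObjectCreated record in an S3 notification."""
    found = []
    for rec in json.loads(body).get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        key = unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        found.append((rec["s3"]["bucket"]["name"], key, classify_key(key)))
    return found

def expected_events(gz_bytes):
    """Return (eventTime, eventSource, eventName) for each record in a gzipped log file."""
    doc = json.loads(gzip.decompress(gz_bytes))
    return [(r["eventTime"], r["eventSource"], r["eventName"]) for r in doc["Records"]]

# Constructed sample data: account ID, bucket, trail name and events are placeholders.
PREFIX = "AWSLogs/111122223333"
LOG_KEY = PREFIX + "/CloudTrail/us-east-1/2020/01/01/111122223333_CloudTrail_us-east-1_20200101T0005Z_AbCdEf0123456789.json.gz"
DIGEST_KEY = PREFIX + "/CloudTrail-Digest/us-east-1/2020/01/01/111122223333_CloudTrail-Digest_us-east-1_example-trail_us-east-1_20200101T000000Z.json.gz"

def sample_record(key):
    return {"eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "example-trail-bucket"}, "object": {"key": key}}}

SAMPLE_NOTIFICATION = json.dumps({"Records": [sample_record(LOG_KEY), sample_record(DIGEST_KEY)]})
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2020-01-01T00:01:02Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin"},
    {"eventTime": "2020-01-01T00:03:04Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket"},
]}).encode())

if __name__ == "__main__":
    for bucket, key, kind in objects_from_notification(SAMPLE_NOTIFICATION):
        print(f"{kind:6} s3://{bucket}/{key}")
    for event in expected_events(SAMPLE_LOG):
        print(*event)
```

Only objects classified as `log` should produce events in Filebeat's output; the digest object should produce none.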