topic Re: Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs in All Apps and Add-ons

Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

asbetsplunk — Thu, 03 Sep 2015 07:34:42 GMT

I have followed the instructions for setting up a standalone Splunk Enterprise server on AWS.

However, when I get to the data inputs section nothing is displaying for the SQS queues.

I took screenshots of the whole process - ran into all kinds of crazy issues:

https://www.dropbox.com/s/toy9q4h0nlfux94/Splunk.AWS.Install_Redacted.pdf

Can someone please show me where I messed up?

Re: Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

rpille_splunk — Thu, 03 Sep 2015 22:00:13 GMT

Hi there,

I see you created all the policies in your AWS console, but when you created the user account, did you attach those policies to it? There are various ways you can accomplish this in AWS. A simple way to do it is to create a Group and then attach all the policies to that group, then put your Splunk user in that group.

Hope that helps!

Re: Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

asbetsplunk — Fri, 04 Sep 2015 06:20:28 GMT

Thank you very much for the reply but unfortunately no luck. I can't believe that I forgot to add the policies to the account though!

Anyway, I gave it another try - here are screenshots of the steps:

https://www.dropbox.com/s/0sn6907y9isbjmr/splunk.aws.troubleshooting_Redacted.pdf

I also tried some things at the command line like manually adding the AWS ID but no change.

Re: Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

rpille_splunk — Sat, 05 Sep 2015 01:09:02 GMT

Some ideas:

When you were on the CloudTrail configuration screen and it asked you if you wanted to create a new S3 bucket, try saying Yes and allowing AWS to define the correct permissions for that bucket for you automatically. There may be something missing there. If you don't want to do that, be sure to follow the AWS documentation for how to get the permissions correct here. (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html)

Just checking, since you have your region redacted in your AWS console screenshots -- did you make sure the region you are using here matches the one you used in AWS?

When you try to manage settings in the inputs.conf file, please be sure to copy default/inputs.conf to local and edit there to save yourself future pain. Not relevant to your current troubleshooting, just a best practice.

Also in the conf file, it looks like you used your key ID for the aws_account parameter, but it expects the account friendly name there. Could account for the error.

Be sure to follow the documentation to add all the other parameters that you need: http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureInputs#CloudTrail_inputs The default file you were editing doesn't include them all. Note that for the queue name, it just expects the final segment of the full queue URL. For example, if your SQS queue URL is http://sqs.us-east-1.amazonaws.com/123456789012/testQueue, then your SQS queue name is testQueue.

I just re-tested the steps with a new user that I put in a new group and attached ONLY the CloudTrail policy from the documentation to that group, and it is working for me. I suspect there is something awry with your policies, probably the one on the S3 bucket.

Hope this helps!

Re: Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

asbetsplunk — Fri, 11 Sep 2015 16:20:26 GMT

Thanks again for the help.

Created new S3 bucket using AWS defaults, still no change in result.
Region is N.Virginia - us-east-1 - confirmed that is the same.
Noted about inputs.conf, thank you.
I only tried CloudTrail this time but result is the same, SQS field in Splunk Data Input for CloudTrail is blank.

Would it be too much to ask to see your screenshots?

Re: Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

rpille_splunk — Tue, 29 Sep 2020 07:15:50 GMT

Perhaps you've found a bug, or perhaps you are still encountering a permissions issue in AWS, somehow. Let's try to eliminate the latter.

Try creating a local/inputs.conf with your CloudTrail input information.

First, in Splunk Web, go back to the setup page and set CloudTrail logging to DEBUG.

Then, create your local/inputs.conf file:

[aws_cloudtrail://somename]
aws_account = the friendly name of your aws account
aws_region = us-east-1
sqs_queue = the last segment of the full queue url

Save the file, then restart Splunk Enterprise.

Search for sourcetype=aws:cloudtrail

If you don't see events, search index = _internal source=aws and look for interesting errors.

More troubleshooting tips here:
http://docs.splunk.com/Documentation/AddOns/latest/Overview/Troubleshootadd-ons

Re: Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

rpille_splunk — Fri, 25 Sep 2015 02:55:04 GMT

Hi again, asbetsplunk. We've released a new version of this add-on (version 2.0.0) with a lot of bugfixes. You might try running that version instead to see if the issue persists. Please let us know if you are still having problems with it!

Re: Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

chwang_splunk — Fri, 25 Sep 2015 03:15:51 GMT

Hi, Do you have some other service to get data from the same SQS ?? Message in a SQS can only be taken one time, if multiple service subscribe messages from the same SQS, only one of them can get the data.

If you do have multiple services to consume these messages, I suggest you create separate SQS to describe data from a fixed SNS as data source and then create individual data inputs for individual SQS, not to share SQS