topic Re: CloudTrail data not showing in Splunk in Getting Data In

CloudTrail data not showing in Splunk

alanwill — Mon, 02 Dec 2013 17:55:51 GMT

I'm using Splunk 6 with the Splunk for AWS app and trying to configure it to show CloudTrail data. I've created the SNS topic and SQS queue and can see messages in the queue but nothing is coming over to the Splunk index. The CloudTrail Log input is created, the keys are for an IAM user that has full describe access on the entire account, and I've tried entering the queue name both as the canonical name and the full arn.

Any idea what I'm missing or why this still isn't working?

Thanks,
alan

Re: CloudTrail data not showing in Splunk

nkhetia — Tue, 03 Dec 2013 01:08:28 GMT

This issue has been resolved. IAM user didn't have enough permission to fetch data.

Allan, Could you resolve this question ?

thanks
Nilesh

Re: CloudTrail data not showing in Splunk

alanwill — Tue, 03 Dec 2013 01:36:16 GMT

Yes, it's resolved now. I was also able to figure out a more limiting ACL for the access keys rather than the Power User policy. You can limit access to just the queue created in SQS as follows:

{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":"sqs:*",
"Resource":"arn:aws:sqs:us-east-1::"
}
]

}