AWS App: Unable to select region during VPC Flow Log config

brettcave
Builder

I am trying to configure the Splunk App for AWS app with VPC Flow Log monitoring. From the Configure screen, I select the configured AWS account and in the next section, when I select the drop-down for Region, it looks like the UI does an async call fetching options and then greys out with no regions populated.

I have configured inputs for Config, CloudTrail and MetaData successfully and permissions via IAM are configured as per the guide. I was previously using VPC Flow logs successfully with this user without any changes in IAM but had to uninstall the app and re-install it (Splunk Add-On for AWS was also upgraded from 2.x.x to 3.0.0).

Here's what the empty "Regions" select box looks like:
[Screenshot: empty "Regions" select box]

How can I configure this input? (even if I can configure manually in the config files for now if this is a UI bug...)

Edit: More info - seems like a bug around authentication and/or timestamps.

Following what aws_log_groups_handler.py does from the app, I found the following entries in var/log/splunk/saas_app_aws.log:

2016-04-07 12:39:59,125 [INFO] [aws_log_groups_handler.py] action 2 name None args {'target': ['127.0.0.1'], 'aws_account': ['MyAccount']}
2016-04-07 12:39:59,125 [INFO] [base_handler.py] get target service 127.0.0.1
2016-04-07 12:39:59,144 [INFO] [local_manager.py] app splunk_app_aws, owner nobody, host 127.0.0.1, port 8089
2016-04-07 12:39:59,147 [INFO] [target_manager.py] get_target 127.0.0.1
2016-04-07 12:39:59,147 [INFO] [target_manager.py] local_splunk_host 127.0.0.1
2016-04-07 12:39:59,147 [INFO] [base_handler.py] target service props {'owner': 'nobody', 'port': '8089', 'app': 'Splunk_TA_aws', 'scheme': 'https', 'host': '127.0.0.1', 'token': 'redacted'}
2016-04-07 12:40:00,096 [ERROR] [aws_utils.py] JSONResponseError: 400 Bad Request
{u'__type': u'InvalidSignatureException', u'message': u'Signature expired: 20160407T103959Z is now earlier than 20160407T104044Z (20160407T104544Z - 5 min.)'}
2016-04-07 12:40:00,096 [ERROR] [aws_utils.py] {u'__type': u'InvalidSignatureException', u'message': u'Signature expired: 20160407T103959Z is now earlier than 20160407T104044Z (20160407T104544Z - 5 min.)'}

These errors are repeated for each region. It looks like an authentication issue between the Splunk app and the Splunk add-on...

1 Solution

brettcave
Builder

Server time was wrong by about 7 minutes so calls to AWS API were failing authentication.

Updated the date and things started working.
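
Added example, not part of the original post or of the Splunk app's code: a Python scanner that pulls the AWS signature clock-skew errors out of saas_app_aws.log lines and computes how far the local clock is from AWS time. It also handles the "Signature not yet current" variant returned when the local clock is ahead, which goes beyond the case in this thread; the function and variable names are hypothetical.

```python
import re
from datetime import datetime

# AWS clock-skew error text, both directions:
#   "Signature expired: <signed> is now earlier than <limit> (<aws_now> - 5 min.)"
#   "Signature not yet current: <signed> is still later than <limit> (<aws_now> + 5 min.)"
SKEW_RE = re.compile(
    r"Signature (?:expired|not yet current): (\d{8}T\d{6}Z) "
    r"is (?:now earlier|still later) than "
    r"\d{8}T\d{6}Z \((\d{8}T\d{6}Z) [-+] \d+ min\.\)"
)
STAMP = "%Y%m%dT%H%M%SZ"


def clock_skew_findings(lines):
    """Return one (signed, aws_now, skew_seconds) tuple per distinct error.

    skew_seconds is the local signing time minus the AWS time, so a
    negative value means the local clock is behind.
    """
    findings, seen = [], set()
    for line in lines:
        m = SKEW_RE.search(line)
        if not m or m.group(0) in seen:
            continue  # unrelated line, or the same error logged again
        seen.add(m.group(0))
        signed = datetime.strptime(m.group(1), STAMP)
        aws_now = datetime.strptime(m.group(2), STAMP)
        skew = int((signed - aws_now).total_seconds())
        findings.append((m.group(1), m.group(2), skew))
    return findings


# First two lines are taken from the log excerpt in the question;
# the third is constructed to show that unrelated lines are skipped.
SAMPLE = [
    "{u'__type': u'InvalidSignatureException', u'message': u'Signature expired: 20160407T103959Z is now earlier than 20160407T104044Z (20160407T104544Z - 5 min.)'}",
    "2016-04-07 12:40:00,096 [ERROR] [aws_utils.py] {u'__type': u'InvalidSignatureException', u'message': u'Signature expired: 20160407T103959Z is now earlier than 20160407T104044Z (20160407T104544Z - 5 min.)'}",
    "2016-04-07 12:39:59,147 [INFO] [target_manager.py] get_target 127.0.0.1",
]

if __name__ == "__main__":
    for signed, aws_now, skew in clock_skew_findings(SAMPLE):
        side = "behind" if skew < 0 else "ahead of"
        print(f"signed {signed}, AWS time {aws_now}: "
              f"local clock {abs(skew)}s {side} AWS")
```

A non-empty result means the host clock needs correcting (for example via NTP) before the AWS API calls will authenticate.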
