All Apps and Add-ons

AWS App: Unable to select region during VPC Flow Log config

brettcave
Builder

I am trying to configure the Splunk App for AWS app with VPC Flow Log monitoring. From the Configure screen, I select the configured AWS account and in the next section, when I select the drop-down for Region, it looks like the UI does an async call fetching options and then greys out with no regions populated.

I have configured inputs for Config, CloudTrail and MetaData successfully and permissions via IAM are configured as per the guide. I was previously using VPC Flow logs successfully with this user without any changes in IAM but had to uninstall the app and re-install it (Splunk Add-On for AWS was also upgraded from 2.x.x to 3.0.0).

Here's what the empty "Regions" select box looks like:
alt text

How can I configure this input? (even if I can configure manually in the config files for now if this is a UI bug...)

Edit More info - seems like a bug around authentication and/or timestamps.

Following what aws_log_groups_handler.py does from the app, I found the following entries in var/log/splunk/saas_app_aws.log:

2016-04-07 12:39:59,125 [INFO] [aws_log_groups_handler.py] action 2 name None args {'target': ['127.0.0.1'], 'aws_account': ['MyAccount']}
2016-04-07 12:39:59,125 [INFO] [base_handler.py] get target service 127.0.0.1
2016-04-07 12:39:59,144 [INFO] [local_manager.py] app splunk_app_aws, owner nobody, host 127.0.0.1, port 8089
2016-04-07 12:39:59,147 [INFO] [target_manager.py] get_target 127.0.0.1
2016-04-07 12:39:59,147 [INFO] [target_manager.py] local_splunk_host 127.0.0.1
2016-04-07 12:39:59,147 [INFO] [base_handler.py] target service props {'owner': 'nobody', 'port': '8089', 'app': 'Splunk_TA_aws', 'scheme': 'https', 'host': '127.0.0.1', 'token': 'redacted'}
2016-04-07 12:40:00,096 [ERROR] [aws_utils.py] JSONResponseError: 400 Bad Request
{u'__type': u'InvalidSignatureException', u'message': u'Signature expired: 20160407T103959Z is now earlier than 20160407T104044Z (20160407T104544Z - 5 min.)'}
2016-04-07 12:40:00,096 [ERROR] [aws_utils.py] {u'__type': u'InvalidSignatureException', u'message': u'Signature expired: 20160407T103959Z is now earlier than 20160407T104044Z (20160407T104544Z - 5 min.)'}

These errors are repeated for each region. It looks like an authentication issue between Splunk app and the Splunk add-on....

Tags (1)
0 Karma
1 Solution

brettcave
Builder

Server time was wrong by about 7 minutes so calls to AWS API were failing authentication.

Updated the date and things started working.

View solution in original post

0 Karma

brettcave
Builder

Server time was wrong by about 7 minutes so calls to AWS API were failing authentication.

Updated the date and things started working.

View solution in original post

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!