All Apps and Add-ons

AWS Cloudtrail data not shown in the dashboard under "CloudTrail Overview - 24h"

cchsiang2002
Explorer

I have configured the CloudTrail, SNS, SQS, with the correct policy.

I also configured the Splunk with "Splunk Add-on for AWS" and "Splunk APP for AWS".
I configured the Data Input with my AWS credential and SQS name.

I can see my SQS queue is consumed Splunk. Under Splunk "Search", there are 3000+ events.
Every time I add or delete a AWS VPC, I see the events are collected by Splunk.

When I clicked on the "Data Summary" and select my host/server, I can see all the events.

Now, my question..
1. I don't see anything under "CloudTrail Overview - 24h" page.
2. How can I start the analysis part of Splunk?

Thanks in advance...

0 Karma
1 Solution

_d_
Splunk Employee
Splunk Employee

Which index is your CloudTrail data going to, aws-cloudtrail or another? If not aws-cloudtrail, then you need to modify macros.conf in Splunk App for AWS to correspond to the right index.

View solution in original post

_d_
Splunk Employee
Splunk Employee

Which index is your CloudTrail data going to, aws-cloudtrail or another? If not aws-cloudtrail, then you need to modify macros.conf in Splunk App for AWS to correspond to the right index.

cchsiang2002
Explorer

Using index=aws-cloudtrail as a filter from the search bar, I do see one event.
However, I don't see this event in the home page.

I do have 4000+ events collected last few days, and they are all with "sourcetype" = "aws:cloudtrail".
When I click on "Data Summary", and select my host name, I can see all those 4000+ events, e.g. create vpc, delete vpc, launch instance, terminate instance, add subnet, add security group, etc.

Aren't they considered "notable"? If now, how can I re-define "notable" so that those events can be included.
Thanks in advance...

0 Karma

cchsiang2002
Explorer

Hi D, thank you so much....
Your instructions are very clear...
IT WORKS now.

kkossery
Communicator

Thank you d!

_d_
Splunk Employee
Splunk Employee

The landing page of the App works off of the aws-cloudtrail index. It appears that you only have one event in it despite having about 4000 with sourcetype=aws:cloudtrail in the default index. You just need to wait a bit until more events are collected. The notable status of CloudTrail events is defined in a lookup file named all_eventName.csv.

cchsiang2002
Explorer

Thank you d.
I did what you mentioned, 1. create a new Index "aws-cloudtrail", 2. under Data-input->More setting, I changed the index to "aws-cloudtrail".

The index settings under "aws-cloudtrail" are:
Home page = $SPLUNK_DB/aws-cloudtrail/db
Cold Path = $SPLUNK_DB/aws-cloudtrail/colddb
Thawed path = $SPLUNK_DB/aws-cloudtrail/colddb
Max size(MB) of entire index = 500000
Max size (MB) of hot/warm/cold bucket = auto

With this setting, it still does not work.
The home page of "Splunk App for AWS" still shows empty, e.g. "No results found" under "Notable Activity by Service vs. Previous 24 hr".

Any idea?
Thanks....

0 Karma

_d_
Splunk Employee
Splunk Employee

Well, perhaps there isn't enough data in that index yet or if there is it's not "notable". Run this search: index=aws-cloudtrail from the search bar and see if it returns anything. If it doesn't, you'll just have to wait until enough CloudTrail data has been collected.

cchsiang2002
Explorer

Thank d, I think that I am using aws-cloudtrail.

When I do the "Data Input" and add the new data input,
Under "More settings", I did not change anything, so it has:
Interval = 30
Source type = Manual, and aws:cloudtrail
Host = cloudN-local (which is the host name of my Linux server that hosts Splunk)
Index = default (this is a drop-down menu, that has 4 choices: default, history, summary, and main).

As for macros.conf, it has the following already:
[aws-cloudtrail-index]
definition = index=aws-cloudtrail

Could you let me know what else I need to do? I am a newbie of Splunk, so if possible, more details the better.
Thanks a lot...

0 Karma

_d_
Splunk Employee
Splunk Employee

Okay, in that case then you need to do the following: (1) create a new index called aws-cloudtrail by going to Settings | Indexes | New then (2) under Data Inputs' More Settings select that as your index.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...