
AWS S3 path-based access model deprecation, impact on cloudtrail data ingest and possible fixes

soumyasaha25
Contributor

AWS had announced that they would deprecate the path-based access model that is used to specify the address of an object in an S3 bucket, and this kicks in from 30th Sept 2020.
Example:
Current format:
https://s3.amazonaws.com/jbarr-public/images/ritchie_and_thompson_pdp11.jpeg
New format:
https://jbarr-public.s3.amazonaws.com/images/ritchie_and_thompson_pdp11.jpeg
More info on this can be found here

My question is, what changes need to be done on the Splunk config end so that we continue to receive data (in my case CloudTrail) from S3 buckets with the new naming convention?
I can only see from the config files that the only place where the "bucket_name" and "hostname" are referenced is in inputs.conf in Splunk_TA_aws.
Do I need an upgrade of the Splunk TA to support this? I am currently on Splunk TA version 4.5.0 and Splunk version 7.1.1.


amiracle
Splunk Employee

For starters, you should upgrade your Splunk instance to 8.x, the AWS App to 6.0 and the Add-on to 5.0 since they will use the newer Boto SDK v3 along with Python 3.7.

I don't believe that this will have an impact on how Splunk collects the data from the S3 buckets, since we are using the Boto SDK to pull the bucket names and not the URLs. Regardless of what the URL is, the bucket name will stay the same, and that is what is being used for data collection.

If you want, you can see what Splunk sees by going to the AWS CLI and typing in aws s3 ls; you should only see a list of your S3 buckets.

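To illustrate the point in the answer above that the bucket name, not the URL form, identifies the data source, here is an added Python example. It is not code from Splunk, from the AWS add-on, or from anyone in this thread. It parses the path-style and virtual-hosted-style URLs shown in the question to the same (bucket, key) pair, accepts s3:// URIs of the kind the CLI uses, converts a path-style URL to the virtual-hosted form (including the regional s3.<region>.amazonaws.com and legacy s3-<region>.amazonaws.com endpoints), and flags one caveat the thread does not mention: a bucket whose name contains dots cannot be addressed virtual-hosted over HTTPS, because the endpoint's wildcard certificate only matches a single host label. All URLs other than the two from the question are constructed for this example.

```python
"""Resolve path-style and virtual-hosted-style S3 URLs to the same (bucket, key).

Added example; not Splunk's or the AWS add-on's code. Endpoint forms handled:
  s3.amazonaws.com, s3.<region>.amazonaws.com, legacy s3-<region>.amazonaws.com,
  each optionally prefixed by <bucket>. for the virtual-hosted style.
"""
from urllib.parse import quote, unquote, urlsplit

AWS_SUFFIX = ".amazonaws.com"


class S3UrlError(ValueError):
    """Raised for URLs that are not S3 object addresses."""


def _split_endpoint(host):
    """Return (bucket_prefix_or_None, region_or_None) for an S3 REST host."""
    if not host.endswith(AWS_SUFFIX):
        raise S3UrlError(f"not an S3 endpoint: {host}")
    labels = host[: -len(AWS_SUFFIX)].split(".")
    # Scan from the right: the service label is the rightmost "s3" / "s3-<region>",
    # so a bucket whose own name starts with "s3-" is not mistaken for it, and a
    # bucket name containing dots is reassembled from the labels to its left.
    for i in range(len(labels) - 1, -1, -1):
        label = labels[i]
        if label == "s3" or label.startswith("s3-"):
            bucket = ".".join(labels[:i]) or None
            if label.startswith("s3-"):          # legacy dash-style regional host
                region = label[len("s3-"):]
            else:                                # dot-style: region follows "s3"
                region = ".".join(labels[i + 1:]) or None
            return bucket, region
    raise S3UrlError(f"not an S3 endpoint: {host}")


def parse_s3_url(url):
    """Return (bucket, key) for a path-style, virtual-hosted-style or s3:// URL."""
    parts = urlsplit(url)
    if parts.scheme == "s3":
        # s3://bucket/key, as used by the AWS CLI
        return parts.netloc, unquote(parts.path.lstrip("/"))
    if parts.scheme not in ("http", "https"):
        raise S3UrlError(f"unsupported scheme: {parts.scheme!r}")
    bucket, _region = _split_endpoint(parts.netloc.lower())
    path = unquote(parts.path.lstrip("/"))
    if bucket is None:
        # Path-style: the first path segment is the bucket name.
        bucket, _, key = path.partition("/")
        if not bucket:
            raise S3UrlError("path-style URL has no bucket segment")
        return bucket, key
    # Virtual-hosted style: the whole path is the object key.
    return bucket, path


def to_virtual_hosted(url):
    """Rewrite an http(s) S3 URL into the virtual-hosted style (dot-style region)."""
    parts = urlsplit(url)
    _prefix, region = _split_endpoint(parts.netloc.lower())
    bucket, key = parse_s3_url(url)
    endpoint = f"s3.{region}{AWS_SUFFIX}" if region else f"s3{AWS_SUFFIX}"
    return f"{parts.scheme}://{bucket}.{endpoint}/{quote(key)}"


def virtual_hosted_tls_ok(bucket):
    """False when the bucket name contains dots: the *.s3.amazonaws.com wildcard
    certificate matches one host label only, so HTTPS validation would fail."""
    return "." not in bucket


if __name__ == "__main__":
    # The two URLs from the question resolve to the same bucket and key.
    old = "https://s3.amazonaws.com/jbarr-public/images/ritchie_and_thompson_pdp11.jpeg"
    new = "https://jbarr-public.s3.amazonaws.com/images/ritchie_and_thompson_pdp11.jpeg"
    print(parse_s3_url(old) == parse_s3_url(new), to_virtual_hosted(old) == new)
    print(virtual_hosted_tls_ok("my.dotted.bucket"))
```

Feeding both URL styles through parse_s3_url gives the same (bucket, key), which is what a collector keyed on bucket name, rather than on a URL template, relies on. The TLS check is the one thing to confirm before switching an existing bucket to virtual-hosted addressing: a name with dots in it works path-style but not virtual-hosted over HTTPS.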

amiracle
Splunk Employee

Just as a side note, if you want to collect CloudTrail data at scale, you might want to look into using Grand Central: https://www.splunk.com/en_us/blog/partners/trumpeting-to-grand-central-monitor-and-deploy-cloud-base...
