All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure Splunk to access and parse AWS GovCloud Cloudtrail logs?

asdsplunk
New Member
‎12-22-2014 06:05 PM

We have a very simple AWS GovCloud environment which is accessed by two members of our company. Last week we jumped at the anouncment that GovCloud had finally implemented support for CloudTrail. We are now logging GovCloud API calls to our GovCloud S3.

We need help configuring Splunk to access and parse our GovCloud CloudTrail logs.

Thanks for any help you can provide.

Michael Schimpf
Advanced Survey Design
0 Karma
Reply

Paolo_Prigione
Builder
‎02-10-2016 10:06 AM

According to the release notes, v3.0 of the AWS Add-on now supports GovCloud:

2015-12-23  ADDON-6870  Support for GovCloud and China regions in the configuration UI.
Reply

jonasm1
Explorer
‎03-12-2018 11:42 AM

You can refer to this article: https://medium.com/@grizzbaier/making-the-splunk-app-for-aws-work-in-the-govcloud-region-7587bedcfc8...

Reply

ubeeman
New Member
‎02-18-2015 10:32 AM

Having the exact same problem us-gov-west-1. It appears there is some separation when a govcloud account gets set up. Similar to when we request updates to our allowed instances it showed on the wrong side and took week+ to correct.

0 Karma
Reply

bendter
Explorer
‎01-24-2015 08:36 PM

We are also trying to configure Splunk to gather cloudtrail logs from govcloud. It appears that it is not possible at this time. We have accounts in both the AWS general cloud and govcloud. Splunk gathers cloudtrail logs fine from the general cloud. But Splunk cannot gather cloudtrail logs from govcloud.

The issue appears to be that Splunk is attempting to log into into the general cloud for S3 and cannot find the S3 cloudtrail files for govcloud. All SQS data is correct and retrieved okay. But the aws_cloudtrail.py script fails to find the S3 file. You can see the error very easily by trying to configure a Splunk S3 input with the govcloud user:

Failed to fetch data: In handler 'splunk_ta_aws_s3buckets': Unexpected error "" from python handler: "S3ResponseError: 403 Forbidden InvalidAccessKeyIdThe AWS Access Key Id you provided does not exist in our records.AAAAAAAAAAAAAAAAAAAA8888888888888WWWWWWWWWWWWWW=". See splunkd.log for more details.

This same splunk AWS users works fine when configuring a cloudtrail input and can even find the correct SQS queue. It just fails when it trys to find the S3 file.

Does anyone know how to configure the Splunk AWS add-on to access S3 data in the govcloud region? It seems the Splunk AWS user should have a flag to set if this is a govcloud user.

0 Karma
Reply

satishsdange
Builder
‎12-23-2014 08:17 AM

did you get a chance to look at Splunk Apps for AWS. You can download it from https://apps.splunk.com/app/1274/

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...