How to use AWS CloudTrail across 20+ accounts

matt_tunny
Explorer

Hey everyone,
We have about 20 AWS accounts at the moment and I want to use the Splunk AWS app to monitor them all, but it looks like it only works in single accounts?
I currently have CloudTrail on all accounts, which then go into 1 master S3 bucket which we pull the logs down from, also where my Splunk instance is sitting. I can get the AWS Splunk app working in the AWS account I deploy Splunk from (using IAM roles from the doco) but I can't see how to pull that type of data from other accounts without setting up 20+ Splunk instances?

How does everyone else use the Splunk AWS app when you have a lot of separate AWS accounts? Is it done through SQS or something?

Thanks!

0 Karma

pchen_splunk
Splunk Employee

Hi

SNS+SQS on CloudTrail is used for collecting CloudTrail messages. You can set up accounts first, then set up CloudTrail with SNS and SQS. Then, add SQS in the AWS app GUI.

Meanwhile, pulling CloudTrail messages from S3 may be supported in the future.

matt_tunny
Explorer

OK thanks, I tried setting that up before but it keeps giving me access denied even though my account has Administrator rights in AWS.
Do you know of any blogs that have set this up before?

0 Karma

matt_tunny
Explorer

It's giving me access denied to even root accounts when trying to add SQS app. I saw another question saying there is currently a bug adding SQS into the app?

0 Karma

pchen_splunk
Splunk Employee

If you got "access denied", please check your AWS IAM settings. Here is a reference: http://docs.splunk.com/Documentation/AWS/4.2.0/Installation/ConfigureyourAWSpermissions#Configure_Cl...

Yes, there is a bug in AWS app 4.2.0 about SQS list. You can get my answer at https://answers.splunk.com/answers/421913/bug-in-splunk-app-for-aws-user-unable-to-configure.html#an... . Or you can wait for the 4.2.1 release, which should happen this month.

To dig deeper into the issue you met, please file a support ticket.

0 Karma
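
One way to narrow down an "access denied" error like the one discussed in this thread, before filing a ticket, is to check the IAM policy attached to the Splunk credentials offline. This is an added example, not part of the original posts and not Splunk's code; the required-action list is an assumption to confirm against the linked permissions page, and the ARNs, account IDs and policy are constructed samples.

```python
import fnmatch

# Assumption: the actions an SQS-based CloudTrail input needs. Confirm the list
# against the Splunk permissions page linked in the reply above.
REQUIRED = ["sqs:ListQueues", "sqs:GetQueueUrl", "sqs:GetQueueAttributes",
            "sqs:ReceiveMessage", "sqs:DeleteMessage", "s3:GetObject"]
# sqs:ListQueues has no resource-level permissions, so only Resource "*" grants it.
ACCOUNT_WIDE = {"sqs:ListQueues"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(patterns, value, ignore_case=False):
    # IAM's * and ? wildcards behave like shell globs.
    fold = str.lower if ignore_case else str
    return any(fnmatch.fnmatchcase(fold(value), fold(p)) for p in _as_list(patterns))

def missing_actions(policy, arns):
    """Return the REQUIRED actions an identity policy does not effectively allow.

    arns maps a service prefix ("sqs", "s3") to the ARN the input will touch.
    Conditions, NotAction and NotResource are not modelled.
    """
    missing = []
    for action in REQUIRED:
        target = "*" if action in ACCOUNT_WIDE else arns[action.split(":")[0]]
        effects = set()
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue
            if _glob(stmt["Action"], action, ignore_case=True) and _glob(stmt["Resource"], target):
                effects.add(stmt["Effect"])
        # An explicit Deny always wins over any Allow.
        if "Allow" not in effects or "Deny" in effects:
            missing.append(action)
    return missing

# Constructed sample: a policy scoped tightly to one queue and one bucket.
SAMPLE_ARNS = {"sqs": "arn:aws:sqs:us-east-1:111111111111:cloudtrail-queue",
               "s3": "arn:aws:s3:::example-cloudtrail-bucket/AWSLogs/222222222222/x.json.gz"}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:*", "Resource": SAMPLE_ARNS["sqs"]},
    {"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-cloudtrail-bucket/*"},
    {"Effect": "Deny", "Action": "sqs:deletemessage", "Resource": "*"},
]}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, SAMPLE_ARNS))
```

The sample policy looks permissive (`sqs:*`) yet still fails two checks: listing queues needs a statement with `Resource` set to `*`, and the explicit Deny overrides the Allow for message deletion.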