
How to use AWS cloudtrail across 20+ accounts

matt_tunny
Explorer

Hey everyone,
We have about 20 AWS accounts at the moment and I want to use the Splunk AWS app to monitor them all, but it looks like it only works in single accounts?
I currently have CloudTrail on all accounts, which then go into 1 master S3 bucket which we pull the logs down from, also where my Splunk instance is sitting. I can get the AWS Splunk app working in the AWS account I deploy Splunk from (using IAM roles from the doco), but I can't see how to pull that type of data from other accounts without setting up 20+ Splunk instances?

How does everyone else use the Splunk AWS app when you have a lot of separate AWS accounts? Is it done through SQS or something?

Thanks!


pchen_splunk
Splunk Employee

Hi

SNS+SQS on CloudTrail is used to collect CloudTrail messages. You can set up the accounts first, then set up CloudTrail with SNS and SQS. Then, add the SQS queue in the AWS app GUI.

Meanwhile, pulling CloudTrail messages from S3 may be supported in the future.

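To make the SNS+SQS path concrete, here is an added example (not code from the Splunk app or from the poster) that unwraps one SQS message as an SNS subscription delivers it, parses the CloudTrail notification inside it, and checks that both the publishing topic and the log file path belong to one of the accounts you expect, so a mis-routed subscription from an unknown account is rejected rather than ingested. The sample message, account IDs and bucket name are constructed placeholders; the `AWSLogs/<account>/CloudTrail/<region>/` key layout and the `s3Bucket`/`s3ObjectKey` notification fields are assumed to match what CloudTrail publishes.

```python
import json
import re

# Constructed sample: the body of one SQS message written by an SNS subscription,
# wrapping the notification CloudTrail publishes after it writes a log file to S3.
# All identifiers below are made-up placeholders.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-east-1:111111111111:cloudtrail-topic",
    "Message": json.dumps({
        "s3Bucket": "example-central-cloudtrail-bucket",
        "s3ObjectKey": [
            "AWSLogs/111111111111/CloudTrail/us-east-1/2016/05/10/"
            "111111111111_CloudTrail_us-east-1_20160510T1230Z_abc123.json.gz"
        ],
    }),
    "Timestamp": "2016-05-10T12:31:00.000Z",
})

# The accounts whose trails feed the central bucket (placeholder IDs).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# Matches the standard CloudTrail key layout, with or without a custom log prefix.
_KEY_RE = re.compile(r"(?:^|/)AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/")


def parse_cloudtrail_notification(sqs_body, known_accounts):
    """Return a list of (account, region, bucket, key) tuples for one SQS message.

    Raises ValueError if the SNS topic or the log file path belongs to an
    account outside known_accounts, or if the two disagree.
    """
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification: %r" % envelope.get("Type"))
    # TopicArn is arn:aws:sns:<region>:<account>:<name>; index 4 is the account.
    topic_account = envelope["TopicArn"].split(":")[4]
    if topic_account not in known_accounts:
        raise ValueError("topic published from unknown account %s" % topic_account)
    notification = json.loads(envelope["Message"])
    results = []
    for key in notification.get("s3ObjectKey", []):
        m = _KEY_RE.search(key)
        if not m:
            raise ValueError("unexpected object key layout: %s" % key)
        if m.group("account") != topic_account:
            raise ValueError("key account %s differs from topic account %s"
                             % (m.group("account"), topic_account))
        results.append((m.group("account"), m.group("region"), notification["s3Bucket"], key))
    return results
```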


matt_tunny
Explorer

OK, thanks. I tried setting that up before, but it keeps giving me access denied even though my account has Administrator rights in AWS.
Do you know of any blogs that have set this up before?


matt_tunny
Explorer

It's giving me access denied even on root accounts when trying to add SQS in the app. I saw another question saying there is currently a bug adding SQS into the app?


pchen_splunk
Splunk Employee

If you got "access denied", please check your AWS IAM settings. Here is the reference: http://docs.splunk.com/Documentation/AWS/4.2.0/Installation/ConfigureyourAWSpermissions#Configure_Cl...

Yes, there is a bug in AWS app 4.2.0 with the SQS list. You can find my answer at https://answers.splunk.com/answers/421913/bug-in-splunk-app-for-aws-user-unable-to-configure.html#an... . Or you can wait for the 4.2.1 release, which should happen this month.

To dig deeper into the issue you hit, please file a support ticket.
