All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk AWS App - Cloudtrail data not showing up in SQS Queue

ryangrobbel
Explorer
‎03-09-2016 11:36 AM

Hi,

We've followed the documentation for setting up the Cloudtrail data input but are having an issue with Cloudtrail data actually populating the SQS Queue created, thus showing no Cloudtrail data in Splunk. The appropriate permissions have been applied for the IAM role in the AWS. Any ideas or suggestions how to troubleshoot?

Thanks!

Ryan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rpille_splunk
Splunk Employee
Splunk Employee
‎03-09-2016 03:13 PM

Hi Ryan,

If the issue is that your CloudTrail data is never reaching your SQS, revisit the CloudTrail configuration in your AWS account. http://docs.splunk.com/Documentation/AWS/latest/Installation/ConfigureyourAWSservices#Configure_Clou...

Tips:

  • For best results, create a new S3 bucket to store CloudTrail events -- don't use an existing one. Follow the AWS docs so that you can ensure the permissions are correct immediately as you complete that step. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.htm...

  • Double check the permissions again to be sure that the account that you use to connect from the app has permission for both the S3 bucket and the SQS.

  • Check with your AWS Admin to verify there are not OTHER policies overriding the account's permissions.

  • Verify that no other script or input is consuming messages from the SQS queue. This other script or message may be another input from the Splunk App for AWS or some other app or software that has permission to read that queue.

If none of those troubleshooting steps are effective, you can try ingesting your CloudTrail data using the S3 input instead of the CloudTrail input, bypassing the need for an SQS. Follow the steps here http://docs.splunk.com/Documentation/AWS/latest/Installation/S3 and be sure to set the sourcetype to aws:cloudtrail

View solution in original post

Reply
Solved! Jump to solution
Solution

rpille_splunk
Splunk Employee
Splunk Employee
‎03-09-2016 03:13 PM

Hi Ryan,

If the issue is that your CloudTrail data is never reaching your SQS, revisit the CloudTrail configuration in your AWS account. http://docs.splunk.com/Documentation/AWS/latest/Installation/ConfigureyourAWSservices#Configure_Clou...

Tips:

  • For best results, create a new S3 bucket to store CloudTrail events -- don't use an existing one. Follow the AWS docs so that you can ensure the permissions are correct immediately as you complete that step. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.htm...

  • Double check the permissions again to be sure that the account that you use to connect from the app has permission for both the S3 bucket and the SQS.

  • Check with your AWS Admin to verify there are not OTHER policies overriding the account's permissions.

  • Verify that no other script or input is consuming messages from the SQS queue. This other script or message may be another input from the Splunk App for AWS or some other app or software that has permission to read that queue.

If none of those troubleshooting steps are effective, you can try ingesting your CloudTrail data using the S3 input instead of the CloudTrail input, bypassing the need for an SQS. Follow the steps here http://docs.splunk.com/Documentation/AWS/latest/Installation/S3 and be sure to set the sourcetype to aws:cloudtrail

Reply
Solved! Jump to solution

ryangrobbel
Explorer
‎03-15-2016 11:25 AM

Thank you! Running through the steps again helped.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top