All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk AWS App - Cloudtrail data not showing up in SQS Queue

ryangrobbel
Explorer
‎03-09-2016 11:36 AM

Hi,

We've followed the documentation for setting up the Cloudtrail data input but are having an issue with Cloudtrail data actually populating the SQS Queue created, thus showing no Cloudtrail data in Splunk. The appropriate permissions have been applied for the IAM role in the AWS. Any ideas or suggestions how to troubleshoot?

Thanks!

Ryan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rpille_splunk
Splunk Employee
Splunk Employee
‎03-09-2016 03:13 PM

Hi Ryan,

If the issue is that your CloudTrail data is never reaching your SQS, revisit the CloudTrail configuration in your AWS account. http://docs.splunk.com/Documentation/AWS/latest/Installation/ConfigureyourAWSservices#Configure_Clou...

Tips:

  • For best results, create a new S3 bucket to store CloudTrail events -- don't use an existing one. Follow the AWS docs so that you can ensure the permissions are correct immediately as you complete that step. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.htm...

  • Double check the permissions again to be sure that the account that you use to connect from the app has permission for both the S3 bucket and the SQS.

  • Check with your AWS Admin to verify there are not OTHER policies overriding the account's permissions.

  • Verify that no other script or input is consuming messages from the SQS queue. This other script or message may be another input from the Splunk App for AWS or some other app or software that has permission to read that queue.

If none of those troubleshooting steps are effective, you can try ingesting your CloudTrail data using the S3 input instead of the CloudTrail input, bypassing the need for an SQS. Follow the steps here http://docs.splunk.com/Documentation/AWS/latest/Installation/S3 and be sure to set the sourcetype to aws:cloudtrail

View solution in original post

Reply
Solved! Jump to solution
Solution

rpille_splunk
Splunk Employee
Splunk Employee
‎03-09-2016 03:13 PM

Hi Ryan,

If the issue is that your CloudTrail data is never reaching your SQS, revisit the CloudTrail configuration in your AWS account. http://docs.splunk.com/Documentation/AWS/latest/Installation/ConfigureyourAWSservices#Configure_Clou...

Tips:

  • For best results, create a new S3 bucket to store CloudTrail events -- don't use an existing one. Follow the AWS docs so that you can ensure the permissions are correct immediately as you complete that step. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.htm...

  • Double check the permissions again to be sure that the account that you use to connect from the app has permission for both the S3 bucket and the SQS.

  • Check with your AWS Admin to verify there are not OTHER policies overriding the account's permissions.

  • Verify that no other script or input is consuming messages from the SQS queue. This other script or message may be another input from the Splunk App for AWS or some other app or software that has permission to read that queue.

If none of those troubleshooting steps are effective, you can try ingesting your CloudTrail data using the S3 input instead of the CloudTrail input, bypassing the need for an SQS. Follow the steps here http://docs.splunk.com/Documentation/AWS/latest/Installation/S3 and be sure to set the sourcetype to aws:cloudtrail

Reply
Solved! Jump to solution

ryangrobbel
Explorer
‎03-15-2016 11:25 AM

Thank you! Running through the steps again helped.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...