
Splunk AWS App - Cloudtrail data not showing up in SQS Queue

ryangrobbel
Explorer

Hi,

We've followed the documentation for setting up the Cloudtrail data input but are having an issue with Cloudtrail data actually populating the SQS Queue created, thus showing no Cloudtrail data in Splunk. The appropriate permissions have been applied for the IAM role in the AWS. Any ideas or suggestions how to troubleshoot?

Thanks!

Ryan


rpille_splunk
Splunk Employee

Hi Ryan,

If the issue is that your CloudTrail data is never reaching your SQS, revisit the CloudTrail configuration in your AWS account. http://docs.splunk.com/Documentation/AWS/latest/Installation/ConfigureyourAWSservices#Configure_Clou...

Tips:

  • For best results, create a new S3 bucket to store CloudTrail events -- don't use an existing one. Follow the AWS docs so that you can ensure the permissions are correct immediately as you complete that step. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.htm...

  • Double-check the permissions again to be sure that the account that you use to connect from the app has permission for both the S3 bucket and the SQS.

  • Check with your AWS Admin to verify there are not OTHER policies overriding the account's permissions.

  • Verify that no other script or input is consuming messages from the SQS queue. This other script or message may be another input from the Splunk App for AWS or some other app or software that has permission to read that queue.

If none of those troubleshooting steps are effective, you can try ingesting your CloudTrail data using the S3 input instead of the CloudTrail input, bypassing the need for an SQS. Follow the steps here http://docs.splunk.com/Documentation/AWS/latest/Installation/S3 and be sure to set the sourcetype to aws:cloudtrail.

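The checks in the answer above walk one delivery chain: CloudTrail writes to the S3 bucket, publishes a notification to an SNS topic, SNS forwards it to the SQS queue, and the Splunk input reads the queue and then fetches the object from S3. A break at any hop leaves the queue empty. The script below is an added example, not code from the original post or from the Splunk App for AWS. It evaluates, offline, the JSON you would pull with `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status`, `aws s3api get-bucket-policy`, `aws sqs get-queue-attributes --attribute-names Policy`, and the Splunk role's policy, and reports which hop is mis-configured. All account IDs, ARNs, bucket names and policy documents in it are constructed sample data, deliberately broken so the checker has something to report; the role permissions it looks for are the ones the app docs list for the CloudTrail input (receive, delete and get attributes on the queue, and GetObject on the bucket), so verify them against the app version you run. The matcher ignores Deny statements and Condition blocks, so a clean result is necessary, not sufficient.

```python
"""Offline checker for the CloudTrail -> S3 -> SNS -> SQS -> Splunk chain.

Inputs are plain dicts in the shape the AWS CLI returns.  Everything below
is constructed sample data, not output from a real account."""
import fnmatch


def _as_list(value):
    """Action, Resource, Statement and Principal.Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, service):
    """True if the statement's Principal names the service principal (or is '*')."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return service in _as_list(principal.get("Service"))
    return False


def policy_allows(policy, action, resource, service=None):
    """True if some Allow statement grants `action` on `resource`.

    `service` is the AWS service principal for a resource policy (bucket or
    queue policy); pass None for an identity policy on the Splunk role, which
    carries no Principal.  Wildcards are matched with fnmatch.  Explicit Deny
    and Condition blocks are ignored, so True is necessary, not sufficient."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if service is not None and not _principal_matches(stmt, service):
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))
        if action_ok and resource_ok:
            return True
    return False


def check_pipeline(trail, trail_status, bucket_policy, queue_policy, role_policy,
                   account, topic_arn, queue_arn):
    """Walk the chain hop by hop and return a list of findings (empty = nothing obvious)."""
    findings = []
    bucket_arn = "arn:aws:s3:::" + trail["S3BucketName"]
    # A representative object key under the prefix CloudTrail writes to.
    log_object = f"{bucket_arn}/AWSLogs/{account}/CloudTrail/us-east-1/sample.json.gz"
    cloudtrail = "cloudtrail.amazonaws.com"

    # Hop 0: is the trail on, and has AWS already told us delivery is failing?
    if not trail_status.get("IsLogging"):
        findings.append("trail-not-logging")
    for key in ("LatestDeliveryError", "LatestNotificationError"):
        if trail_status.get(key):
            findings.append(f"{key}: {trail_status[key]}")
    if trail.get("SnsTopicARN") != topic_arn:
        findings.append("trail-sns-topic-mismatch")
    # Hop 1: CloudTrail -> S3 (the two statements from the AWS bucket-policy doc).
    if not policy_allows(bucket_policy, "s3:GetBucketAcl", bucket_arn, cloudtrail):
        findings.append("bucket-policy-missing-GetBucketAcl")
    if not policy_allows(bucket_policy, "s3:PutObject", log_object, cloudtrail):
        findings.append("bucket-policy-missing-PutObject")
    # Hop 2: SNS -> SQS; without this the topic silently drops the delivery.
    if not policy_allows(queue_policy, "sqs:SendMessage", queue_arn, "sns.amazonaws.com"):
        findings.append("queue-policy-missing-sns-SendMessage")
    # Hop 3: the Splunk role reading the queue and then the object.
    for action in ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"):
        if not policy_allows(role_policy, action, queue_arn):
            findings.append(f"role-missing-{action}")
    if not policy_allows(role_policy, "s3:GetObject", log_object):
        findings.append("role-missing-s3:GetObject")
    return findings


# Constructed sample inputs (hypothetical account, ARNs and bucket names).
ACCOUNT = "123456789012"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cloudtrail-topic"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:cloudtrail-queue"
TRAIL = {"Name": "splunk-trail", "S3BucketName": "splunk-cloudtrail-logs", "SnsTopicARN": TOPIC_ARN}
TRAIL_STATUS = {"IsLogging": True, "LatestNotificationError": "AuthorizationError (constructed)"}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::splunk-cloudtrail-logs"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
     # Stale bucket name copied from a policy written for a reused bucket.
     "Resource": "arn:aws:s3:::old-audit-bucket/AWSLogs/123456789012/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    # Only the account root may touch the queue; no statement for sns.amazonaws.com.
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sqs:*", "Resource": QUEUE_ARN}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": QUEUE_ARN,
     "Action": ["sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:GetQueueUrl"]},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::splunk-cloudtrail-logs/*"}]}


def run_sample():
    """Run the checker over the constructed sample; used by the demo and the tests."""
    return check_pipeline(TRAIL, TRAIL_STATUS, BUCKET_POLICY, QUEUE_POLICY, ROLE_POLICY,
                          ACCOUNT, TOPIC_ARN, QUEUE_ARN)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

On the constructed sample it reports the notification error CloudTrail already recorded, the bucket policy that grants PutObject on the wrong bucket, the queue policy with no SNS statement, and the role that cannot delete messages (which would not empty the queue, but would re-deliver and duplicate events). The one tip it cannot cover offline is a competing consumer: for that, compare the queue's CloudWatch `NumberOfMessagesSent` against `NumberOfMessagesReceived` and `NumberOfMessagesDeleted`, and look at `ApproximateNumberOfMessagesNotVisible` from `get-queue-attributes` while the Splunk input is stopped.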


ryangrobbel
Explorer

Thank you! Running through the steps again helped.
