Splunk AWS App - Cloudtrail data not showing up in SQS Queue

ryangrobbel
Explorer

Hi,

We've followed the documentation for setting up the Cloudtrail data input but are having an issue with Cloudtrail data actually populating the SQS Queue created, thus showing no Cloudtrail data in Splunk. The appropriate permissions have been applied for the IAM role in the AWS. Any ideas or suggestions how to troubleshoot?

Thanks!

Ryan


rpille_splunk
Splunk Employee

Hi Ryan,

If the issue is that your CloudTrail data is never reaching your SQS, revisit the CloudTrail configuration in your AWS account. http://docs.splunk.com/Documentation/AWS/latest/Installation/ConfigureyourAWSservices#Configure_Clou...

Tips:

  • For best results, create a new S3 bucket to store CloudTrail events -- don't use an existing one. Follow the AWS docs so that you can ensure the permissions are correct immediately as you complete that step. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.htm...

  • Double check the permissions again to be sure that the account that you use to connect from the app has permission for both the S3 bucket and the SQS.

  • Check with your AWS Admin to verify there are not OTHER policies overriding the account's permissions.

  • Verify that no other script or input is consuming messages from the SQS queue. This other script or message may be another input from the Splunk App for AWS or some other app or software that has permission to read that queue.

If none of those troubleshooting steps are effective, you can try ingesting your CloudTrail data using the S3 input instead of the CloudTrail input, bypassing the need for an SQS. Follow the steps here http://docs.splunk.com/Documentation/AWS/latest/Installation/S3 and be sure to set the sourcetype to aws:cloudtrail.
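
Added example (not from the thread, the Splunk app or AWS): an offline checker for the CloudTrail S3 bucket policy that the first two tips send you to, verifying the grants the linked AWS doc requires and flagging any explicit Deny that could override them (the "other policies" tip). It assumes the standard CloudTrail policy shape (s3:GetBucketAcl on the bucket, s3:PutObject on AWSLogs/<account>/* with the bucket-owner-full-control ACL condition); the bucket name, account id and sample policy are constructed.

```python
import json

CLOUDTRAIL = "cloudtrail.amazonaws.com"  # service principal CloudTrail delivers logs as

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _services(stmt):
    """Service principals a statement names ('*' stands for every principal)."""
    principal = stmt.get("Principal", {})
    if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
        return {"*"}
    return set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()

def _grants(stmt, action, resource):
    """Allow statement giving CloudTrail `action` on exactly `resource` (no wildcard expansion)."""
    return (stmt.get("Effect") == "Allow" and CLOUDTRAIL in _services(stmt)
            and action in _as_list(stmt.get("Action", []))
            and resource in _as_list(stmt.get("Resource", [])))

def check_cloudtrail_bucket_policy(policy_json, bucket, account_id):
    """Findings for a bucket policy; empty list = CloudTrail can write and nothing denies it."""
    stmts = json.loads(policy_json)["Statement"]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    log_prefix = f"{bucket_arn}/AWSLogs/{account_id}/*"  # where CloudTrail puts the log objects
    findings = []
    if not any(_grants(s, "s3:GetBucketAcl", bucket_arn) for s in stmts):
        findings.append(f"missing Allow s3:GetBucketAcl on {bucket_arn}")
    writers = [s for s in stmts if _grants(s, "s3:PutObject", log_prefix)]
    if not writers:
        findings.append(f"missing Allow s3:PutObject on {log_prefix}")
    elif not any(s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                 == "bucket-owner-full-control" for s in writers):
        findings.append("s3:PutObject grant lacks Condition s3:x-amz-acl = bucket-owner-full-control")
    # An explicit Deny overrides every Allow: the "other policies overriding" tip above.
    for s in stmts:
        if s.get("Effect") == "Deny" and _services(s) & {"*", CLOUDTRAIL}:
            findings.append(f"explicit Deny '{s.get('Sid', '?')}' applies to CloudTrail; review it")
    return findings

# Constructed sample (not from the thread): the PutObject grant lacks the ACL condition.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-bucket"},
    {"Sid": "Write", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/123456789012/*"}]})
```

Feed it the document returned by `aws s3api get-bucket-policy` for the trail bucket; a non-empty result names the grant to fix before moving on to the SQS side of the checklist.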

ryangrobbel
Explorer

Thank you! Running through the steps again helped.
