
Splunk Add-on for Amazon Web Services 1.1.1: Why are some Cloudtrail logs not being collected?

stevepraz
Path Finder

We recently configured the Splunk Add-on for Amazon Web Services to pull Cloudtrail data from our AWS account. We are running Splunk Enterprise 6.2.2 and version 1.1.1 of the add-on for AWS.

We are experiencing a weird behavior where some entries of a particular Cloudtrail log file are collected and others are not. In one source log file, 5 of 17 entries were captured. There doesn't seem to be an obvious rhyme or reason regarding the items that are missed. In this particular example, the 5 that were captured are throughout the file, not just in the beginning or end.

I don't think it's a permissions issues since they are all in the same file. I'm also not aware of any filtering setup on my input that would create this type of behavior.

1 Solution

stevepraz
Path Finder

Found the issue thanks to some previous Splunk Answers and digging in the logs.

I noticed a snippet of a message in the Splunk aws_cloudtrail.log:
"fetched 16 records, wrote 1, discarded 15, redirected 0 from s3"

Searching on that led me to this Splunk Answer:
link text

The gist is that there is a default property in inputs.conf called exclude_describe_events that prevents the AWS add-on from pulling down most "read-only" type events. It's exactly clear that this is happening if you configure the cloudtrail input via Splunk Web.

Once I changed that property to false, all the entries in the cloudtrail logs started coming through normally.
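To make the discard behaviour visible, here is an added Python example (not the add-on's own code): it applies a read-only event-name blacklist to constructed CloudTrail records and reports the counts in the form of the aws_cloudtrail.log line quoted above. The regex is an assumption standing in for the add-on's default; the records are constructed, not real log data. The dropped names are exactly the read-only API calls an analyst may need for detection, which is why the default is worth knowing about.

```python
import json
import re

# Assumed stand-in for the add-on's default read-only blacklist: CloudTrail
# eventName values starting with Describe, List or Get are discarded when
# exclude_describe_events is true. Check the add-on's inputs.conf spec for the
# exact pattern your version ships with.
DEFAULT_READONLY_PATTERN = re.compile(r"^(?:Describe|List|Get)")

# Constructed CloudTrail-style log file (not real data); only eventName matters.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventName": n, "eventSource": s} for n, s in [
        ("DescribeInstances", "ec2.amazonaws.com"),
        ("ListBuckets", "s3.amazonaws.com"),
        ("GetObject", "s3.amazonaws.com"),
        ("GetCallerIdentity", "sts.amazonaws.com"),
        ("DescribeSecurityGroups", "ec2.amazonaws.com"),
        ("ListUsers", "iam.amazonaws.com"),
        ("RunInstances", "ec2.amazonaws.com"),
        ("CreateUser", "iam.amazonaws.com"),
        ("AssumeRole", "sts.amazonaws.com"),
        ("PutBucketPolicy", "s3.amazonaws.com"),
    ]
]})


def filter_records(log_text, exclude_describe_events=True,
                   pattern=DEFAULT_READONLY_PATTERN):
    """Split a CloudTrail log file into (wrote, discarded) record lists,
    mirroring what the input does before indexing."""
    wrote, discarded = [], []
    for rec in json.loads(log_text)["Records"]:
        if exclude_describe_events and pattern.search(rec.get("eventName", "")):
            discarded.append(rec)
        else:
            wrote.append(rec)
    return wrote, discarded


def summary_line(wrote, discarded):
    """Format the counts like the aws_cloudtrail.log message; this example
    never redirects records, so that counter is always 0."""
    total = len(wrote) + len(discarded)
    return (f"fetched {total} records, wrote {len(wrote)}, "
            f"discarded {len(discarded)}, redirected 0 from s3")


def discarded_event_names(log_text):
    """Names of the events silently dropped under the default setting, so an
    analyst can check whether any of them feed existing detections."""
    _, discarded = filter_records(log_text, exclude_describe_events=True)
    return sorted(rec["eventName"] for rec in discarded)
```

Running filter_records on the same file with exclude_describe_events=False returns every record, which is the change the accepted answer describes.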


