All Apps and Add-ons

Splunk Add-on for Amazon Web Services - Nothing Showing for Data Inputs

asbetsplunk
Explorer

I have followed the instructions for setting up a standalone Splunk Enterprise server on AWS.

However, when I get to the data inputs section nothing is displaying for the SQS queues.

I took screenshots of the whole process - ran into all kinds of crazy issues:

https://www.dropbox.com/s/toy9q4h0nlfux94/Splunk.AWS.Install_Redacted.pdf

Can someone please show me where I messed up?

0 Karma

chwang_splunk
Splunk Employee
Splunk Employee

Hi, Do you have some other service to get data from the same SQS ?? Message in a SQS can only be taken one time, if multiple service subscribe messages from the same SQS, only one of them can get the data.

If you do have multiple services to consume these messages, I suggest you create separate SQS to describe data from a fixed SNS as data source and then create individual data inputs for individual SQS, not to share SQS

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

Hi again, asbetsplunk. We've released a new version of this add-on (version 2.0.0) with a lot of bugfixes. You might try running that version instead to see if the issue persists. Please let us know if you are still having problems with it!

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

Some ideas:

When you were on the CloudTrail configuration screen and it asked you if you wanted to create a new S3 bucket, try saying Yes and allowing AWS to define the correct permissions for that bucket for you automatically. There may be something missing there. If you don't want to do that, be sure to follow the AWS documentation for how to get the permissions correct here. (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.htm...)

Just checking, since you have your region redacted in your AWS console screenshots -- did you make sure the region you are using here matches the one you used in AWS?

When you try to manage settings in the inputs.conf file, please be sure to copy default/inputs.conf to local and edit there to save yourself future pain. Not relevant to your current troubleshooting, just a best practice.

Also in the conf file, it looks like you used your key ID for the aws_account parameter, but it expects the account friendly name there. Could account for the error.

Be sure to follow the documentation to add all the other parameters that you need: http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureInputs#CloudTrail_inputs The default file you were editing doesn't include them all. Note that for the queue name, it just expects the final segment of the full queue URL. For example, if your SQS queue URL is http://sqs.us-east-1.amazonaws.com/123456789012/testQueue, then your SQS queue name is testQueue.

I just re-tested the steps with a new user that I put in a new group and attached ONLY the CloudTrail policy from the documentation to that group, and it is working for me. I suspect there is something awry with your policies, probably the one on the S3 bucket.

Hope this helps!

asbetsplunk
Explorer

Thanks again for the help.

  1. Created new S3 bucket using AWS defaults, still no change in result.
  2. Region is N.Virginia - us-east-1 - confirmed that is the same.
  3. Noted about inputs.conf, thank you.
  4. I only tried CloudTrail this time but result is the same, SQS field in Splunk Data Input for CloudTrail is blank.

Would it be too much to ask to see your screenshots?

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

Perhaps you've found a bug, or perhaps you are still encountering a permissions issue in AWS, somehow. Let's try to eliminate the latter.

Try creating a local/inputs.conf with your CloudTrail input information.

First, in Splunk Web, go back to the setup page and set CloudTrail logging to DEBUG.

Then, create your local/inputs.conf file:

[aws_cloudtrail://somename]
aws_account = the friendly name of your aws account
aws_region = us-east-1
sqs_queue = the last segment of the full queue url

Save the file, then restart Splunk Enterprise.

Search for sourcetype=aws:cloudtrail

If you don't see events, search index = _internal source=aws and look for interesting errors.

More troubleshooting tips here:
http://docs.splunk.com/Documentation/AddOns/latest/Overview/Troubleshootadd-ons

rpille_splunk
Splunk Employee
Splunk Employee

Hi there,

I see you created all the policies in your AWS console, but when you created the user account, did you attach those policies to it? There are various ways you can accomplish this in AWS. A simple way to do it is to create a Group and then attach all the policies to that group, then put your Splunk user in that group.

Hope that helps!

asbetsplunk
Explorer

Thank you very much for the reply but unfortunately no luck. I can't believe that I forgot to add the policies to the account though!

Anyway, I gave it another try - here are screenshots of the steps:

https://www.dropbox.com/s/0sn6907y9isbjmr/splunk.aws.troubleshooting_Redacted.pdf

I also tried some things at the command line like manually adding the AWS ID but no change.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...