Splunk_TA_aws getting AccessDeniedException and Throttling Exception errors

bishtk
Communicator

Getting the two errors below in Splunk_TA_aws. Could you please respond if anyone has faced the same issue and/or has got a resolution?

1) AccessDeniedException:
2018-07-24 01:44:29,520 level=ERROR pid=6376 tid=Thread-11 logger=splunk_ta_aws.modinputs.inspector.aws_inspector_data_loader pos=aws_inspector_data_loader.py:call:304 | | message="Failed to collect inspector findings for region=-east-1, datainput=-inspector, error=Traceback (most recent call last):
File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\splunk_ta_aws\modinputs\inspector\aws_inspector_data_loader.py", line 299, in call
self._do_indexing()
File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\splunk_ta_aws\modinputs\inspector\aws_inspector_data_loader.py", line 280, in _do_indexing
AWSInspectorAssessmentRunsDataLoader(self._config, self._cli, account_id).run()
File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\splunk_ta_aws\modinputs\inspector\aws_inspector_data_loader.py", line 41, in run
self._schedule()
File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\splunk_ta_aws\modinputs\inspector\aws_inspector_data_loader.py", line 56, in _schedule
arns = self._list_completed_runs_in_time_window(begin, end)
File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\splunk_ta_aws\modinputs\inspector\aws_inspector_data_loader.py", line 124, in _list_completed_runs_in_time_window
response = self._cli.list_assessment_runs(
params)
File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\3rdparty\botocore\client.py", line 324, in _api_call
return self._make_api_call(operation_name, kwargs)
File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\3rdparty\botocore\client.py", line 622, in _make_api_call
raise error_class(parsed_response, operation_name)
AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListAssessmentRuns operation: User: arn:aws:iam::413816976474:user/**_splunk is not authorized to perform: inspector:ListAssessmentRuns
"

2) Throttling Exception:
2018-07-20 12:12:03,828 level=ERROR pid=6572 tid=Thread-12 logger=splunk_ta_aws.modinputs.cloudwatch_logs.aws_cloudwatch_logs_data_loader pos=aws_cloudwatch_logs_data_loader.py:describe_cloudwatch_log_streams:73 | | message="Failure in describing cloudwatch logs streams due to throttling exception for log_group=vpc-flow, sleep=3.99032054509, reason=Traceback (most recent call last): File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\splunk_ta_aws\modinputs\cloudwatch_logs\aws_cloudwatch_logs_data_loader.py", line 63, in describe_cloudwatch_log_streams group_name, next_token=buf["nextToken"]) File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\3rdparty\boto\logs\layer1.py", line 308, in describe_log_streams body=json.dumps(params)) File "D:\Program Files\Splunk\etc\apps\Splunk_TA_aws\bin\3rdparty\boto\logs\layer1.py", line 576, in make_request body=json_body) JSONResponseError: JSONResponseError: 400 Bad Request {u'__type': u'ThrottlingException', u'message': u'Rate exceeded'}

-Thanks

0 Karma

gjanders
SplunkTrust

The rate limiting is the reason why I switched a previous environment to AWS Firehose, as per the blog post "Ready, Set, Stream with the Kinesis Firehose and Splunk Integration", or refer to the Kinesis Firehose add-on documentation.

The permissions will likely be AWS related and unfortunately not the easiest thing to get right. I found using the push method much easier, and it resulted in no rate limiting, which was not avoidable in my previous environment.

0 Karma
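Added example, not part of the original thread or of the add-on's code: a small Python triage script that reads Splunk_TA_aws error lines like the two in the question, collects the IAM actions each principal was denied, and lists the log groups that hit throttling. The sample log lines, account id, user name, the second action and the function names `triage` and `policy_for` are constructed for illustration; `"Resource": "*"` is an assumption to be narrowed where the service supports resource-level permissions.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines modelled on the two errors in the question.
# Account id, user name and the second action are placeholders.
SAMPLE_LOG = """\
2018-07-24 01:44:29,520 level=ERROR message="... AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListAssessmentRuns operation: User: arn:aws:iam::111122223333:user/example_splunk is not authorized to perform: inspector:ListAssessmentRuns
2018-07-24 01:49:29,611 level=ERROR message="... User: arn:aws:iam::111122223333:user/example_splunk is not authorized to perform: inspector:ListAssessmentRuns
2018-07-24 01:50:02,104 level=ERROR message="... User: arn:aws:iam::111122223333:user/example_splunk is not authorized to perform: inspector:ListFindings
2018-07-20 12:12:03,828 level=ERROR message="Failure in describing cloudwatch logs streams due to throttling exception for log_group=vpc-flow, sleep=3.99, reason=..."
2018-07-20 12:12:09,913 level=ERROR message="Failure in describing cloudwatch logs streams due to throttling exception for log_group=vpc-flow, sleep=7.5, reason=..."
"""

# Wording of the botocore AccessDeniedException message shown in the question.
DENIED = re.compile(
    r"User: (?P<principal>arn:aws:iam::\d{12}:\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)")
# Wording of the add-on's CloudWatch Logs throttling message shown in the question.
THROTTLED = re.compile(
    r"throttling exception for log_group=(?P<group>[^,\s]+), sleep=(?P<sleep>[\d.]+)")


def triage(log_text):
    """Return ({principal: {denied actions}}, {log_group: [backoff seconds]})."""
    denied, throttled = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            denied[m["principal"]].add(m["action"])  # set de-duplicates repeats
        m = THROTTLED.search(line)
        if m:
            throttled[m["group"]].append(float(m["sleep"]))
    return dict(denied), dict(throttled)


def policy_for(actions):
    """Build an IAM policy document granting only the denied actions.
    Resource "*" is an assumption; scope it down where the service allows."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(actions),
                           "Resource": "*"}]}


if __name__ == "__main__":
    denied, throttled = triage(SAMPLE_LOG)
    for principal, actions in denied.items():
        print(principal, json.dumps(policy_for(actions), indent=2))
    for group, sleeps in throttled.items():
        print(f"{group}: throttled {len(sleeps)}x, max backoff {max(sleeps)}s")
```

Review the generated statement before attaching it to the collection user, so the policy grows only by the actions the inputs were actually denied.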