Using SQS based S3 in a private VPC

erocky
New Member

We'd like to use the SQS based S3 method in the Splunk Add-on for AWS, but have trouble connecting to the endpoint. From my experience it only tries to connect to the legacy URL, which is not supported with the SQS endpoint:

"Private DNS doesn't support legacy endpoints such as queue.amazonaws.com or us-east-2.queue.amazonaws.com." source 

Legacy URL: REGION.queue.amazonaws.com 
New URL: sqs.REGION.amazonaws.com.

I was able to create a Band-Aid fix by adding the legacy URL to /etc/hosts with the new URL's IP, but that's a fragile solution and doesn't support multiple AZs.  

In testing this I found that the AWS CLI supports redirecting through the use of a --endpoint-url argument:

aws sqs receive-message --endpoint-url https://REGION.amazonaws.com/ --queue-url https://sqs.REGION.amazonaws.com/ACCT#/QUEUENAME

It also looks like S3 might support setting a host_name value in the inputs.conf file to allow it to connect to a different endpoint. 

Is there a method for setting the endpoint URL for SQS?

Thank you,

Erocky

livehybrid
SplunkTrust

When you've added your SQS input it should set the sqs_queue_url field, something like:

[aws_sqs_based_s3://YourInputName]
aws_account = loader
aws_iam_role = audit_cloudtrail
index = my_index
interval = 300
s3_file_decoder = ELBAccessLogs
sourcetype = aws:elb:accesslogs
sqs_batch_size = 10
sqs_queue_region = eu-west-2
sqs_queue_url = https://eu-west-2.queue.amazonaws.com/<yourAccountID>/<yourSQSQueue>

You should then be able to update the queue URL to

sqs_queue_url = https://sqs.REGION.amazonaws.com/<YourAccountID>/<YourQueueName>
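
An added example, not part of either post and not code from the Splunk Add-on for AWS: a Python sketch that scans inputs.conf text for aws_sqs_based_s3 stanzas whose sqs_queue_url still uses a legacy host and rewrites it to the sqs.REGION.amazonaws.com form described above. The sample config, account ID and queue names are constructed, and taking the region for a bare queue.amazonaws.com host from sqs_queue_region is an assumption of this example.

```python
import re

# Legacy SQS hosts: "REGION.queue.amazonaws.com" or bare "queue.amazonaws.com".
LEGACY = re.compile(r"^https://(?:(?P<region>[a-z0-9-]+)\.)?queue\.amazonaws\.com(?P<path>/.*)$")
# Constructed sample inputs.conf; account ID and queue names are made up.
SAMPLE = """\
[aws_sqs_based_s3://elb_legacy]
sqs_queue_region = eu-west-2
sqs_queue_url = https://eu-west-2.queue.amazonaws.com/123456789012/elb-logs

[aws_sqs_based_s3://bare_legacy]
sqs_queue_url = https://queue.amazonaws.com/123456789012/trail-logs
sqs_queue_region = us-east-1

[aws_sqs_based_s3://already_new]
sqs_queue_url = https://sqs.eu-west-2.amazonaws.com/123456789012/elb-logs
"""

def _settings(lines):
    """Yield (line_index, stanza, key, value) for every key = value line."""
    stanza = ""
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            stanza = s[1:-1]
        elif "=" in s and not s.startswith("#"):
            key, value = (p.strip() for p in s.split("=", 1))
            yield i, stanza, key, value

def modernize_queue_urls(conf_text):
    """Rewrite legacy sqs_queue_url values; return (new_text, changes)."""
    lines = conf_text.splitlines()
    rows = [r for r in _settings(lines) if r[1].startswith("aws_sqs_based_s3://")]
    # Assumption: a bare legacy host takes its region from sqs_queue_region.
    regions = {st: v for _, st, k, v in rows if k == "sqs_queue_region"}
    changes = []
    for i, st, k, v in rows:
        m = LEGACY.match(v) if k == "sqs_queue_url" else None
        if not m:
            continue
        region = m.group("region") or regions.get(st)
        new = f"https://sqs.{region}.amazonaws.com{m.group('path')}" if region else None
        if new:
            lines[i] = f"sqs_queue_url = {new}"
        changes.append((st, v, new))  # new is None when no region is known
    return "\n".join(lines) + "\n", changes

if __name__ == "__main__":
    for stanza, old, new in modernize_queue_urls(SAMPLE)[1]:
        print(f"{stanza}: {old} -> {new or 'NO REGION, fix by hand'}")
```

Stanzas reported with no replacement URL are left unchanged and need their region set by hand.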