Thanks in advance for any responses...
Scenario: I have a Heavy Forwarder installed in my AWS environment sending my data to Splunk Cloud... works fine for any servers in AWS with a UF sending to the HF and then to cloud.
We have two accounts:
AccountA has a read-only access right assigned for an audit role across all services, and has read-only access to an S3 storage bucket containing all logs... The AWS forwarder is an EC2 instance under this account.
We created a user in AccountA with cross-account assume permission that will enable it to assume a role in AccountB with full read-only access to the S3 bucket, but we get errors...
AccountB has a logging archive role and read-only access to an S3 bucket where all logs from all services are written to the S3 bucket.
What is the best way to configure the add-on to pull the logs from this S3 bucket?
There are so many input options, but we tried S3 Inputs/Access Logs/Generic S3 with the account and role...
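
Added example, not part of the original post and not Splunk add-on code: an offline check of the three policy documents that the setup described above depends on (the AccountA user's permission to assume the role, the AccountB role's trust policy, and the role's S3 read permissions). All account IDs, ARNs, names and policy contents are constructed placeholders, and the matcher is simplified (no Deny or Condition handling).

```python
from fnmatch import fnmatchcase

# Constructed placeholders: account IDs, user, role and bucket names are not from the post.
USER_ARN = "arn:aws:iam::111111111111:user/splunk-hf"         # AccountA
ROLE_ARN = "arn:aws:iam::222222222222:role/log-archive-read"  # AccountB
BUCKET_ARN = "arn:aws:s3:::example-log-archive"

def as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if some Allow statement matches; Deny and Condition are not modelled."""
    for s in as_list(policy["Statement"]):
        if (s.get("Effect") == "Allow"
                and any(fnmatchcase(action.lower(), a.lower()) for a in as_list(s.get("Action", [])))
                and any(fnmatchcase(resource, r) for r in as_list(s.get("Resource", [])))):
            return True
    return False

def trusts(trust_policy, caller_arn):
    """True if the role trust policy names the caller, its account root, or its account ID."""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, f"arn:aws:iam::{account}:root", account}
    for s in as_list(trust_policy["Statement"]):
        principal = s.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(s.get("Action", []))
                and accepted & set(aws)):
            return True
    return False

def find_gaps(user_policy, trust_policy, role_policy):
    """Return which links of the cross-account chain are missing (empty list = complete)."""
    checks = [
        (allows(user_policy, "sts:AssumeRole", ROLE_ARN), "AccountA user may not call sts:AssumeRole on the role"),
        (trusts(trust_policy, USER_ARN), "AccountB role trust policy does not trust the AccountA user"),
        (allows(role_policy, "s3:ListBucket", BUCKET_ARN), "role lacks s3:ListBucket on the bucket"),
        (allows(role_policy, "s3:GetObject", BUCKET_ARN + "/*"), "role lacks s3:GetObject on bucket objects"),
    ]
    return [msg for ok, msg in checks if not ok]

def stmt(**kw):
    return {"Version": "2012-10-17", "Statement": [dict(Effect="Allow", **kw)]}

USER_POLICY = stmt(Action="sts:AssumeRole", Resource=ROLE_ARN)
TRUST_POLICY = stmt(Action="sts:AssumeRole", Principal={"AWS": "arn:aws:iam::111111111111:root"})
# Constructed mistake: read actions granted on the bucket ARN only, not on its objects.
ROLE_POLICY = stmt(Action=["s3:ListBucket", "s3:GetObject"], Resource=BUCKET_ARN)
if __name__ == "__main__": print(find_gaps(USER_POLICY, TRUST_POLICY, ROLE_POLICY))
```

Paste the real policy JSON in place of the three sample documents; any entry `find_gaps` returns is a link in the chain to fix before configuring the add-on input.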