I tried to configure CloudTrail SQS Based S3 and I got the following message:
"Warning: This message does not have a valid SNS Signature None None doesn't match required format '^https://sns\\.[-a-z0-9]+\\.amazonaws\\.com(?:\\.cn)?/'"
Sometimes I also get:
"Failed to delete message"
I have no clue where to look in order to solve this issue. I will appreciate any help!
Haven't looked into this too much, but I'm guessing it is related to the updates in version 5.2.1:
Version 5.2.1 of the Splunk Add-on for AWS version contains the following new and changed features:
The setup docs for the CloudTrail input state S3->SNS->SQS now. I don't think this was the case before, but I don't have a copy of the old docs to check.
It looks like it is using this plugin to validate. https://pypi.org/project/validate-aws-sns-message/ Note, it "Requires message be no older than one hour, the maximum lifetime of an SNS message."
Splunk, it would be much better if this was an optional feature, as it breaks our infrastructure, especially bad since this is a PATCH update, not MAJOR.
Same issue for ALB access log collection using the SQS based S3 input after upgrading to 5.2.1. Not only is this not indexing the S3 logs, but it's also deleting the SQS messages so it's not appropriately handling the error.
Having the same issues in the cloud. Was upgraded to 5.2.1 last night and all inputs are doing the exact same thing.
Pulling data from the Que, warning, not indexing and the Que are cleared.