Getting Data In

AWS Landing Zone - Centralize logging - how are others ingesting?

t9445
Path Finder

Hello, hoping others may have run into this and figured out best-practice (or best-way...)

We are implementing an AWS Landing Zone, and the centralized logging for all accounts/sourcetypes/etc. all goes to one S3 location, as opposed to ingesting from various sources (S3 buckets, CloudWatch, ...) - e.g. 'Splunk App for AWS'

What we are wondering is how others using an AWS Landing Zone are ingesting with Splunk?
e.g. At first glimpse we will have to do a lot of props/transforms to get the data broken out as it should be in Splunk if we simply ingest the S3 (as S3 or Kinesis Firehose, etc.) -- props/transforms to break out the details: e.g. Account=012345, sourcetype=cloudtrail, zone=us-east-1, etc.

Is there a best/better way that folks are using for splunk-ingesting the centralized logging in the "AWS Landing Zone" ?

Any pointers appreciated (Splunk App for AWS would be kludgy for this from what we can tell, since multiple sourcetypes/accounts etc in the same-data-feed/broken-out into multiple data-feeds)

thanks

-tom


johnansett
Communicator

Hey Tom, wondering where you ended up with this. We are going the same route and looking at the following:

1) Log all applicable events to central S3 bucket

2) Lambda function to split into multiple queues

3) Props/transforms to send to specific indexes (required for each account)


This was posted after your original post, but might be of some use depending on where you are with the deployment:

https://www.splunk.com/en_us/blog/cloud/making-the-collection-of-centralised-s3-logs-into-splunk-eas...

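The breakout Tom describes (account, sourcetype, region from the S3 path) and step 2 of the approach above (a Lambda that splits the central bucket's notifications into per-feed queues) are the same parsing problem. The following is an added example, not code from the thread or from Splunk: a Lambda-style handler that reads S3 object-created notifications, derives account/region/sourcetype from the object key, and re-emits each notification to a per-account, per-sourcetype SQS queue so that each Splunk SQS-based S3 input only ever sees one sourcetype and one account (no props/transforms needed to split feeds). It assumes the documented `AWSLogs/<account>/<service>/<region>/...` prefix that CloudTrail, VPC flow logs and AWS Config write (with the organisation-trail variant `AWSLogs/<org-id>/<account>/...`); the queue naming scheme, the `SAMPLE_EVENT` and the hypothetical `sqs_send` helper are constructed for the example.

```python
"""Split S3 object-created notifications from a centralised landing-zone log
bucket into per-account / per-sourcetype SQS queues.

Example code, not from the thread. Assumes the standard AWS log delivery
layout AWSLogs/<account>/<service>/<region>/... ; queue names are constructed.
"""
import json
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote_plus

# Standard AWS log delivery prefix. The optional "o-xxxx" segment is the
# organisation id that organisation trails insert before the account id.
# Region pattern allows multi-segment names such as us-gov-west-1.
KEY_RE = re.compile(
    r"^AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/"
    r"(?P<service>[^/]+)/(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/"
)

# Service segment of the key -> Splunk sourcetype. Anything not listed here
# (e.g. CloudTrail-Digest files) is sent to a catch-all queue rather than
# silently dropped, so unexpected data is visible in Splunk.
SERVICE_TO_SOURCETYPE = {
    "CloudTrail": "aws:cloudtrail",
    "vpcflowlogs": "aws:cloudwatchlogs:vpcflow",
    "Config": "aws:config",
}
UNROUTED_QUEUE = "splunk-unrouted"  # constructed name


def parse_key(key: str) -> Optional[Dict[str, str]]:
    """Break an object key into account / region / sourcetype, or None."""
    # S3 event notifications URL-encode the key (space -> '+'), so decode first.
    m = KEY_RE.match(unquote_plus(key))
    if not m:
        return None
    sourcetype = SERVICE_TO_SOURCETYPE.get(m["service"])
    if sourcetype is None:
        return None
    return {"account": m["account"], "region": m["region"], "sourcetype": sourcetype}


def queue_for(meta: Dict[str, str]) -> str:
    """Constructed naming scheme: splunk-<account>-<sourcetype with ':'->'-'>."""
    return f"splunk-{meta['account']}-{meta['sourcetype'].replace(':', '-')}"


def route_event(event: dict, send: Callable[[str, dict], None]) -> List[Dict]:
    """Route every record of an S3 notification; returns what was sent."""
    routed = []
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = rec["s3"]["object"]["key"]
        meta = parse_key(key)
        queue = queue_for(meta) if meta else UNROUTED_QUEUE
        # Re-emit a minimal notification: the Splunk input fetches the object
        # itself; account/region/sourcetype ride along for the index routing.
        msg = {"bucket": bucket, "key": unquote_plus(key), **(meta or {})}
        send(queue, msg)
        routed.append({"queue": queue, **msg})
    return routed


def sqs_send(queue_url_by_name: Dict[str, str]) -> Callable[[str, dict], None]:
    """Hypothetical real sender for use inside Lambda (boto3 imported lazily)."""
    import boto3  # only available in the Lambda runtime

    sqs = boto3.client("sqs")

    def _send(queue: str, msg: dict) -> None:
        sqs.send_message(QueueUrl=queue_url_by_name[queue], MessageBody=json.dumps(msg))

    return _send


def _record(bucket: str, key: str) -> dict:
    return {"s3": {"bucket": {"name": bucket}, "object": {"key": key}}}


# Constructed sample notification: two CloudTrail files (one via an org
# trail), one VPC flow log file, and one object outside the expected layout.
SAMPLE_EVENT = {"Records": [
    _record("lz-central-logs", "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/15/"
            "123456789012_CloudTrail_us-east-1_20240115T0000Z_abc.json.gz"),
    _record("lz-central-logs", "AWSLogs/o-abc123/210987654321/CloudTrail/eu-west-1/"
            "2024/01/15/210987654321_CloudTrail_eu-west-1_20240115T0000Z_def.json.gz"),
    _record("lz-central-logs", "AWSLogs/123456789012/vpcflowlogs/us-east-1/2024/01/15/"
            "123456789012_vpcflowlogs_us-east-1_fl-0abc_20240115T0000Z_ghi.log.gz"),
    _record("lz-central-logs", "misc/readme+notes.txt"),
]}


def lambda_handler(event: dict, context: object) -> dict:
    """Lambda entry point; QUEUE_URLS would come from environment config."""
    import os
    queue_urls = json.loads(os.environ.get("QUEUE_URLS", "{}"))
    return {"routed": len(route_event(event, sqs_send(queue_urls)))}


if __name__ == "__main__":
    for r in route_event(SAMPLE_EVENT, lambda q, m: None):
        print(r["queue"], "<-", r["key"])
```

Each target queue then backs one Splunk SQS-based S3 input with a fixed sourcetype and index, so the only per-account work left is creating the queue and the input; the catch-all queue is worth monitoring, because anything landing there is a layout you did not anticipate.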

mtranchita
Communicator

My organization uses this model; logs from multiple AWS accounts are centralized into a single AWS account purpose-built for aggregation. I've found using the Splunk App for AWS to be relatively simple to implement. The key was understanding, and making use of, prefixes and multiple buckets. YMMV, but I would suggest testing things.
Hope that helps...

dbot2001
Path Finder

Are you using AWS Cloudwatch agent to forward application logs to the centralized location?
