Solved: CloudTrail data not showing in Splunk

alanwill · ‎12-02-2013

I'm using Splunk 6 with the Splunk for AWS app and trying to configure it to show CloudTrail data. I've created the SNS topic and SQS queue and can see messages in the queue but nothing is coming over to the Splunk index. The CloudTrail Log input is created, the keys are for an IAM user that has full describe access on the entire account, and I've tried entering the queue name both as the canonical name and the full arn.

Any idea what I'm missing or why this still isn't working?

Thanks,
alan

nkhetia · ‎12-02-2013

This issue has been resolved. IAM user didn't have enough permission to fetch data.

Allan, Could you resolve this question ?

thanks
Nilesh

View solution in original post

alanwill · ‎12-02-2013

Yes, it's resolved now. I was also able to figure out a more limiting ACL for the access keys rather than the Power User policy. You can limit access to just the queue created in SQS as follows:

{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":"sqs:*",
"Resource":"arn:aws:sqs:us-east-1::"
}
]

}

nkhetia · ‎12-02-2013

This issue has been resolved. IAM user didn't have enough permission to fetch data.

Allan, Could you resolve this question ?

thanks
Nilesh

CloudTrail data not showing in Splunk

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

CloudTrail data not showing in Splunk

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey