Solved: CloudTrail data not showing in Splunk

alanwill · ‎12-02-2013

I'm using Splunk 6 with the Splunk for AWS app and trying to configure it to show CloudTrail data. I've created the SNS topic and SQS queue and can see messages in the queue but nothing is coming over to the Splunk index. The CloudTrail Log input is created, the keys are for an IAM user that has full describe access on the entire account, and I've tried entering the queue name both as the canonical name and the full arn.

Any idea what I'm missing or why this still isn't working?

Thanks,
alan

nkhetia · ‎12-02-2013

This issue has been resolved. IAM user didn't have enough permission to fetch data.

Allan, Could you resolve this question ?

thanks
Nilesh

View solution in original post

alanwill · ‎12-02-2013

Yes, it's resolved now. I was also able to figure out a more limiting ACL for the access keys rather than the Power User policy. You can limit access to just the queue created in SQS as follows:

{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":"sqs:*",
"Resource":"arn:aws:sqs:us-east-1::"
}
]

}

nkhetia · ‎12-02-2013

This issue has been resolved. IAM user didn't have enough permission to fetch data.

Allan, Could you resolve this question ?

thanks
Nilesh

CloudTrail data not showing in Splunk

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

CloudTrail data not showing in Splunk

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience