Getting Data In

Granular AWS CT Account Logging using Log Prefix within Splunk TA for AWS

cfloquet
Path Finder

Hello, 

I realize this is a rather specific request so I'll keep it short and simple to see if anyone has had previous experience or any creative resolutions to this issue. 

I have successfully configured an AWS IAM role and user within a dedicated account on our AWS environment, where cloudtrail logs are sent to and kept in cold storage in the form of an s3 bucket. 

I have also successfully configured an incremental S3 input  which I've tested as working, but currently the volume of cloudtrail data from our AWS accounts exceeds that which we are licensed for in Splunk. 

I'm hoping there's some way within the Log Prefix field to basically choose what accounts/directory paths you want to monitor within the dedicated S3 bucket so I can only monitor the accounts I want without ingesting data from all other accounts. 

I'm sure this can be done in the form of an SQS queue on the AWS side of things, but before going that far I'm wondering what can be done given the access and configurations I've already made and obtained. 

Thanks in advance!

Labels (3)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...