Getting Data In

SQS-Based-S3 Input for Cloudtrail black list events

pstephens93
Explorer

I'm currently using SQS Based s3 input for cloudtrail and I'm trying to drop nosey events such as GET and LIST.
The documentation says the standard input supports exclude_describe_events and blacklist to filter out unwanted events which I set but after further looking into it it seems that a props/transform is needed. 

 

I have configured the following in props and transforms

props.conf 
[aws:cloudtrail]
TRANSFORMS-filter = eventsDrop

transforms.conf
#Filters out events that are not needed

[eventsDrop]
REGEX = "^Describe|Get|List\p{Lu}|LookupEvents"
DEST_KEY = queue
FORMAT = nullQueue                  

 

I tested the regex and it matches events but the events are not being dropped as expected. This is on a HF as that collects the logs before going into indexers 

Labels (3)
0 Karma

dwhitehead
New Member

I tried the same thing and found the same issue. I think the blacklist config is only compatible with the cloudtrail input NOT the sqs_based_s3 input. Really unfortunate as I wanted to switch to role based cloudtrail logging rather than aws account. Please put this on your bug litst Splunk.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...