I'm currently trying to send AWS GuardDuty logs to Splunk and am hoping someone here can help.
I'm using a method I've seen documented several places online:
I have completed the above and tried several variations, but no luck.
Any troubleshooting steps, alternative ways to accomplish this goal, or guides I have not found would be greatly appreciated. I would post the links to the resources I have found so far, but given a low "karma" count on this site, I am told my link would not publish in the final post.
Another interesting blog that guide to ingest 'AWS GuardDuty' data into Splunk
This solution uses:
Follow the steps mentioned in this blog for getting Guardduty logs to Splunk :
The initial setup described in my opening post is correct, but the Lambda script needs to contain the following:
1) Correct VPC
2) Correct Subnet
3) Correct Security Group
4) Correct Role
Without these, the Lambda script will not be able to access a non-default VPC, and the Lambda script will continuously timeout (the error I was originally receiving).
Also, this can be done with an AWS Kinesis stream, though I have not set this up myself: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...
This Kinesis Stream resolution may be required moving forward if Splunk does not update their blue-print for the AWS Lambda script. As of April 30, 2019, node.js v6.10 will be EOL in AWS and therefore the blueprint will be unavailable after this point.
Finally, the GuardDuty Add-on for Splunk should be installed to correctly parse the data that is ingested into Splunk.
Feel free to reach out if any questions on this.