Splunk Enterprise Security

How do I send AWS GuardDuty Logs to Splunk?

Path Finder

Hello all,

I'm currently trying to send AWS GuardDuty logs to Splunk and am hoping someone here can help.

I'm using a method I've seen documented several places online:

  1. Create an AWS CloudWatch Rule specifying AWS GuardDuty traffic.
  2. Create a Lambda Function using the "splunk-logging" blueprint. Specify the desired sourcetype within the Node.js code for this to function properly.
  3. Add the Lambda Function trigger to the CloudWatch Rule from Step 1.
  4. Create a Splunk HTTP Event Collector and copy the HEC Token.
  5. Enter the HEC Token and HEC URL to the Lambda Function so the logs are pointed to the correct resource (Splunk server).

I have completed the above and tried several variations, but no luck.

Any troubleshooting steps, alternative ways to accomplish this goal, or guides I have not found would be greatly appreciated. I would post the links to the resources I have found so far, but given a low "karma" count on this site, I am told my link would not publish in the final post.

Thank you.

0 Karma


Another interesting blog that guides you through ingesting 'AWS GuardDuty' data into Splunk

This solution uses:

  1. AWS Serverless Application
  2. AWS Kinesis stream
  3. Splunk GuardDuty Add-on
  4. Splunk HTTP Event Collector

0 Karma

Path Finder

Follow the steps mentioned in this blog for getting GuardDuty logs to Splunk:


0 Karma

Path Finder


The initial setup described in my opening post is correct, but the Lambda script needs to contain the following:

1) Correct VPC
2) Correct Subnet
3) Correct Security Group
4) Correct Role

Without these, the Lambda script will not be able to access a non-default VPC, and the Lambda script will continuously time out (the error I was originally receiving).

Also, this can be done with an AWS Kinesis stream, though I have not set this up myself: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...

This Kinesis Stream resolution may be required moving forward if Splunk does not update their blueprint for the AWS Lambda script. As of April 30, 2019, Node.js v6.10 will be EOL in AWS and therefore the blueprint will be unavailable after this point.

Finally, the GuardDuty Add-on for Splunk should be installed to correctly parse the data that is ingested into Splunk.

Feel free to reach out with any questions on this.

0 Karma