Splunk Enterprise

Unable to parse message

taka
Observer

I used the Splunk Add-on for AWS to send log files stored in S3 to SQS using S3 event notifications, and configured Splunk to read the log files from SQS.

However, I got an error saying that the S3 test message that is always sent first by S3 event notifications could not be parsed.

Splunk on EC2 is given KMS decryption privileges as shown below.

{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": [
        "sqs:*",
        "s3:*",
        "kms:Decrypt"
    ],
    "Resource": [
        "arn:aws:sqs:ap-northeast-1:*************:poc-splunk-vpcflowlog*",
        "arn:aws:s3:::poc-splunk-vpcflowlog",
        "arn:aws:s3:::poc-splunk-vpcflowlog/*"
    ]
}

What could be the cause?
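Added example (not part of the original post and not the Splunk Add-on for AWS's own code): when an S3 event notification destination is saved, S3 publishes a single `s3:TestEvent` message to the queue that has no `Records` array, so a consumer written only for ObjectCreated records cannot parse it. The script below shows how a queue consumer can tell the test event apart from real notifications, URL-decode the object key, and decide which receipt handles to delete. It goes beyond the poster's direct S3-to-SQS setup by also unwrapping the SNS envelope used when notifications are routed S3 -> SNS -> SQS. All message bodies, bucket and queue names, the account ID 123456789012 and the receipt handles are constructed for the example; `classify_message` and `triage_batch` are illustrative names, not add-on functions.

```python
from __future__ import annotations

import json
from urllib.parse import unquote_plus

# All messages below are constructed for this example, not captured from the
# poster's queue. Account ID 123456789012 is the AWS documentation example.

# 1) The one-off message S3 publishes when a notification configuration is
#    saved. It has no "Records" array, so a consumer that expects only
#    ObjectCreated records reports it as unparseable.
S3_TEST_EVENT = json.dumps({
    "Service": "Amazon S3",
    "Event": "s3:TestEvent",
    "Time": "2024-04-12T00:58:09.000Z",
    "Bucket": "poc-splunk-vpcflowlog",
})

# 2) A real ObjectCreated notification, trimmed to the fields a log puller
#    uses. Object keys arrive URL-encoded ("+" is a space in the key).
S3_OBJECT_CREATED = json.dumps({"Records": [{
    "eventVersion": "2.1",
    "eventSource": "aws:s3",
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "poc-splunk-vpcflowlog"},
           "object": {"key": "AWSLogs/123456789012/vpcflowlogs/flow+sample.log.gz", "size": 1234}},
}]})

# 3) The same notification routed S3 -> SNS -> SQS: the S3 JSON is a string
#    inside the SNS envelope's "Message" field.
SNS_WRAPPED = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:ap-northeast-1:123456789012:poc-splunk-topic",
    "Message": S3_OBJECT_CREATED,
})


def classify_message(body: str) -> tuple[str, list[dict[str, str]]]:
    """Return (kind, objects): kind is "test_event", "records" or "unparseable";
    objects lists {"bucket", "key"} for each ObjectCreated:* record, key decoded."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "unparseable", []
    # Unwrap an SNS envelope; a direct S3 -> SQS message has none.
    if isinstance(payload, dict) and payload.get("Type") == "Notification" and "Message" in payload:
        try:
            payload = json.loads(payload["Message"])
        except (TypeError, json.JSONDecodeError):
            return "unparseable", []
    if not isinstance(payload, dict):
        return "unparseable", []
    if payload.get("Event") == "s3:TestEvent":
        return "test_event", []
    records = payload.get("Records")
    if not isinstance(records, list):
        return "unparseable", []
    objects = []
    for rec in records:
        if not isinstance(rec, dict) or rec.get("eventSource") != "aws:s3":
            continue
        if not str(rec.get("eventName", "")).startswith("ObjectCreated:"):
            continue  # skip ObjectRemoved and other event types
        s3 = rec.get("s3", {})
        objects.append({"bucket": s3.get("bucket", {}).get("name", ""),
                        "key": unquote_plus(s3.get("object", {}).get("key", ""))})
    return "records", objects


def triage_batch(messages: list[dict[str, str]]) -> tuple[list[dict[str, str]], list[str], list[str]]:
    """Split one ReceiveMessage batch into (objects to fetch, receipt handles to
    delete, receipt handles to leave queued). The test event carries no object and
    is deleted immediately: left in place it is re-delivered after every visibility
    timeout and re-triggers the parse error. Bodies that are still unparseable are
    left for the queue's redrive policy (dead-letter queue), not dropped silently."""
    to_fetch, to_delete, to_keep = [], [], []
    for msg in messages:
        kind, objects = classify_message(msg["Body"])
        if kind == "unparseable":
            to_keep.append(msg["ReceiptHandle"])
            continue
        to_fetch.extend(objects)
        to_delete.append(msg["ReceiptHandle"])
    return to_fetch, to_delete, to_keep


# Constructed batch in the shape boto3's sqs.receive_message returns it.
SAMPLE_BATCH = [
    {"ReceiptHandle": "rh-1", "Body": S3_TEST_EVENT},
    {"ReceiptHandle": "rh-2", "Body": S3_OBJECT_CREATED},
    {"ReceiptHandle": "rh-3", "Body": SNS_WRAPPED},
    {"ReceiptHandle": "rh-4", "Body": "this is not JSON"},
]
```

Against a live queue, the `Messages` list returned by boto3's `sqs.receive_message(QueueUrl=..., MaxNumberOfMessages=10)` can be passed straight to `triage_batch`, and the returned delete handles go to `delete_message_batch`. Deleting the test event is the point: it is expected exactly once per saved notification configuration, and acknowledging it is what stops it from cycling back through the consumer.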
