Hi
We are having an issue with the AWS App regarding it not displaying CloudTrail info, e.g. (VPC Flow Logs - Security).
The AWS Add-on is receiving data from AWS, i.e. if I search index=aws-cloudwatchlogs
I get results returned of the form:
"2 968645151068 eni-5e026f04 10.68.23.116 10.68.3.220 389 53532 6 7 486 1456224314 1456224370 ACCEPT OK
host = ourhost.com source = eu-west-1:FlowLogs/vpc-xxxxxxx:eni-5e026f04-all sourcetype = aws:cloudwatchlogs:vpcflow"
The splunkd.log indicates repeated WARN entries of the form:
02-23-2016 10:36:56.156 +0000 WARN DateParserVerbose - A possible timestamp match (Mon Sep 11 04:05:51 2000) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::eu-west-1:FlowLogs/vpc-xxxxxxx:eni-0ba23051-all|host::ourhost.com|aws:cloudwatchlogs:vpcflow|
Other AWS input is being received correctly, e.g. Billing, Description, Config.
The datetime in the error message (Mon Sep 11 04:05:51 2000) correlates to our account number (the account id is embedded in one of the raw fields; checked using this: http://www.onlineconversion.com/unix_time.htm).
Any ideas as to what is going wrong / where to look would be appreciated.
Thanks
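The following is an added example, not code from the original post or from the Splunk AWS Add-on. It parses the quoted VPC Flow Log record (version 2, 14 space-separated fields in the order AWS documents) and contrasts the record's real start/end fields with what a loose "first epoch-looking number" heuristic would pick: the 12-digit account id, read as milliseconds, lands on 11 Sep 2000, exactly the date in the WARN line above. The window check mirrors the MAX_DAYS_AGO / MAX_DAYS_HENCE idea; the default values of 2000 and 2 days are assumptions taken from memory of props.conf and should be verified against your version's props.conf.spec.

```python
# Added example (not from the original post): parse a VPC Flow Log v2 record
# and show why a loose timestamp heuristic can mistake the account id for a time.
from datetime import datetime, timedelta, timezone

# VPC Flow Logs version 2 field order, as documented by AWS.
VPC_FLOW_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Sample record constructed from the one quoted in the post.
SAMPLE = ("2 968645151068 eni-5e026f04 10.68.23.116 10.68.3.220 "
          "389 53532 6 7 486 1456224314 1456224370 ACCEPT OK")


def parse_vpc_flow(line):
    """Split a v2 flow record into named fields; start/end become UTC datetimes."""
    parts = line.split()
    if len(parts) != len(VPC_FLOW_FIELDS):
        raise ValueError(f"expected {len(VPC_FLOW_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(VPC_FLOW_FIELDS, parts))
    # start/end are epoch seconds (10 digits); the account id is NOT a timestamp.
    rec["start"] = datetime.fromtimestamp(int(rec["start"]), tz=timezone.utc)
    rec["end"] = datetime.fromtimestamp(int(rec["end"]), tz=timezone.utc)
    return rec


def naive_timestamp_guess(line):
    """Mimic a loose heuristic: take the first token of 10-13 digits and treat
    anything longer than 10 digits as epoch milliseconds. On the sample this
    grabs the 12-digit account id and yields a date in September 2000."""
    for tok in line.split():
        if tok.isdigit() and 10 <= len(tok) <= 13:
            secs = int(tok) / 1000 if len(tok) > 10 else int(tok)
            return datetime.fromtimestamp(secs, tz=timezone.utc)
    return None


def within_window(ts, now, max_days_ago=2000, max_days_hence=2):
    """Accept a candidate timestamp only if it falls inside [now - ago, now + hence].
    Defaults are assumed to match Splunk's MAX_DAYS_AGO / MAX_DAYS_HENCE."""
    return now - timedelta(days=max_days_ago) <= ts <= now + timedelta(days=max_days_hence)


def fmt(ts):
    """Render a UTC datetime in a stable, comparable form."""
    return ts.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # "now" pinned to the day the WARN line in the post was written (constructed).
    now = datetime(2016, 2, 23, 10, 36, 56, tzinfo=timezone.utc)
    rec = parse_vpc_flow(SAMPLE)
    guess = naive_timestamp_guess(SAMPLE)
    print("real start:", fmt(rec["start"]), "in window:", within_window(rec["start"], now))
    print("naive guess:", fmt(guess), "in window:", within_window(guess, now))
```

Running it shows the genuine start field inside the acceptance window and the account-id-derived guess well outside it, which is the situation the WARN describes; a practical check on your side is to confirm which token your timestamp extraction is anchored to (for this sourcetype the 11th field) rather than relying on the first digit run that happens to look like a time.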