The AWS add-on is running on a Splunk head for test purposes and we are trying to fetch CloudTrail logs. Account, input source and proxy configuration seem to be correct. But I can't see any search results from AWS; only the log files that are configured separately are listed in 'Data Summary'.
Here are some logs for connection:
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:231 | taaws.s3util.connect_sqs done
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:238 | taaws.s3util.connect_s3
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:240 | taaws.s3util.connect_s3 done
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:241 | Connect to S3 & Sqs sucessfully
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:247 | sqs_conn.get_queue
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:248 | sqs queue: LogQueue
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:250 | sqs_conn.get_queue done
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:268 | sqs_queue.set_message_class
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:270 | sqs_queue.set_message_class done
DEBUG pid=14002 tid=MainThread file=aws_cloudtrail.py:stream_events:274 | sqs_queue.get_messages
And here are logs for incoming data:
==> splunk_ta_aws_cloudtrail_main.log <==
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:569 | s3_conn.get_bucket done
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:572 | s3_conn.get_key AWSLogs/155885828834/CloudTrail/us-east-1/2016/04/13/155885828834_CloudTrail_us-east-1_20160413T0720Z_XiPrJidGAZJ0sNYa.json.gz
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:574 | s3_conn.get_key done
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:578 | load gzip file
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:582 | load gzip file done
INFO pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:625 | processing 13 records in s3:sony-gwt-cloudtrail-bucket/AWSLogs/155885828834/CloudTrail/us-east-1/2016/04/13/155885828834_CloudTrail_us-east-1_20160413T0720Z_XiPrJidGAZJ0sNYa.json.gz
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event DescribeInstances with timestamp 2016-04-13T07:12:50Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event DescribeTags with timestamp 2016-04-13T07:13:04Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event CreateTags with timestamp 2016-04-13T07:13:01Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event DescribeInstances with timestamp 2016-04-13T07:13:02Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event DescribeLoadBalancers with timestamp 2016-04-13T07:14:11Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event CreateTags with timestamp 2016-04-13T07:13:03Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event ChangeResourceRecordSets with timestamp 2016-04-13T07:13:06Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event DescribeLoadBalancers with timestamp 2016-04-13T07:14:28Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event DescribeTags with timestamp 2016-04-13T07:13:03Z
Do you have any idea why we can't see any of the data in search results? BTW, nearly all of the configs are in the default state.
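One way to triage add-on logs like the ones above, as an added example that is neither from this post nor from the Splunk add-on itself: a small parser (the sample lines, bucket name and account ID are constructed) that compares the number of "writing event" lines per S3 object with the "processing N records" count the add-on announced, and reports the span of event timestamps, which is the time range a search must cover before the events can show up at all.

```python
import re
from collections import Counter

# Constructed sample in the add-on's log format; the bucket, account ID and key are placeholders.
SAMPLE_LOG = """\
INFO pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:625 | processing 3 records in s3:example-cloudtrail-bucket/AWSLogs/123456789012/CloudTrail/us-east-1/2016/04/13/123456789012_CloudTrail_us-east-1_20160413T0720Z_EXAMPLE.json.gz
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event DescribeInstances with timestamp 2016-04-13T07:12:50Z
DEBUG pid=15202 tid=MainThread file=aws_cloudtrail.py:process_CT_notifications:638 | writing event CreateTags with timestamp 2016-04-13T07:13:01Z
"""

# level, pid, tid, file:function:line, then the free-text message after " | "
LINE_RE = re.compile(r"^(?P<level>\w+) pid=(?P<pid>\d+) tid=(?P<tid>\S+) file=(?P<file>\S+) \| (?P<msg>.*)$")
PROCESSING_RE = re.compile(r"processing (?P<count>\d+) records in (?P<obj>\S+)")
WRITING_RE = re.compile(r"writing event (?P<name>\S+) with timestamp (?P<ts>\S+)")


def summarize(log_text):
    """Return announced vs. written event counts per S3 object, event-name totals and the timestamp span."""
    expected = {}        # s3 object -> record count the add-on announced
    written = Counter()  # s3 object -> "writing event" lines actually seen
    names = Counter()    # CloudTrail eventName -> occurrences
    timestamps = []
    current = None       # object whose records are being written right now
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an add-on log line (e.g. a fragment of a wrapped line); skip it
        msg = m.group("msg")
        p = PROCESSING_RE.search(msg)
        if p:
            current = p.group("obj")
            expected[current] = int(p.group("count"))
            continue
        w = WRITING_RE.search(msg)
        if w and current is not None:
            written[current] += 1
            names[w.group("name")] += 1
            timestamps.append(w.group("ts"))
    # A shortfall means fewer events were written than announced: check the add-on log for
    # errors around that object (a shortfall can also be an artifact of line-wrapped copies of the log).
    shortfall = {o: n - written[o] for o, n in expected.items() if n != written[o]}
    # ISO-8601 UTC timestamps of the same shape sort lexically, so min/max give the span.
    span = (min(timestamps), max(timestamps)) if timestamps else None
    return {"expected": expected, "written": dict(written), "shortfall": shortfall,
            "event_names": dict(names), "time_span": span}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Events with April 2016 timestamps will not appear in a search restricted to a recent time window, so search the target index over the reported span (and confirm the add-on's configured index is one the searching user can read).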