Hi
I am running a Splunk instance within my AWS account, and I'm trying to set up a CloudTrail SQS-based S3 input. The CloudTrail logs are stored in a bucket (auditlogs) in a separate account, which I access via a switch role.
I have done the following; however, no data appears in the index I have selected:
- Created an IAM policy with the required permissions
- Created the required SQS queue, granting permissions to the auditlogs bucket to post events.
- Added an event notification on the S3 bucket to forward 'Object created' events to my SQS queue
- Confirmed that the SQS queue is receiving messages
- Added a new input within the AWS Add-on for Splunk Web, using my auto-discovered IAM role
- Requested that the input send data to my audit index.
- Checked the logs on the Splunk instance and found no errors or other issues.
Questions
- The documentation seems very unclear on the need to have an SNS topic in the middle here. Is it a requirement that SQS is updated via a subscription to an SNS topic, specifically S3 > SNS > SQS > Splunk? Or would S3 > SQS > Splunk also work?
- My auto-discovered IAM role applied to the Splunk EC2 instance is in a separate account from the S3 bucket I'm trying to import data from. Is this going to cause me issues? I assume this is the issue, but there
I would appreciate any guidance here!
Thanks
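The two topologies asked about in the post put differently shaped messages on the queue: with S3 > SQS the message body is the S3 event JSON itself, while with S3 > SNS > SQS (without raw message delivery on the subscription) the body is an SNS envelope whose "Message" field holds the S3 event as a JSON string. The following is an added example, not part of the original post and not code from the Splunk Add-on for AWS, that unwraps both shapes, recognises the `s3:TestEvent` S3 sends when a notification is first configured, and extracts only CloudTrail object keys for the expected bucket. The bucket name `auditlogs` comes from the post; the account IDs, topic ARN, region and object key in the sample messages are constructed placeholders.

```python
"""Classify and unwrap SQS messages from the two delivery topologies:
S3 -> SQS (direct) and S3 -> SNS -> SQS (SNS envelope).
Added example; not the original post's or the Splunk Add-on's code."""
import json
from urllib.parse import unquote_plus

# Constructed sample: what S3 puts on the queue when it posts directly to SQS.
DIRECT_S3_BODY = json.dumps({
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "eu-west-1",
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": "auditlogs", "arn": "arn:aws:s3:::auditlogs"},
            "object": {
                # Placeholder account ID and file name, in CloudTrail's key layout.
                "key": "AWSLogs/111111111111/CloudTrail/eu-west-1/2020/01/01/"
                       "111111111111_CloudTrail_eu-west-1_20200101T0000Z_example.json.gz",
                "size": 1234,
            },
        },
    }]
})

# Constructed sample: the same event wrapped in an SNS envelope (S3 -> SNS -> SQS
# without raw message delivery). The S3 event is a JSON *string* inside "Message".
SNS_WRAPPED_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:eu-west-1:111111111111:auditlogs-topic",  # placeholder
    "Message": DIRECT_S3_BODY,
    "Timestamp": "2020-01-01T00:00:00.000Z",
})

# Constructed sample: the test event S3 emits when a notification is configured.
TEST_EVENT_BODY = json.dumps({
    "Service": "Amazon S3", "Event": "s3:TestEvent",
    "Time": "2020-01-01T00:00:00.000Z", "Bucket": "auditlogs",
    "RequestId": "EXAMPLE", "HostId": "EXAMPLE",
})


def classify(body: str) -> str:
    """Return 'sns-wrapped', 'direct', 'test-event' or 'unknown' for a queue body."""
    msg = json.loads(body)
    if msg.get("Type") == "Notification":
        return "sns-wrapped"
    if msg.get("Event") == "s3:TestEvent":
        return "test-event"
    if "Records" in msg:
        return "direct"
    return "unknown"


def unwrap(body: str) -> dict:
    """Return the S3 event dict, removing an SNS envelope if one is present."""
    msg = json.loads(body)
    if msg.get("Type") == "Notification" and "Message" in msg:
        msg = json.loads(msg["Message"])
    return msg


def cloudtrail_objects(body: str, expected_bucket: str) -> list:
    """(bucket, key) pairs for ObjectCreated events on the expected bucket whose
    key looks like a CloudTrail log file. Keys are URL-decoded because S3
    URL-encodes object keys in notifications."""
    event = unwrap(body)
    found = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])
        if bucket != expected_bucket:
            continue  # a notification from some other bucket, ignore
        if "/CloudTrail/" not in key or not key.endswith(".json.gz"):
            continue  # not a CloudTrail log object (e.g. digest files)
        found.append((bucket, key))
    return found


if __name__ == "__main__":
    for name, body in [("direct", DIRECT_S3_BODY), ("sns", SNS_WRAPPED_BODY),
                       ("test", TEST_EVENT_BODY)]:
        print(name, classify(body), cloudtrail_objects(body, "auditlogs"))
```

Whichever topology is used, the consumer must still be able to read the object the message points at, which is a separate matter from receiving the message: the queue proving it holds messages (step 4 of the post) says nothing about whether the role in the consuming account can `GetObject` on the bucket in the other account.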