CloudWatch Log inputs - Splunk Add-on for Amazon Web Services (2024)

Complete the steps to configure CloudWatch Log inputs for the Splunk Add-on for Amazon Web Services (AWS):

  1. You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
  2. Configure AWS services for the CloudWatch Log input.
  3. Configure AWS permissions for the CloudWatch Log input.
  4. (Optional) Configure VPC Interface Endpoints for STS and logs services from your AWS Console if you want to use private endpoints for data collection and authentication. For more information, see the Interface VPC endpoints (AWS PrivateLink) topic in the Amazon Virtual Private Cloud documentation.
  5. Configure CloudWatch Log inputs either through Splunk Web or configuration files.

Due to rate limitations, don't use pull-based (API) input configurations to collect CloudWatch Log data that has the source type aws:cloudwatchlogs:*. Instead, use push-based (Amazon Kinesis Firehose) input configurations to collect CloudWatch Logs and VPC Flow Logs. The push-based (Amazon Kinesis Firehose) input configurations for the Splunk Add-on for AWS include index-time logic that performs the correct knowledge extraction for these events through the Kinesis input as well.

Configure AWS permissions for the CloudWatch Log input

Required permissions for Logs:

  • logs:DescribeLogGroups
  • logs:DescribeLogStreams
  • logs:GetLogEvents
  • s3:GetBucketLocation

See the following sample inline policy to configure CloudWatch Log input permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

You must also ensure that your role has a trust relationship that allows the flow logs service to assume the role. While viewing the IAM role, choose Edit Trust Relationship and replace that policy with this one:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Configure a CloudWatch Logs input using Splunk Web

To configure inputs using Splunk Web, click Splunk Add-on for AWS in the navigation bar on the Splunk Web home page, then choose one of the following menu paths depending on the data type you want to collect:

  • Create New Input > VPC Flow Logs > CloudWatch Logs
  • Create New Input > Custom Data Type > CloudWatch Logs

Fill out the fields as described in the table:

Each entry below gives the argument name in the configuration file, the corresponding field in Splunk Web (in parentheses), and its description.

account (Splunk Web: AWS Account)
    The AWS account or EC2 IAM role the Splunk platform uses to access your CloudWatch Logs data. In Splunk Web, select an account from the drop-down list. In aws_cloudwatch_logs_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page, or the name of the automatically discovered EC2 IAM role.

region (Splunk Web: AWS Region)
    The AWS region that contains the data. In aws_cloudwatch_logs_tasks.conf, enter the region ID.

private_endpoint_enabled (Splunk Web: Use Private Endpoints)
    Check the checkbox to use private endpoints of AWS Security Token Service (STS) and Amazon S3 for authentication and data collection. In inputs.conf, enter 0 or 1 to disable or enable, respectively, the use of private endpoints.

logs_private_endpoint_url (Splunk Web: Private Endpoint (Logs))
    Private endpoint (interface VPC endpoint) of your logs service, which can be configured from your AWS console.
    Supported formats:
      <scheme>://vpce-<endpoint-id>-<unique-id>.logs.<region>.vpce.amazonaws.com
      <scheme>://vpce-<endpoint-id>-<unique-id>-<availability-zone>.logs.<region>.vpce.amazonaws.com

sts_private_endpoint_url (Splunk Web: Private Endpoint (STS))
    Private endpoint (interface VPC endpoint) of your STS service, which can be configured from your AWS console.
    Supported formats:
      <scheme>://vpce-<endpoint-id>-<unique-id>.sts.<region>.vpce.amazonaws.com
      <scheme>://vpce-<endpoint-id>-<unique-id>-<availability-zone>.sts.<region>.vpce.amazonaws.com

groups (Splunk Web: Log group)
    A comma-separated list of log group names. Do not use wildcards.

only_after (Splunk Web: Only After)
    GMT time string in '%Y-%m-%dT%H:%M:%S' format. If set, only events after this time are queried and indexed. Defaults to 1970-01-01T00:00:00.

stream_matcher (Splunk Web: Stream Matching Regex)
    Regular expression that stream names must match exactly. Defaults to .*

interval (Splunk Web: Interval)
    The number of seconds to wait before the Splunk platform runs the command again. The default is 600 seconds.

metric_index_flag (Splunk Web: Use Metric Index?)
    Whether to use a metric index or an event index. The default value is No (use event index). This field is only visible when creating VPC Flow Logs > CloudWatch Logs inputs.

sourcetype (Splunk Web: Source type)
    A source type for the events. If you are indexing VPC Flow Log data through CloudWatch Logs:
      1. If using an event index, the sourcetype value is aws:cloudwatchlogs:vpcflow.
      2. If using a metric index, the sourcetype value is aws:cloudwatchlogs:vpcflow:metric.
    Enter aws:cloudwatchlogs if you are collecting any other type of CloudWatch Logs data.

index (Splunk Web: Index)
    The index name where the Splunk platform puts the CloudWatch Logs data. The default is main.

query_window_size (Splunk Web: Query Window Size (minutes))
    The span of data to collect in each request, in minutes. Default = 10, minimum = 1, maximum = 43200 (30 days).

    For example, if the calculated start date is 2024-01-01T00:00:00 (midnight on January 1, 2024) and the query window size is 60 minutes, the end date for the request is 2024-01-01T01:00:00 (one hour after midnight). The window keeps sliding forward by 60 minutes until no more recent logs are available.
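The sliding-window arithmetic described above, as an added Python example that is not part of the Splunk documentation or the add-on's own code. It assumes the first window starts at only_after, enforces the documented 1..43200 minute bounds, and stops once a window start is no longer in the past; the add-on's exact stopping rule is not stated on this page.

```python
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%S"      # only_after format (GMT) from the field table
WINDOW_MIN, WINDOW_MAX = 1, 43200    # query_window_size bounds in minutes (30 days max)


def parse_only_after(value: str) -> datetime:
    """Parse the GMT only_after string into an aware UTC datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def query_windows(start: datetime, window_minutes: int, now: datetime) -> list:
    """Return the (start, end) request windows, each window_minutes long,
    sliding forward from `start` while the window start is still before `now`.
    Assumption: the last window is not clipped to `now`."""
    if not WINDOW_MIN <= window_minutes <= WINDOW_MAX:
        raise ValueError(
            f"query_window_size must be {WINDOW_MIN}..{WINDOW_MAX} minutes, got {window_minutes}"
        )
    step = timedelta(minutes=window_minutes)
    windows = []
    cur = start
    while cur < now:
        windows.append((cur, cur + step))
        cur += step
    return windows


def describe_windows(only_after: str, window_minutes: int, now_str: str) -> list:
    """Same as query_windows, but takes and returns GMT strings in TIME_FMT."""
    now = datetime.strptime(now_str, TIME_FMT).replace(tzinfo=timezone.utc)
    return [
        (s.strftime(TIME_FMT), e.strftime(TIME_FMT))
        for s, e in query_windows(parse_only_after(only_after), window_minutes, now)
    ]


if __name__ == "__main__":
    # Worked example from the documentation: 60-minute windows starting at midnight
    for s, e in describe_windows("2024-01-01T00:00:00", 60, "2024-01-01T03:30:00"):
        print(f"request {s} -> {e}")
```

With the default only_after of 1970-01-01T00:00:00 and the default 10-minute window, this loop yields millions of windows before it catches up, which is why setting a realistic only_after matters for a new input.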

Configure a CloudWatch Logs input using configuration files

To configure the input using configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_cloudwatch_logs_tasks.conf using the following template:

[<name>]
account = <value>
groups = <value>
index = <value>
interval = <value>
only_after = <value>
region = <value>
private_endpoint_enabled = <value>
logs_private_endpoint_url = <value>
sts_private_endpoint_url = <value>
sourcetype = <value>
stream_matcher = <value>
metric_index_flag = <value>
query_window_size = <value>

Here is an example stanza that collects VPC Flow Log data from two log groups:

[splunkapp2:us-west-2]
account = splunkapp2
groups = SomeName/DefaultLogGroup, SomeOtherName/SomeOtherLogGroup
index = default
interval = 600
only_after = 1970-01-01T00:00:00
region = us-west-2
sourcetype = aws:cloudwatchlogs:vpcflow
stream_matcher = eni.*
metric_index_flag = 0
query_window_size = 10
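A pre-deployment check for stanzas in this format, as an added example that is not the add-on's own code. It applies the constraints the field table states (no wildcards in groups, the only_after time format, a stream_matcher that compiles, the query_window_size bounds, and a sourcetype that matches metric_index_flag for VPC Flow Logs) to a constructed copy of the stanza above.

```python
import configparser
import re
from datetime import datetime

# Constructed sample: the documentation's example stanza (not the add-on's own code).
SAMPLE_CONF = """[splunkapp2:us-west-2]
account = splunkapp2
groups = SomeName/DefaultLogGroup, SomeOtherName/SomeOtherLogGroup
index = default
interval = 600
only_after = 1970-01-01T00:00:00
region = us-west-2
sourcetype = aws:cloudwatchlogs:vpcflow
stream_matcher = eni.*
metric_index_flag = 0
query_window_size = 10
"""
# sourcetype the docs prescribe for VPC Flow Logs, keyed by metric_index_flag
VPCFLOW_SOURCETYPE = {"0": "aws:cloudwatchlogs:vpcflow", "1": "aws:cloudwatchlogs:vpcflow:metric"}

def validate_stanza(s) -> list:
    """Return the problems found in one stanza (s: configparser section or any mapping with .get)."""
    problems = []
    for key in ("account", "region", "groups"):
        if not s.get(key, "").strip():
            problems.append(f"{key} is required")
    groups = [g.strip() for g in s.get("groups", "").split(",") if g.strip()]
    if any("*" in g or "?" in g for g in groups):
        problems.append("groups must list exact log group names, no wildcards")
    try:  # GMT time string in the documented format
        datetime.strptime(s.get("only_after", "1970-01-01T00:00:00"), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        problems.append("only_after must use %Y-%m-%dT%H:%M:%S")
    try:  # stream_matcher is applied as a regex, so it must compile
        re.compile(s.get("stream_matcher", ".*"))
    except re.error:
        problems.append("stream_matcher is not a valid regex")
    qws = s.get("query_window_size", "10")
    if not qws.isdigit() or not 1 <= int(qws) <= 43200:
        problems.append("query_window_size must be an integer from 1 to 43200 minutes")
    flag, sourcetype = s.get("metric_index_flag", "0"), s.get("sourcetype", "")
    if sourcetype.startswith("aws:cloudwatchlogs:vpcflow") and sourcetype != VPCFLOW_SOURCETYPE.get(flag):
        problems.append(f"sourcetype {sourcetype} does not match metric_index_flag={flag}")
    return problems

def validate_conf(text: str) -> dict:
    """Parse conf text and map each stanza name to its list of problems."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: validate_stanza(cp[name]) for name in cp.sections()}
```

Run validate_conf on the contents of your local aws_cloudwatch_logs_tasks.conf; an empty list for a stanza means every documented constraint checked here holds.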