Todd Waller

Splunk and the Amazon Web Services app, Tips and Tricks

Hello Everyone


Hope everyone is as happy as possible and staying safe.


It's hard out there right now, make sure you're taking care of yourselves.


Today's topic is one I wanted to blog about due to a recent experience I had setting up the Splunk for AWS app. I had a fair amount of trouble even following the install guides, as there are many underlying components that go into starting and successfully making the connection to AWS and its various endpoints.


So I'm going to briefly go over a few things I had to find on my own to make it work. Splunk Support had no idea how to resolve my issues. In fact, the engineer said he's "never seen that message".


It's pretty basic for the most part, so follow the docs as instructed.


NOTE: Make sure you install the version that's compatible with your specific Splunk installation version.


You can find the docs here: http://docs.splunk.com/Documentation/AddOns/latest/AWS/Description


Make sure your account on the AWS end is given enough rights and make sure it can assume the role that is created.


Once the app is installed I would create the Role first. Get the info from your AWS setup.

You will need the Role ARN for this step:


From there, set up your proxy settings (if you're using them):

Then you can set up the account:

Once all of this is done you can add the Inputs on the Inputs tab. This tab will be empty at first, so click "Create New Input". For me it was a generic S3 input, so I added a "Generic S3" Input Type:


When creating the setup for this input I hit an error:

The first part was easy to find and correct. We needed to add our custom certs to the /certify path within the /bin/3rdparty directory in the app.



After doing this and restarting Splunk I continuously got this message trying to add the input. So I grepped through each directory and found another spot, WITHIN A TXT FILE, where these certs must be added as well. It is within the /bin/3rdparty/boto directory.


Once I added the certs to the txt file and restarted I was able to successfully create all the inputs.
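As an added example (not from the post or the add-on itself), here is a small POSIX shell helper that appends a custom CA PEM to both trust bundles the post describes, once, with a backup of each file. The app directory and the certifi file name (bin/3rdparty/certifi/cacert.pem) are assumptions; boto/cacerts.txt is the file the post names.

```shell
#!/bin/sh
# Append a custom CA certificate to the trust bundles the Splunk AWS add-on
# carries under bin/3rdparty. Paths below are assumptions; adjust for your install.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
AWS_APP="${AWS_APP:-$SPLUNK_HOME/etc/apps/Splunk_TA_aws}"

# Returns 0 when the file carries PEM certificate markers, 1 otherwise.
is_pem_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '-----END CERTIFICATE-----' "$1"
}

# SHA-256 of the certificate file, used as an idempotency marker in the bundle.
cert_fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# append_ca CERT BUNDLE: append once. Exit 0 = appended, 2 = already present,
# 1 = bad input. The marker is a comment line, which PEM parsers ignore.
append_ca() {
  cert="$1"; bundle="$2"
  is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  [ -f "$bundle" ] || { echo "bundle not found: $bundle" >&2; return 1; }
  fp=$(cert_fingerprint "$cert")
  if grep -q "custom-ca sha256=$fp" "$bundle"; then
    return 2
  fi
  cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"   # keep a restore point
  { printf '\n# custom-ca sha256=%s\n' "$fp"; cat "$cert"; } >> "$bundle"
}

# Apply to both bundles the post mentions; "already present" is not an error.
add_to_aws_app() {
  for b in "$AWS_APP/bin/3rdparty/certifi/cacert.pem" \
           "$AWS_APP/bin/3rdparty/boto/cacerts.txt"; do
    append_ca "$1" "$b" || [ $? -eq 2 ]
  done
}

# Usage: add_to_aws_app /path/to/custom-ca.pem  (then restart Splunk)
```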


Hopefully this helps someone having the issues that I was running into.

It took a VERY long time to find the /boto/cacerts.txt fix.


Stay safe and happy.


-Todd

