- #Splunk inputs.conf update#
- #Splunk inputs.conf full#
- #Splunk inputs.conf software#
The Splunk platform indexes AWS Config events using three variations of this source type:
If you change the default value, you must update nf as well. Event extraction relies on the default value of source type. Enter a value only if you want to override the default of aws:config. For example, if your SQS queue URL is, then your SQS queue name is testQueue.Ī source type for the events.
The queue name is the final segment of the full queue URL. Select a queue from the drop-down list, or enter the queue name manually. The name of the queue to which AWS sends new Config notifications. The AWS region that contains the log notification SQS queue.
In Splunk Web, select an account from the drop-down list. The AWS account or EC2 IAM role the Splunk platform uses to access your Config data.
Fill out the fields as described in the table:. Click Create New Input > Config > Config. Click Splunk Add-on for AWS in the navigation bar on Splunk Web home. See the following sample inline policy to configure Config input permissions:įor more information and sample policies, see the following AWS documentation:Ĭonfigure a Config input using Splunk Web For the IAM user to get the Config snapshots: GetUser. 
For the Config snapshots: DeliverConfigSnapshot.For the SQS subscribed to the SNS Topic that collects Config notifications:.For the S3 bucket that collects your Config logs:.Set the following permissions in your AWS configuration: Grant IAM permissions to access the S3 bucket and SQS to the AWS account that the add-on uses to connect to your AWS environment.Ĭonfigure AWS permissions for the Config input.Subscribe the SQS exclusively to the SNS Topic that you created.If you used the AWS console, the Resource Lookup page displays. Verify that you completed the setup process.
Specify a new S3 bucket to save the data and an SNS Topic to which Splunk software streams Config notifications. Configure AWS Config to produce SNS notifications, and then create the SQS that the add-on can access. The Splunk Add-on for AWS collects events from a SQS that subscribes to the Simple Notification Service (SNS) notification events from AWS Config. Disable or delete testing configurations before releasing your configuration in production.Ĭonfigure AWS services for the Config input. Multiple enabled modular inputs can cause conflicts when trying to delete SQS messages or S3 records that another modular input is attempting to access and parse. Configure a single enabled Config modular input for each unique SQS. See for a full list of supported regions. This data source is available only in a subset of AWS regions, which does not include China. Configure an AWS Config input for the Splunk Add-on for Amazon Web Services on your data collection node through Splunk Web. Configure Simple Queue Service (SQS)-based S3 inputs to collect AWS data. Configure Config inputs either through Splunk Web or configuration files. See Configure AWS permissions for all Splunk Add-on for AWS inputs at once. You can skip this step and configure AWS permissions at once, if you prefer. Configure AWS permissions for the Config input. Configure AWS services for the Config input. See Manage accounts for the Splunk Add-on for AWS. You must manage accounts for the add-on as a prerequisite. Configure Config inputs for the Splunk Add-on for AWSĬomplete the steps to configure Config inputs for the Splunk Add-on for Amazon Web Services (AWS):
0 kommentar(er)
