Gain critical operational and security visibility into your AWS account using the Splunk App for AWS. The app offers a pre-built knowledge base of dashboards and reports to deliver real-time visibility into your environment using data from AWS CloudTrail, Config and Billing.
• Use your CloudTrail data to get insight into security-related activity such as unauthorized access attempts, simultaneous logins from disparate locations, and changes to access control privileges.
• Use your AWS Config data to understand configuration changes and the relationships between AWS resources.
• Correlate CloudTrail and Config data to gain a comprehensive security and compliance view of your account.
• Paired with the Splunk Add-on for Amazon Web Services, the app also provides critical billing and account information.
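The three CloudTrail checks named above (unauthorized access attempts, logins from disparate locations, access-control changes), as an added example that is not part of the app or the add-on: plain Python over constructed CloudTrail-style JSON records, with a constructed IP-to-country map standing in for Splunk's iplocation lookup and a hypothetical starting list of privilege-changing IAM calls.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records, one JSON object per line as the add-on would
# index them (documentation account id 111122223333, TEST-NET addresses; not real data).
SAMPLE_LOG = """\
{"eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","sourceIPAddress":"192.0.2.55","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventName":"DescribeInstances","sourceIPAddress":"192.0.2.55","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"errorCode":"Client.UnauthorizedOperation"}
{"eventName":"GetObject","sourceIPAddress":"192.0.2.55","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"errorCode":"AccessDenied"}
{"eventName":"ListBuckets","sourceIPAddress":"192.0.2.55","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"errorCode":"AccessDenied"}
{"eventName":"AttachUserPolicy","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
"""
# Constructed stand-in for a GeoIP lookup (in Splunk the iplocation command supplies this).
GEO = {"203.0.113.10": "US", "198.51.100.7": "DE", "192.0.2.55": "US"}
# errorCode markers for authorization failures: S3/IAM report "AccessDenied",
# EC2 reports "Client.UnauthorizedOperation".
DENIED_MARKERS = ("AccessDenied", "UnauthorizedOperation")
# IAM calls that grant or alter privileges (a hypothetical starting list, not exhaustive).
PRIVILEGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy", "CreateAccessKey"}

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def denied_attempts(events, threshold=3):
    """Principals with at least `threshold` authorization failures."""
    counts = defaultdict(int)
    for e in events:
        code = e.get("errorCode", "")
        if any(marker in code for marker in DENIED_MARKERS):
            counts[e["userIdentity"]["arn"]] += 1
    return {arn: n for arn, n in counts.items() if n >= threshold}

def disparate_logins(events, geo):
    """Principals whose successful console logins came from more than one country."""
    countries = defaultdict(set)
    for e in events:
        success = e.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if e.get("eventName") == "ConsoleLogin" and success:
            countries[e["userIdentity"]["arn"]].add(geo.get(e["sourceIPAddress"], "unknown"))
    return {arn: sorted(c) for arn, c in countries.items() if len(c) > 1}

def privilege_changes(events):
    """(actor, eventName, affected user) for each access-control change."""
    return [(e["userIdentity"]["arn"], e["eventName"], e.get("requestParameters", {}).get("userName"))
            for e in events if e.get("eventName") in PRIVILEGE_EVENTS]
```

Failed console logins are deliberately excluded from the location check, so a failed attempt from a second country does not by itself flag a principal.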
To deploy Splunk Enterprise in AWS, find the Splunk Enterprise AMI in the AWS Marketplace. To get all features of Splunk Enterprise as software-as-a-service, check out Splunk Cloud or sign up for our Free Online Sandbox.
What's new in version 3.0:
- Modular input for collection provided by Splunk Add-on for Amazon Web Services
- New dashboards for AWS CloudTrail:
  - User Activity Tracking
- Alerts for AWS CloudTrail (use them as templates to build your own, or simply customize and enable them)
- Modular input for collection provided by Splunk Add-on for Amazon Web Services v1.1.0
- New dashboards for AWS Config:
  - Resource Type Changes
  - Resource Changes
  - Resource Relationship
Billing reports are provided by Splunk Add-on for Amazon Web Services. For information on how to enable billing and view the associated reports, click here.
WARNING! Version 3 is NOT backwards compatible with version 2. This version is a complete replacement, and content from version 2 may not be preserved.
Requirements:
- Splunk 6.1 or later
- Splunk Add-on for Amazon Web Services
  - version 1.1.0 or later is required for AWS Config
- AWS CloudTrail: enable CloudTrail with SQS and SNS. More here.
- AWS Config: enable Config with SQS and SNS. More here.
- Billing: refer to the AWS documentation to turn on AWS detailed billing. Start here.
Installation and configuration
Step 1: Download and install Splunk Add-on for Amazon Web Services
- Use version 1.1.0 or later of the Add-on if you are collecting AWS Config notifications.
- To install either version of the Add-on, follow these instructions.
Step 2: Configure the Add-on
- To configure your Add-on, follow its instructions.
- To configure specific inputs, go to Settings > Data inputs in Splunk Web and select AWS CloudTrail and/or AWS Config. For each option you will need to select the appropriate AWS Account, SQS Queue Region and SQS Queue Name.
- Under More Settings, the following options are recommended:
  - AWS CloudTrail: data is labeled with sourcetype aws:cloudtrail, and a separate index named aws-cloudtrail is selected as the destination index
  - AWS Config: data is labeled with sourcetype aws:config, and a separate index named aws-config is selected as the destination index
Step 3: Install and configure the Splunk App for AWS
Install the app on your Search Head either via the UI or the CLI:
- Download it from Splunk Apps.
- From the Splunk Web interface, click Apps > Manage Apps to open the Apps Management page.
- Click Install app from file, locate the downloaded file, and click Upload.
- Restart Splunk Enterprise if instructed to do so.
- If your index and sourcetype definitions match those above, no further action is necessary. Otherwise, change macros.conf to reflect your CloudTrail and Config index and sourcetype selections.
- Enable and modify the AWS CloudTrail Alerts according to your requirements. Alerts ship disabled, with a default scheduled interval of 15 minutes.
Notes on lookup files:
- all_eventName.csv: an automatically updated file of AWS CloudTrail eventNames. The file also contains a 'highlight' field that drives the highlighting of CloudTrail eventNames in dashboards. Use this field to color eventNames according to your own severity definitions.
- protocols.csv: a static lookup table translating network protocol numbers to names.
- regions: a static lookup table with AWS regions and their geographical locations
- resourceType.csv: an automatically updated file with AWS Config resource types.
I already know Splunk!
If you are an experienced Splunk administrator, here are the key points for this app:
- Requires installation of the Splunk Add-on for Amazon Web Services.
- To collect AWS Config data, you must use version 1.1.0 or later of the Add-on.
- This app is NOT backwards compatible with v2 and is completely new: do not install it if you want to keep content from v2.
- It recommends the use of these index names: aws-cloudtrail, aws-config.
- It uses these two sourcetypes: aws:cloudtrail, aws:config
- Installs the above lookups.